Versions Compared

Summary

A vulnerability affecting the Java logging library Apache Log4j 2 has been publicly disclosed for versions prior to 2.15.0. On-premises Jira and Confluence instances, and by extension our apps, do not use the affected library. However, your instance may still be exposed depending on local configuration.

Default on-premises Jira/Confluence configurations are not vulnerable

Jira and Confluence ship with log4j 1.2.x, which is not vulnerable unless customizations are made to the local log4j configuration; such customizations can introduce the vulnerability. See the Atlassian FAQ for more details.

All our apps use the platform-provided log4j implementation, which is 1.2.x.
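The distinction above (Log4j 2 before 2.15.0 is affected; the log4j 1.2.x shipped by Jira and Confluence is not, in its default configuration) can be checked by inventorying the Log4j jars under an installation. The script below is an added example, not code from the KB or from the app vendor; the directory layout and jar names in `demo()` are constructed, and the status labels are this example's own.

```python
import os
import re
import tempfile

# Jar names such as log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-1.2-api-2.15.0.jar.
# Deliberately does not match bridges like log4j-over-slf4j-*.jar, which are not Log4j itself.
JAR_RE = re.compile(r"^log4j(?:-(core|api|1\.2-api|web|slf4j-impl|jcl|jul))?-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")
FIXED_2X = (2, 15, 0)  # first Log4j 2 release the advisory names as not affected


def classify(jar_name):
    """Return (artifact, version, status) for a Log4j jar name, or None if it is not one."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    artifact = m.group(1) or "log4j"
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
    if version[0] == 1:
        # Log4j 1.2.x as shipped by Jira/Confluence: not affected with the default
        # configuration; the residual risk is a customised local log4j configuration.
        status = "1.x-default-safe"
    elif version < FIXED_2X:
        status = "affected"  # Log4j 2 before 2.15.0
    else:
        status = "fixed"
    return artifact, version, status


def scan_install(root):
    """Walk an install or home directory and classify every Log4j jar found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            result = classify(name)
            if result is not None:
                findings.append((os.path.join(dirpath, name),) + result)
    return findings


def demo():
    """Constructed sample tree (empty files stand in for jars); returns the status per jar."""
    sample = ["WEB-INF/lib/log4j-1.2.17.jar",             # what Jira/Confluence ship
              "WEB-INF/lib/log4j-over-slf4j-1.7.30.jar",  # not Log4j, must be ignored
              "plugins/acme/log4j-core-2.14.1.jar",       # hypothetical bundled copy
              "plugins/acme/log4j-api-2.15.0.jar"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return {os.path.relpath(p, root).replace(os.sep, "/"): status
                for p, _, _, status in scan_install(root)}
```

Point `scan_install()` at the Jira or Confluence installation and home directories; any `affected` result comes from a bundled copy outside the platform's own log4j 1.2.x, and a `1.x-default-safe` result still warrants a look at the local log4j configuration for customizations.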

Validation

We have performed our own validation using a proof-of-concept found online. We verified that the version of log4j shipped with Atlassian Jira did not result in a replication when using the default logger configuration.

JEMH specific testing

As JEMH specifically processes user-generated content, we have also verified that the exploit does not work from email content with the default log4j configuration.

Related links:

This is duplicated in KB: CVE-2021-44228 - log4shell, and CVE-2021-45046