When is Confluence Servers Log4j version being upgraded to Log4J 2.17.0 (or later)?


Bear with me here,

This article outlines the following summary:

  • No Atlassian on-premises products are vulnerable to CVE-2021-44228.
  • Some on-premises products utilise an Atlassian-maintained fork of Log4j 1.2.17, which, while not vulnerable to CVE-2021-44228, is vulnerable to a new but similar vulnerability that can be exploited when a trusted party is present and the JMS Appender is enabled in configuration (non-default).
  • Two similar vulnerabilities discovered in non-default configurations of Log4j are:
    • 2.0-beta9 to 2.15.0 (inclusive) are affected by CVE-2021-45046
    • 2.0-alpha1 through 2.16.0 (excluding 2.12.3) are affected by CVE-2021-45105
    • Neither of these vulnerabilities applies to Atlassian's Log4j 1.x maintained fork, as outlined in this FAQ page.

Now, regardless of the above summary, Atlassian go on to say:

"Regardless of whether the vulnerable configuration is in use, Atlassian will be addressing CVE-2021-45046 and CVE-2021-45105 by upgrading to log4j 2.17.0 (or greater) in line with the timeframes detailed in the Atlassian Security Bugfix Policy."

Atlassian do not go on to mention within the article itself what category these two vulnerabilities fall under (Critical, High, Medium or Low), however, we know the following!

The record date of CVE-2021-45046 was 14th Dec 2021 and it has a base score of 9.0, categorising it as Critical by Atlassian's Bugfix Policy.

The record date of CVE-2021-45105 was 16th Dec 2021 and it has a base score of 5.9, categorising it as Medium by Atlassian's Bugfix Policy.

Meaning, both CVEs "should be patched within 90 days of being reported".

This lands on March 14th and 16th, 2022 as the dates by which Confluence devs should have upgraded server distros to include "Log4j 2.17.0 (or later)". Around 3 weeks after this post! They have some time, granted!

Am I wrong in all of the above thoughts and findings?

1 comment

Daniel Ebers Community Leader Aug 18, 2022

Hi @Samuel Leung

Reviewing this, I seem to understand log4j (v2) will be included in version 8 (at least according to the fixVersion of the issue).
