Bear with me here,
This article outlines the following summary:
Now, regardless of the above summary, Atlassian go on to say:
"Regardless of whether the vulnerable configuration is in use, Atlassian will be addressing CVE-2021-45046 and CVE-2021-45105 by upgrading to log4j 2.17.0 (or greater) in line with the timeframes detailed in the Atlassian Security Bugfix Policy."
Atlassian do not go on to mention within the article itself what category these two vulnerabilities fall under (Critical, High, Medium or Low); however, we know the following!
The record date of CVE-2021-45046 was 14th Dec 2021, and it has a base score of 9.0, categorising it as Critical under Atlassian's Bugfix Policy.
The record date of CVE-2021-45105 was 16th Dec 2021, and it has a base score of 5.9, categorising it as Medium under Atlassian's Bugfix Policy.
Meaning both CVEs "should be patched within 90 days of being reported".
This lands on March 14th and 16th, 2022 as the dates by which Confluence devs should have upgraded server distros to include "Log4j 2.17.0 (or later)". Around 3 weeks after this post! They have some time, granted!
Am I wrong in all of the above thoughts and findings?