On December 10, 2021, a remote code execution vulnerability has been identified in the popular Apache Log4j2 library, now known as Log4Shell. The vulnerability has been reported with CVE-2021-44228 against the log4j-core jar.
We assessed all of our apps in the Atlassian Marketplace and none of our Server, Data Center or Cloud apps are affected by CVE-2021-44228.
Our Server and Data Center apps use the logging infrastructure supplied by the Atlassian host application (Confluence, Jira), which is generally considered non-vulnerable, although an insecure configuration can be created. We recommend following up on the Atlassian Security Advisory on CVE-2021-44228 regarding Atlassian's on-premise host applications.
Our Cloud apps do not use the log4j-core library.
If you have additional questions, please do not hesitate to reach out to us via our Support Portal.