Exalate response to Log4j vulnerability - CVE-2021-44228

Originally asked by Francis Martens (Exalate) on 14 December 2021 (original question)


As published here

On Saturday, December 10, 2021, we were made aware of the Log4j vulnerability in the Apache logging framework (CVE-2021-44228).

The result of our investigation is that Exalate is NOT affected by this vulnerability, as Exalate is using another logging framework.

There might be a risk for ‘Exalate for Jira On Premise’, which is using the logging framework provided by Jira. Atlassian confirmed here that Jira itself is not vulnerable, but the advice is to check for ‘org.apache.log4j.net.JMSAppender’ in the log4j.properties file.

Please reach out to our Support in case of questions.
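
The check for ‘org.apache.log4j.net.JMSAppender’ mentioned above can be scripted so that commented-out entries are ignored and each match is tied to the loggers that use it. This is an added example, not code from Exalate or Atlassian; it assumes the standard Log4j 1.x properties syntax, and the function names and the sample configuration are constructed for illustration.

```python
import re
import sys

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
LOGGER_KEYS = ("log4j.logger.", "log4j.category.")
ROOT_KEYS = ("log4j.rootLogger", "log4j.rootCategory")

# Constructed sample for illustration, not taken from a real Jira installation.
SAMPLE = """\
log4j.rootLogger=WARN, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
#log4j.appender.oldjms=org.apache.log4j.net.JMSAppender
log4j.appender.jms = org.apache.log4j.net.\\
    JMSAppender
log4j.logger.com.example.audit=INFO, jms
"""

def load_properties(text):
    """Parse key/value pairs, skipping comments and joining continuation lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def find_jms_appenders(text):
    """Map each JMSAppender name to the loggers that reference it."""
    props = load_properties(text)
    found = {}
    for key, value in props.items():
        if re.fullmatch(r"log4j\.appender\.[^.]+", key) and value == JMS_CLASS:
            found[key.rsplit(".", 1)[1]] = []
    for key, value in props.items():
        if key in ROOT_KEYS or key.startswith(LOGGER_KEYS):
            # Value format is "LEVEL, appender1, appender2".
            for name in (part.strip() for part in value.split(",")[1:]):
                if name in found:
                    found[name].append(key)
    return found

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, loggers in find_jms_appenders(source).items():
        print(f"JMSAppender '{name}' referenced by: {loggers or 'no logger'}")
```

Run it with the path to log4j.properties as the only argument; an empty result means no active JMSAppender definition was found in that file.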