What is Log4shell?
On December 9th, 2021, CVE-2021-44228, a zero-day vulnerability in Log4j colloquially named “Log4Shell,” was found in the wild. Log4j is the most popular logging framework for Java software. Most Java developers include it in their builds, and it handles all of the logging for them, which is why it is so ubiquitous.
Log4shell is a critical remote code execution (RCE) vulnerability in Log4j and is especially dangerous because it lets an attacker run virtually any code on your server. It can be exploited remotely, without authentication, and requires only a minimal skill set from the attacker. Given the near-universal use of Log4j in Java applications, immediate action was needed from software developers and SaaS providers to mitigate damage and eliminate exposure to this exploit.
Is My Organization at Risk?
Atlassian became aware of Log4shell on December 9th and released the following statements:
Are Cloud instances affected?
No, Atlassian customers are not vulnerable, and no action is required. This vulnerability has been mitigated for all Atlassian cloud products previously using vulnerable versions of Log4j. To date, our analysis has not identified compromise of Atlassian systems or customer data prior to the patching of these systems.
For Atlassian Cloud products, the framework provided by Atlassian for Apps ensures that they are not vulnerable to Log4shell. Atlassian will continue monitoring and reviewing marketplace apps to ensure they are not susceptible to Log4shell or other similar exploits.
The bottom line is, if you are using Atlassian products in their Cloud, you are safe from Log4shell.
Users of Atlassian on-prem tools are also safe; however, per the statement below, there is a slight chance that a trusted party can exploit a vulnerability:
Is my on-premises Server/Data Center instance affected?
Our Security team investigated the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and have determined that no Atlassian on-premises products are vulnerable to CVE-2021-44228.
Some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for on-premises products as low.
According to Atlassian’s Severity Levels for Security Issues, vulnerabilities in the low range typically have minimal impact on an organization’s business. The exploitation of such vulnerabilities usually requires local or physical system access.
With that said, low risk is not the same as no risk. The impending end of support for Atlassian’s server products has already made Cloud migration a near- to medium-term goal for many organizations. In light of vulnerabilities such as Log4shell, many customers now consider Cloud migration a top priority to ensure their data is not at risk.
Migrating to the Atlassian Cloud
Risk mitigation is far from the only reason to choose the Atlassian Cloud. It offers a fully hosted & managed infrastructure, automatic updates, and robust security, all with no hosting or maintenance overhead. With the Atlassian Cloud, you will get immediate access to the latest features, security updates, and more automatically, without the need for planning, resource allocation, or downtime. By far, the most compelling aspect of the Cloud is that it allows you and your teams to focus time, energy, and resources on your core business. You get to choose how you spend your time, meeting mission-critical goals for your business and customers.
Addteq – your Cloud migration partner
Cloud migration isn’t as simple as moving data or applications to the Cloud. To be successful, you need to thoroughly assess existing workloads and processes, involve your key stakeholders, and explore all of your cloud options. You’ll need to plan your strategy, review security, compliance, and support aspects, back up data, and train users on new and improved features. Cloud migrations are a significant undertaking. To guarantee success, you need to work with an experienced partner who will be with you every step of the way on your migration journey.
With over 15 years of experience providing custom solutions to a wide variety of customers, Addteq is here as your Cloud Migration Partner. We have performed many migrations spanning organizations of all sizes, from small, independent businesses to enterprise-level organizations. We have successfully migrated over 500 thousand Atlassian and DevOps users across on-premises and cloud environments. As your Cloud Migration Partner, we will work closely with you and your teams to assess your current environment, recommend a migration strategy, build and execute a migration plan, and provide support once you have transitioned to the Cloud. If a custom solution is required, we can create one that meets all of your needs.
As an Atlassian Platinum Partner, Addteq has the industry knowledge and technical experience to work with the full suite of Atlassian products and the vast library of applications in the Atlassian marketplace. We provide a range of accredited Atlassian consulting, migration, and training services, along with integrations and customizations to organizations across all industries. Our advanced knowledge of Atlassian Cloud products, including product configuration expertise, customized solutions, and implementation services, enables us to power innovation for organizations making the most of the Atlassian Cloud.
Our large pool of Atlassian SMEs builds partnerships based on mutually beneficial relationships. By investing time, implementing the right resources, and focusing on open communication, our Atlassian experts have what it takes to provide solutions that best fit the needs of your business, regardless of size or type. We’ve been there, and we’ve done this – and we’d love the opportunity to help with your migration.
Let Addteq Assess Your Current Environment
Addteq will provide you with a FREE Migration Readiness Assessment to determine your current setup and specialized situations. Your custom assessment will include license & app assessment, migration steps, major blockers, and much more.
This assessment will help you answer:
- Which service tier should we choose – Standard, Premium, or Enterprise?
- Can we migrate all of our marketplace apps and their data?
- How can we maintain GDPR or other forms of compliance?
- Should we stick with our Server instance until the end of support in 2024?
We are here to help answer these and any questions you may have. When you are ready to take the next step, let us know how to help you forge a path and ensure success in the Cloud.