We have been asked if S/Notify is affected by the Log4j vulnerability that has just been filed under CVE-2021-44228 (also referred to as Log4Shell) in the National Vulnerability Database of NIST.
The short answer is: no.
Now here’s the longer answer:
S/Notify internally uses the slf4j library for logging purposes, so our apps are not directly affected.
You may be interested to know that the S/Notify source code is regularly scanned for vulnerabilities in its libraries against the National Vulnerability Database.
However, slf4j logging can be redirected to whatever the host application (Jira, Confluence etc.) uses. So, while we are not logging with the affected Log4j, the issue could theoretically be passed on to the host's logging.
Atlassian is currently investigating, but does not expect to find issues. Please follow Atlassian’s FAQ for CVE-2021-44228 for details and updates.
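To see which backend slf4j actually hands log calls to in a given runtime, the following added example (not S/Notify or Atlassian code) reports the bound slf4j factory and whether log4j-core is visible. The class name `Slf4jBackendCheck` is hypothetical, and the result only reflects the class loader the check runs in, which matters in plugin containers such as the Atlassian hosts.

```java
import org.slf4j.LoggerFactory;

public class Slf4jBackendCheck {

    // Map the bound SLF4J factory class to the logging backend it delegates to.
    static String backendFor(String factoryClass) {
        if (factoryClass.startsWith("org.apache.logging.slf4j.")) {
            return "Log4j 2.x (via log4j-slf4j-impl)";
        }
        if (factoryClass.equals("org.slf4j.impl.Log4jLoggerFactory")) {
            return "Log4j 1.x (via slf4j-log4j12)";
        }
        if (factoryClass.startsWith("ch.qos.logback.")) {
            return "Logback";
        }
        if (factoryClass.equals("org.slf4j.helpers.NOPLoggerFactory")) {
            return "none (no binding found, log calls are discarded)";
        }
        return "other/unknown";
    }

    // Return the log4j-core version visible to this class loader, or null if absent.
    static String log4jCoreVersion() {
        try {
            // initialize=false: locate the class without starting Log4j itself.
            Class<?> c = Class.forName("org.apache.logging.log4j.core.LoggerContext",
                    false, Slf4jBackendCheck.class.getClassLoader());
            Package p = c.getPackage();
            String v = (p == null) ? null : p.getImplementationVersion();
            return (v == null) ? "present, version not in manifest" : v;
        } catch (ClassNotFoundException | LinkageError e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String factory = LoggerFactory.getILoggerFactory().getClass().getName();
        System.out.println("SLF4J factory : " + factory);
        System.out.println("Backend       : " + backendFor(factory));
        String core = log4jCoreVersion();
        System.out.println("log4j-core    : " + (core == null ? "not on classpath" : core));
    }
}
```

A Log4j 2.x backend together with a log4j-core version is what needs to be compared against the affected versions listed in the CVE-2021-44228 entry.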
We’ll update this blog page if we receive any relevant updates.