In our investigation of the org.apache.log4j version used within Atlassian products (v1.2.17), we also found a reference to an older vulnerability, CVE-2019-17571, referenced here: https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#log4j-v1 and https://www.cvedetails.com/cve/CVE-2019-17571/
"Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17."
Internal investigation has found that the vulnerable classes have been removed from the log4j packages shipped with Atlassian products.
As noted in the FAQ for CVE-2021-44228, Atlassian products use a fork of log4j 1.2.17 that is maintained by Atlassian themselves.
We have found the following reference about work done to mitigate this in Fisheye: https://jira.atlassian.com/browse/FE-7344
We have requested clarification from Atlassian, and it has been confirmed that the affected classes have indeed been removed by Atlassian as part of preparing their forked version of the package.
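One way to verify this on a deployed instance is to list the entries of every log4j jar under the product's library directory and check whether the classes removed by the CVE-2019-17571 fix are still present. The script below is an added example, not part of the original post or of Atlassian's tooling. It assumes the jar entry names org/apache/log4j/net/SocketServer.class (the class named above) and org/apache/log4j/net/SocketNode.class (the companion class that performs the deserialization); the sample jars it builds are constructed stand-ins, not real log4j builds.

```python
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Class files removed by the Apache fix for CVE-2019-17571 in log4j 1.2.x.
# SocketServer is the class named in the CVE text; SocketNode is the helper that
# calls readObject() on received traffic. Both live in org.apache.log4j.net.
SUSPECT_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)


def scan_jar(jar_path: Path) -> List[str]:
    """Return the suspect class entries present in one jar (empty list = clean)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [cls for cls in SUSPECT_CLASSES if cls in names]


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk a library directory (e.g. a product's WEB-INF/lib) and report per-jar findings."""
    findings: Dict[str, List[str]] = {}
    for jar in sorted(root.rglob("*.jar")):
        try:
            hits = scan_jar(jar)
        except zipfile.BadZipFile:
            # Report unreadable archives rather than silently treating them as clean.
            hits = ["<unreadable jar>"]
        findings[str(jar.relative_to(root))] = hits
    return findings


def build_sample_jar(path: Path, include_socket_classes: bool) -> Path:
    """Construct a minimal jar for demonstration (constructed sample, not a real log4j build)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Placeholder class bytes; only the entry names matter for this check.
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        if include_socket_classes:
            for cls in SUSPECT_CLASSES:
                zf.writestr(cls, b"\xca\xfe\xba\xbe")
    return path


def demo(workdir: Path) -> Dict[str, List[str]]:
    """Build one stock-style jar and one fork-style jar (hypothetical names), then scan them."""
    lib = workdir / "WEB-INF" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    build_sample_jar(lib / "log4j-1.2.17-stock.jar", include_socket_classes=True)
    build_sample_jar(lib / "log4j-1.2.17-atlassian-fork.jar", include_socket_classes=False)
    return scan_tree(lib)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for jar, hits in demo(Path(tmp)).items():
            status = "suspect classes present" if hits else "clean"
            print(f"{jar}: {status} {hits}")
```

To run it against a real installation, call scan_tree() with the product's library directory instead of demo(); any jar that reports a non-empty list still carries the SocketServer code path and should be compared against the Atlassian fork described above.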