The JetBrains YouTrack application is affected by the Log4j vulnerability. YouTrack InCloud has already been patched, so no exploitation can occur there, whereas the YouTrack Standalone version needs to be patched immediately to prevent the Log4j vulnerability from being exploited. If you are using YouTrack Standalone 2017.4 or earlier, you are not affected; if you are using YouTrack Standalone 2018.1 or later, you might be affected by this vulnerability.
Versions affected: 2018.1 to 2021.4.35732
Steps to be taken for mitigation:

| YouTrack version | Status | Mitigation |
|---|---|---|
| 2018.1 to 2021.2 | Affected | Upgrade to 2021.4.35372. |
| 2021.3 to 2021.4.35732 | Affected | Upgrade to 2021.4.35970. |
| 2018.1 to 2021.2 with External Hub | Affected | Upgrade to 2021.4.35970. |
Source: https://blog.jetbrains.com/youtrack/2021/12/youtrack-update-regarding-log4j2-vulnerability/
Although the blog post above says this can be mitigated by setting -Dlog4j2.formatMsgNoLookups to true, this does not seem to be the case: the vulnerability can still be exploited regardless of this setting. There might be further updates, as Log4j 2.16.0 has already been released.
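Because the flag alone cannot be relied on, it helps to check which log4j-core jars an installation actually ships after upgrading. The script below is an added example, not code from JetBrains or from the original post: it walks a directory, reads the version from each log4j-core jar name and checks whether the JndiLookup class is still packaged. Assumptions: the install path is passed by the operator, the 2.16.0 release mentioned above is used as the minimum version, and only jar files on disk are inspected (not jars nested inside other archives).

```python
import re
import sys
import zipfile
from pathlib import Path

# Class that performs the JNDI lookup inside log4j-core 2.x.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: the 2.16.0 release mentioned above is treated as the minimum version.
MIN_VERSION = (2, 16, 0)
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")


def scan(root):
    """Return (path, version, has_jndi_class, needs_action) per log4j-core jar."""
    findings = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        match = JAR_NAME.search(jar.name)
        if not match:
            continue
        version = tuple(int(part or 0) for part in match.groups())
        try:
            with zipfile.ZipFile(jar) as archive:
                has_jndi = JNDI_CLASS in archive.namelist()
        except zipfile.BadZipFile:
            has_jndi = True  # unreadable archive: report it instead of skipping
        # An old jar is only cleared if the lookup class was stripped from it.
        needs_action = version < MIN_VERSION and has_jndi
        findings.append((str(jar), version, has_jndi, needs_action))
    return findings


if __name__ == "__main__":
    # Hypothetical usage: python scan_log4j.py /path/to/youtrack
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version, has_jndi, needs_action in results:
        status = "NEEDS ACTION" if needs_action else "ok"
        print(f"{status:12} {'.'.join(map(str, version))} jndi={has_jndi} {path}")
    sys.exit(1 if any(r[3] for r in results) else 0)
```

The exit code is non-zero when any jar needs action, so the script can be run after an upgrade as a pass/fail check.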