Bundled Elasticsearch and Log4j 2.17

Moshe A December 22, 2021

Installed Version 7.17.4

Per https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html the mitigation for the BUNDLED Elasticsearch is to set formatMsgNoLookups=true.

HOWEVER, per Apache - Log4j – Apache Log4j Security Vulnerabilities - we discovered that these measures only limit exposure while leaving some attack vectors open.

VENDOR updated their guidance - Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Announcements / Security Announcements - Discuss the Elastic Stack - to update to 7.16.2 and 6.8.22.

Can an official response be provided directly to address all THREE vulnerabilities as they relate to the BUNDLED Elasticsearch install? CVE-2021-44228, CVE-2021-45046, CVE-2021-45105.

Which version of Elasticsearch is shipped with the latest patched versions? Will a new release be provided that strips out the JndiLookup.class file entirely per Apache recommendation if you can't update due to licensing? Is there official guidance on how to switch from the bundled to a self-install that potentially is fully patched?
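A worked check for the bundled install the question is about, added here as an example and not code from the original post, from Atlassian or from Elastic. It inventories the log4j-core jars under an Elasticsearch home, marks each of the three CVEs against the version in the jar file name (fix versions 2.15.0, 2.16.0 and 2.17.0 per the Apache Log4j security page), reports whether JndiLookup.class is still inside the jar, and can strip that class as Apache's fallback when upgrading is not possible. The directory layout it scans and the 2.11.1 sample jar it builds are constructed for the demo, not real Elastic artifacts. The caveat it encodes is the one a practitioner needs here: removing JndiLookup.class covers CVE-2021-44228 and CVE-2021-45046 but not CVE-2021-45105, whose lookup-recursion bug is in the Context Lookup path and is fixed only by the 2.17.0 upgrade (or by removing Context Lookups from the pattern layout).

```python
"""Inventory Log4j 2 jars under an Elasticsearch home and decide, per CVE, whether
the bundled version is fixed, whether JndiLookup.class is still present, and
optionally strip that class (Apache's fallback when upgrading is not possible).
Added example, not Atlassian's or Elastic's tooling; the sample install is constructed."""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

# First 2.x release that fixes each CVE, per the Apache Log4j security page.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(jar_name):
    """Version tuple from the conventional log4j-core-X.Y.Z.jar name, else None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def assess_jar(path):
    version = parse_version(os.path.basename(path))
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    # An unparseable version is treated as unfixed rather than silently passed.
    unfixed = [cve for cve, fixed in FIXED_IN.items() if version is None or version < fixed]
    # Deleting JndiLookup closes the JNDI vectors (44228, 45046) but not 45105,
    # whose recursion lives in the Context Lookup path, so that one stays open
    # on an unpatched version regardless of the class removal.
    exposed = [cve for cve in unfixed if cve == "CVE-2021-45105" or has_jndi]
    return {"jar": path, "version": version, "jndi_class_present": has_jndi,
            "unfixed_by_version": unfixed, "still_exposed": exposed}


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class, like `zip -q -d <jar> .../JndiLookup.class`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    Path(path).write_bytes(buf.getvalue())


def scan_install(es_home):
    """Assess every log4j-core jar under an Elasticsearch home (lib/, modules/, plugins/)."""
    return [assess_jar(str(p)) for p in sorted(Path(es_home).rglob("log4j-core-*.jar"))]


def build_sample_install(root=None):
    """Constructed stand-in for a bundled Elasticsearch: one old log4j-core jar
    carrying a placeholder JndiLookup.class. Not a real Elastic artifact."""
    root = Path(root or tempfile.mkdtemp())
    jar = root / "lib" / "log4j-core-2.11.1.jar"
    jar.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe placeholder")  # not real bytecode
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return str(root)


def demo():
    """Assess the constructed install, apply the class removal, reassess."""
    es_home = build_sample_install()
    before = scan_install(es_home)[0]
    strip_jndi_lookup(before["jar"])
    after = assess_jar(before["jar"])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, report in (("before", before), ("after strip", after)):
        print(label, report["version"], "JndiLookup:", report["jndi_class_present"],
              "still exposed:", report["still_exposed"])
```

Point `scan_install` at the real Elasticsearch home that Bitbucket ships (its `lib/`, `modules/` and `plugins/` directories are all walked) and restart Elasticsearch after any jar rewrite; the report's `still_exposed` list, not the bare version, is what to compare against the vendor advisory.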

1 answer

0 votes
Daniel Eads
Atlassian Team
December 22, 2021

Hi @Moshe A ,

The additional FAQ for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 covers all three mentioned CVEs.

Cheers,
Daniel | Atlassian Support

Moshe A December 23, 2021

@Daniel Eads , the article does not fully answer my questions. Namely:

> Neither Bitbucket Server nor Data Center use Log4j, they use Logback.

Is Bitbucket susceptible to CVE-2021-42550 relating to Logback?

> Bitbucket Server and Data Center are vulnerable due to usage of Elasticsearch ... Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

Notice the linked article talks about only one of the CVEs. I asked about the remaining two. Obviously the update from Dec 16 doesn't help for a CVE announced on Dec 18, especially since Elastic has updated their advisory and Atlassian did not.

Moshe A December 24, 2021

@Daniel Eads ping ... CVE-2021-42550 was patched in the latest 7.19.2 but not in LTS 7.17.x, and no statement has been made.

Daniel Eads
Atlassian Team
January 6, 2022

Please see BSERV-13093 for details around the Logback version upgrade in Bitbucket Server, related to CVE-2021-42550. The upgrade for 7.17.x is slated for 7.17.5 which has not been released yet.

Deployment type: Server
Version: 7.17.4