Hi
Our Bamboo seems to use:
[root@org-bamb1-prod1 ~]# find / -type f -name "*log4j*.jar"
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/log4j-api-2.9.0.jar
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/log4j-to-slf4j-2.9.0.jar
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/slf4j-log4j12-1.7.31.jar
/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17.jar
/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/log4j-api-2.9.0.jar
/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/log4j-to-slf4j-2.9.0.jar
/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/slf4j-log4j12-1.7.25.jar
Based on ref: https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html
I'm unable to find anything for org.apache.log4j.net.JMSAppender in log4j.properties in Bamboo.
Could you please advise us: is my device affected or not?
Hi all,
Daniel with Atlassian Support here to let you know our security team has finished its investigation. We have an official response statement here on Community, which you can access at this link.
More information can be found on our advisory page, as well as the previously-published FAQ:
Thanks,
Daniel Eads | Atlassian Support
@Alexey Chystoprudov @Daniel Eads
I am also getting the results below in Bitbucket Server v7.16.0:
/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-api-2.14.1.jar
/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-core-2.14.1.jar
/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-over-slf4j-1.7.25.jar
/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-to-slf4j-2.14.1.jar
/opt/atlassian/bitbucket/7.16.0/elasticsearch/lib/log4j-api-2.11.1.jar
/opt/atlassian/bitbucket/7.16.0/elasticsearch/lib/log4j-core-2.11.1.jar
Is my device affected?
Shall I keep or remove the log4j-api-2.14.1.jar file from Bitbucket?
Hi all,
Daniel from Atlassian Support - I'd like to let you know that we have updated the advisory to include more information about Bitbucket Server, Bitbucket Data Center, and the bundled elasticsearch product. Please refer to the advisory for the most current guidance:
Thanks,
Daniel Eads | Atlassian Support