Log4J vulnerability - Bamboo


Hi

Our bamboo seems to use 

[root@org-bamb1-prod1 ~]# find / -type f -name "*log4j*.jar"

/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/log4j-api-2.9.0.jar
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/log4j-to-slf4j-2.9.0.jar
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/slf4j-log4j12-1.7.31.jar

/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17.jar
/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/log4j-api-2.9.0.jar
/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/log4j-to-slf4j-2.9.0.jar
/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/slf4j-log4j12-1.7.25.jar

 

Based on ref: https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

I'm unable to find anything for org.apache.log4j.net.JMSAppender in log4j.properties in Bamboo.

Could you please advise whether my device is affected or not?

4 comments

If you don't use JMSAppender, your device is not affected according to our knowledge about this attack vector for now. In case of any changes or new vectors being identified, the page https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html will be updated.
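
The check described in the reply above, as an added example (not part of the original thread and not Atlassian's code): it classifies the jar names that `find` returns and looks for an active JMSAppender line in a Log4j 1.x properties file. The function names and the properties path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not an Atlassian tool.

# Classify a jar by file name. The JNDI lookup code behind CVE-2021-44228
# ships in log4j-core 2.x; API and bridge jars do not contain it.
classify_jar() {
    case "$(basename "$1")" in
        log4j-core-2.*.jar) echo "log4j2-core" ;;
        log4j-1.*.jar)      echo "log4j1" ;;
        *log4j*.jar)        echo "api-or-bridge" ;;
        *)                  echo "unrelated" ;;
    esac
}

# Succeed if an active (non-comment) line names the Log4j 1.x JMSAppender.
uses_jms_appender() {
    grep -v '^[[:space:]]*[#!]' "$1" |
        grep -q 'org\.apache\.log4j\.net\.JMSAppender'
}

# Usage: find / -type f -name "*log4j*.jar" | report /path/to/log4j.properties
# Prints one verdict line per jar path read from stdin.
report() {
    props=$1
    [ -r "$props" ] || { echo "cannot read $props" >&2; return 2; }
    if uses_jms_appender "$props"; then jms=yes; else jms=no; fi
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        case "$(classify_jar "$jar")" in
            log4j1)
                if [ "$jms" = yes ]; then
                    echo "REVIEW $jar (log4j 1.x, JMSAppender configured)"
                else
                    echo "NOTE   $jar (log4j 1.x, no JMSAppender in $props)"
                fi ;;
            log4j2-core)
                echo "REVIEW $jar (log4j-core 2.x, check vendor advisory)" ;;
            api-or-bridge)
                echo "INFO   $jar (API or bridge jar, no log4j-core)" ;;
        esac
    done
}
```

Matching on file names does not see log4j classes repackaged inside other archives, so treat the output as a first pass.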

Hi all,

Daniel with Atlassian Support here to let you know our security team has finished its investigation. We have an official response statement here on Community, which you can access at this link.

More information can be found on our advisory page, as well as the previously-published FAQ:

Thanks,
Daniel Eads | Atlassian Support

@Alexey Chystoprudov @Daniel Eads 

I'm also getting the below results in Bitbucket Server 7.16.0v:

/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-api-2.14.1.jar
/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-core-2.14.1.jar
/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-over-slf4j-1.7.25.jar
/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-to-slf4j-2.14.1.jar
/opt/atlassian/bitbucket/7.16.0/elasticsearch/lib/log4j-api-2.11.1.jar
/opt/atlassian/bitbucket/7.16.0/elasticsearch/lib/log4j-core-2.11.1.jar

Is my device affected?

Shall I keep or remove the log4j-api-2.14.1.jar file from Bitbucket?

Daniel Eads Atlassian Team Dec 15, 2021

Hi all,

Daniel from Atlassian Support - I'd like to let you know that we have updated the advisory to include more information about Bitbucket Server, Bitbucket Data Center, and the bundled elasticsearch product. Please refer to the advisory for the most current guidance:

Thanks,
Daniel Eads | Atlassian Support 
