Installed Version 7.17.4
Per https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html the mitigation for the BUNDLED Elasticsearch is to set formatMsgNoLookups=true.
HOWEVER, per Apache - Log4j – Apache Log4j Security Vulnerabilities - we discovered that these measures only limit exposure while leaving some attack vectors open.
VENDOR updated their guidance - Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Announcements / Security Announcements - Discuss the Elastic Stack - to update to 7.16.2 and 6.8.22.
Can an official response be provided directly to address all THREE vulnerabilities as they relate to the BUNDLED elastic search install? CVE-2021-44228, CVE-2021-45046, CVE-2021-45105.
Which version of Elasticsearch is shipped with the latest patched versions? Will a new release be provided that strips out the JndiLookup.class file entirely per the Apache recommendation if you can't update due to licensing? Is there official guidance on how to switch from the bundled install to a self-install that is potentially fully patched?
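As an added example (not code from the original thread, and not Atlassian's or Elastic's own tooling), the following script does the two checks the post above is asking about for a bundled Elasticsearch: it inspects every log4j-core jar under a lib directory, compares the jar version against the log4j releases that fix CVE-2021-44228 (2.15.0), CVE-2021-45046 (2.16.0) and CVE-2021-45105 (2.17.0), and applies Apache's "delete JndiLookup.class from the jar" mitigation. The lib path, the sample jar name `log4j-core-2.11.1.jar` and its contents are constructed for the demo and are assumptions, not a real Elasticsearch artifact.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Path of the class Apache recommends deleting when you cannot upgrade log4j.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# First log4j-core release (Java 8+ line) that fixes each CVE named in the thread.
# The 2.12.x (Java 7) and 2.3.x (Java 6) back-port lines are not modelled here.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}


def parse_version(jar_name):
    """Extract (major, minor, patch) from a file name like log4j-core-2.11.1.jar."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def unpatched_cves(version):
    """CVEs from FIXED_IN that the given log4j-core version does NOT fix."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def has_jndi_lookup(jar_path):
    """True if JndiLookup.class is still inside the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (equivalent to Apache's
    'zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class').
    Returns True if the class was present and removed."""
    src = Path(jar_path)
    tmp = src.with_name(src.name + ".tmp")
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    tmp.replace(src)  # atomically swap the stripped jar into place
    return removed


def audit_lib_dir(lib_dir):
    """Report every log4j-core jar under lib_dir: version, CVEs that version
    does not fix, and whether JndiLookup.class is still present."""
    report = {}
    for jar in sorted(Path(lib_dir).rglob("log4j-core-*.jar")):
        version = parse_version(jar.name)
        report[jar.name] = {
            "version": version,
            # An unparseable version is treated as unpatched for all three CVEs.
            "unpatched": unpatched_cves(version) if version else list(FIXED_IN),
            "jndi_lookup_present": has_jndi_lookup(jar),
        }
    return report


def make_sample_jar(path):
    """Constructed stand-in for a vulnerable log4j-core jar (not a real build)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Audit a constructed lib dir, strip JndiLookup, audit again.
    Returns (report_before, class_was_removed, report_after)."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d) / "elasticsearch" / "lib"  # assumed layout for the demo
        lib.mkdir(parents=True)
        jar = lib / "log4j-core-2.11.1.jar"      # assumed, pre-fix version
        make_sample_jar(jar)
        before = audit_lib_dir(lib)
        removed = strip_jndi_lookup(jar)
        after = audit_lib_dir(lib)
        return before, removed, after


if __name__ == "__main__":
    before, removed, after = demo()
    print("before:", before)
    print("removed JndiLookup.class:", removed)
    print("after: ", after)
```

Two caveats worth keeping in mind when reading the report: `formatMsgNoLookups=true` only exists on log4j 2.10 and later and, like deleting `JndiLookup.class`, it addresses the JNDI-based CVE-2021-44228 and CVE-2021-45046 only; CVE-2021-45105 is a recursion problem in the lookup substitution code and is fixed only by moving to a log4j-core version at or above 2.17.0, which is why the script still lists it after the class has been stripped.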
@Daniel Eads , the article does not fully answer my questions. Namely:
> Neither Bitbucket Server nor Data Center use Log4j, they use Logback.
Is Bitbucket susceptible to CVE-2021-42550 relating to Logback?
> Bitbucket Server and Data Center are vulnerable due to usage of Elasticsearch ... Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228
Notice the linked article talks about only one of the CVEs. I asked about the remaining two. Obviously the update from Dec 16 doesn't help for CVEs announced on Dec 18, especially since Elastic has updated their advisory and Atlassian has not.