Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Bundled ElasticSearch and Log4j 2.17

Installed Version 7.17.4

Per the mitigation for the BUNDLED elastic search is to set formatMsgNoLookups=true. 

HOWEVER, per Apache - Log4j – Apache Log4j Security Vulnerabilities -  we discovered that these measures only limit exposure while leaving some attack vectors open.

VENDOR updated their guidance - Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Announcements / Security Announcements - Discuss the Elastic Stack - to update to 7.16.2 and 6.8.22.

Can an official response be provided directly to address all THREE vulnerabilities as they relate to the BUNDLED elastic search install? CVE-2021-44228, CVE-2021-45046, CVE-2021-45105.

Which version of ElasticSearch is shipped with the latest patched versions? Will a new release be provided that strips out the JndiLookup.class file entirely per Apache recommendation if you can't update due to licensing? Is there official guidance how to switch from the bundled to a self-install that potentially is fully patched?

1 answer

0 votes
Daniel Eads Atlassian Team Dec 22, 2021

Hi @Moshe A ,

The additional FAQ for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 covers all three mentioned CVEs.

Daniel | Atlassian Support

@Daniel Eads , the article does not fully answer my questions. Namely:


> Neither Bitbucket Server nor Data Center use Log4j, they use Logback.

Is BitBucket susceptible to CVE-2021-42550 relating to LogBack? 


> Bitbucket Server and Data Center are vulnerable due to usage of Elasticsearch ... Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

Notice the linked article talks about only one of the CVE. I asked about the remaining two. Obviously the update from Dec 16 doesn't help for CVE announced on Dec 18, especially since Elastic has updated their advisory and Atlassian did not.

Like John Reynolds likes this

@Daniel Eads ping ... CVE-2021-42550 was patched in latest 7.19.2 but not LTS 7.17.x and no statement has been made.

Daniel Eads Atlassian Team Jan 06, 2022

Please see BSERV-13093 for details around the Logback version upgrade in Bitbucket Server, related to CVE-2021-42550. The upgrade for 7.17.x is slated for 7.17.5 which has not been released yet.

Suggest an answer

Log in or Sign up to answer

Atlassian Community Events