Bundled ElasticSearch and Log4j 2.17

Installed Version 7.17.4

Per https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html the mitigation for the BUNDLED Elasticsearch is to set formatMsgNoLookups=true.

HOWEVER, per Apache's Log4j Security Vulnerabilities page, we discovered that these measures only limit exposure while leaving some attack vectors open.

The VENDOR updated their guidance (Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31, Security Announcements, Discuss the Elastic Stack) to update to 7.16.2 and 6.8.22.

Can an official response be provided directly to address all THREE vulnerabilities as they relate to the BUNDLED Elasticsearch install? CVE-2021-44228, CVE-2021-45046, CVE-2021-45105.

Which version of Elasticsearch is shipped with the latest patched versions? Will a new release be provided that strips out the JndiLookup.class file entirely per the Apache recommendation if you can't update due to licensing? Is there official guidance on how to switch from the bundled to a self-installed Elasticsearch that is potentially fully patched?
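As an added, constructed example (not from this thread, Atlassian or Elastic), here is a check an administrator could run against the bundled Elasticsearch lib directory: it classifies each log4j-core jar by its version and by whether JndiLookup.class is still inside, and treats the formatMsgNoLookups flag from the question as the partial mitigation it is. The 2.17.0 threshold, the jar naming pattern and the sample jars built in demo() are assumptions.

```python
import re
import tempfile
import zipfile
from pathlib import Path
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class Apache says to delete
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
FIXED = (2, 17, 0)  # assumption: first 2.x release Apache lists as addressing all three CVEs

def assess_jar(jar_path):
    """Classify one log4j-core jar as 'fixed', 'jndi_removed' or 'vulnerable'."""
    m = JAR_RE.search(jar_path.name)
    version = tuple(int(x) for x in m.groups()) if m else None
    with zipfile.ZipFile(jar_path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    if version is not None and version >= FIXED:
        return "fixed"
    return "vulnerable" if has_jndi else "jndi_removed"

def format_flag_set(jvm_options_text):
    """True if jvm.options sets formatMsgNoLookups; this is only a partial mitigation."""
    return any(l.strip() == "-Dlog4j2.formatMsgNoLookups=true" for l in jvm_options_text.splitlines())

def assess_install(lib_dir, jvm_options_text):
    """Return (per-jar results, overall verdict) for one Elasticsearch lib directory."""
    results = {j.name: assess_jar(j) for j in sorted(Path(lib_dir).glob("log4j-core-*.jar"))}
    if not results:
        return results, "no log4j-core jar found"
    if all(r != "vulnerable" for r in results.values()):
        return results, "patched"
    if format_flag_set(jvm_options_text):
        return results, "partially mitigated: flag set, CVE-2021-45046/45105 still possible"
    return results, "vulnerable"

def make_sample_jar(path, with_jndi):
    with zipfile.ZipFile(path, "w") as zf:  # constructed stand-in jar, placeholder bytes
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
def demo():
    """Assess three constructed lib directories and return their verdicts."""
    verdicts = {}
    for name, jar, jndi, opts in [
        ("old_flag_only", "log4j-core-2.11.1.jar", True, "-Xms1g\n-Dlog4j2.formatMsgNoLookups=true\n"),
        ("old_class_removed", "log4j-core-2.11.1.jar", False, "-Xms1g\n"),
        ("upgraded", "log4j-core-2.17.0.jar", True, "-Xms1g\n"),
    ]:
        with tempfile.TemporaryDirectory() as d:
            make_sample_jar(Path(d) / jar, jndi)
            verdicts[name] = assess_install(d, opts)[1]
    return verdicts
```

On a real install, point assess_install at the bundled Elasticsearch lib directory and pass the contents of its config/jvm.options.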

Daniel Eads Atlassian Team Dec 22, 2021

Hi @Moshe A,

The additional FAQ for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 covers all three mentioned CVEs.

Cheers,
Daniel | Atlassian Support

@Daniel Eads , the article does not fully answer my questions. Namely:

> Neither Bitbucket Server nor Data Center use Log4j, they use Logback.

Is BitBucket susceptible to CVE-2021-42550 relating to LogBack? 

> Bitbucket Server and Data Center are vulnerable due to usage of Elasticsearch ... Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

Notice the linked article talks about only one of the CVEs. I asked about the remaining two. Obviously the update from Dec 16 doesn't help for CVEs announced on Dec 18, especially since Elastic has updated their advisory and Atlassian did not.

@Daniel Eads ping ... CVE-2021-42550 was patched in the latest 7.19.2 but not in LTS 7.17.x, and no statement has been made.

Daniel Eads Atlassian Team Jan 06, 2022

Please see BSERV-13093 for details around the Logback version upgrade in Bitbucket Server, related to CVE-2021-42550. The upgrade for 7.17.x is slated for 7.17.5 which has not been released yet.
