Log4j JndiManager class in Elastic Search

Have updated to the latest Bitbucket 7.19.1 on my Windows server as per Atlassian guidance:

https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html

However, the bundled ElasticSearch in this latest version still contains Log4j-core-2.11.1.

I have removed the JndiLookup class file from the jar, but the vulnerability scanner I'm using is still finding issues:

indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager.class): log4j 2.9.0-2.11.2


indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager$1.class): log4j 2.4-2.11.2


indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/pattern/MessagePatternConverter.class): log4j 2.10-2.11


indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class): log4j 2.9.1-2.10.0

 

Do I need to delete the JndiManager class files too to be mitigated from all CVEs related to L4j?

Thanks

1 answer

0 votes

I'm in the same situation, removed JndiLookup.class thanks to Apache's suggestion because we can't upgrade just now: https://logging.apache.org/log4j/2.x/security.html

Where is the source of information that establishes that this class is vulnerable?
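
Both posts describe removing the JndiLookup class from log4j-core-2.11.1.jar while the scanner keeps matching on other class files in the same jar. The following is an added example, not part of the original thread: it reports which of those entries a jar still contains, so the removal can be confirmed and the scanner's matches can be tied to concrete files. The JndiLookup entry path (the class's standard location in log4j-core) and the sample jar with empty placeholder entries are assumptions, not taken from the page.

```python
import io
import zipfile

# Class removed as the mitigation in this thread (entry path is an assumption:
# the page names the class but not its path inside the jar).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Class files the scanner output in the question matched on.
SCANNER_MATCHED = [
    "org/apache/logging/log4j/core/net/JndiManager.class",
    "org/apache/logging/log4j/core/net/JndiManager$1.class",
    "org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class",
    "org/apache/logging/log4j/core/pattern/MessagePatternConverter.class",
]


def audit_jar(jar):
    """Report which of the classes above a log4j-core jar still contains.

    `jar` is a filesystem path or a binary file object.
    """
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    return {
        "jndi_lookup_present": JNDI_LOOKUP in names,
        "scanner_matched_present": [n for n in SCANNER_MATCHED if n in names],
    }


def build_sample_jar(include_lookup):
    """Constructed stand-in for a log4j-core jar (empty placeholder entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SCANNER_MATCHED:
            zf.writestr(name, b"")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, jar in (("original", build_sample_jar(True)),
                       ("JndiLookup removed", build_sample_jar(False))):
        result = audit_jar(jar)
        print(label, "-> JndiLookup present:", result["jndi_lookup_present"])
        for name in result["scanner_matched_present"]:
            print("   still in jar:", name)
```

To check a real installation, pass the jar's path to `audit_jar` instead of the constructed sample.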
