Log4j JndiManager class in Elastic Search

I have updated to the latest Bitbucket 7.19.1 on my Windows server as per Atlassian guidance:

https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html

However, the bundled ElasticSearch in this latest version still contains Log4j-core-2.11.1.

I have removed the JndiLookup class file from the jar, but the vulnerability scanner I'm using is still finding issues:

indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager.class): log4j 2.9.0-2.11.2

indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager$1.class): log4j 2.4-2.11.2

indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/pattern/MessagePatternConverter.class): log4j 2.10-2.11

indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class): log4j 2.9.1-2.10.0

Do I need to delete the JndiManager class files too to be mitigated from all CVEs related to L4j?

Thanks

1 answer

I'm in the same situation; I removed JndiLookup.class following the Apache suggestion, because we can't upgrade just now: https://logging.apache.org/log4j/2.x/security.html

Where is the source of information that establishes that this class is vulnerable?
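A defender-side check for the situation both the question and this answer describe, added here as an example and not code from the thread, from Atlassian or from Apache: it builds a constructed stand-in for log4j-core-2.11.1.jar, applies the JndiLookup.class removal from the Apache advisory linked above, and reports which of the entries named in the scanner output are still present afterwards. The jar contents are constructed (empty class entries only), and reading the version from the Maven pom.properties path inside the jar is an assumption about how the real jar is packaged.

```python
import io
import zipfile

CORE = "org/apache/logging/log4j/core/"
# Entry the Apache advisory has you remove (CVE-2021-44228 mitigation).
JNDI_LOOKUP = CORE + "lookup/JndiLookup.class"
# Entries the scanner output quoted in the question reports as version indicators.
INDICATOR_CLASSES = (
    CORE + "net/JndiManager.class",
    CORE + "net/JndiManager$1.class",
    CORE + "net/JndiManager$JndiManagerFactory.class",
    CORE + "pattern/MessagePatternConverter.class",
)
# Assumed Maven metadata path inside the jar; used only to read the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def audit_log4j_jar(jar_bytes: bytes) -> dict:
    """Report the version, whether JndiLookup is still present, and which
    indicator classes a signature-based scanner will still match."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {
        "version": version,
        "jndi_lookup_present": JNDI_LOOKUP in names,
        "indicators_present": sorted(n for n in INDICATOR_CLASSES if n in names),
    }


def strip_class(jar_bytes: bytes, class_name: str) -> bytes:
    """Rewrite the jar without one entry, the same effect as deleting it with zip."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename != class_name:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()


def build_sample_jar() -> bytes:
    """Constructed stand-in for log4j-core-2.11.1.jar (empty class entries only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.11.1\n")
        for name in (JNDI_LOOKUP,) + INDICATOR_CLASSES:
            zf.writestr(name, b"")
    return buf.getvalue()
```

Running the audit before and after the strip shows why the scanner output in the question is unchanged apart from JndiLookup: the jar still carries the entries the tool uses as version indicators, so a scanner keyed on those entries reports the same version range until the jar itself is replaced.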
