You're on your way to the next level! Join the Kudos program to earn points and save your progress.
Level 1: Seed
25 / 150 points
1 badge earned
Challenges come and go, but your rewards stay with you. Do more to earn more!
What goes around comes around! Share the love by gifting kudos to your peers.
Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!
Join now to unlock these features and more
My IT security team keep flagging bitbucket server (well its elasticsearch service) as a threat due to the log4j vulnerability.
I upgraded to the lastest 7.19.3 which I thought from the release notes was deploying the "safe" 2.16 version but it turns out that I can still see 2.11.
Please provide a clear walk through on how to remove these files (which I believed are not used for logging by Bitbucket) and/or upgrade to 2.16.
I was just going through some FQA's pulled out from this link https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html
I see Bitbucket Server/Data Center isn't in the list of products using Log4j but I can see Log4j JAR files in my installation directory, is my instance vulnerable?
Neither Bitbucket Server nor Data Center use Log4j, they use Logback. The files exist to allow Log4j components to be used for the logging framework which isn't vulnerable.
We have updated our security advisory on 16 Dec 2021 to highlight that Bitbucket Server and Data Center are vulnerable due to usage of Elasticsearch which is bundled with Bitbucket. Learn more about upgrading to a fixed version and how to mitigate the vulnerability in the interim in the advisory: Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228
Still referring to Bitbucket Server/Data Center, should I delete the JAR files?
No, do not delete the JAR files. While deleting the JARs won't impact core Bitbucket functionality, other apps may be impacted, including apps in the Atlassian ecosystem. The apps that use our Log4j's APIs (v1 or v2) in product actually log with Logback.
Hope this helps !!, let me know in case of any questions.
Having said these, where did you see in release notes that there was upgraded log4j ?
Hi @Vishwas N M ,
Thank you for coming back to me.
I believe the workaround
has no been discredited and should be ignored.
of removing the offending class from the *.jar file.
First time I let my IT department do it and ended up with a crippled BitBucket but I re-installed it anew and when I did it myself, it worked a treat.