Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,460,036
Community Members
 
Community Events
176
Community Groups

Log4j jar files still showing 2.11 in BitBucket 7.19.3

Edited

My IT security team keep flagging bitbucket server (well its elasticsearch service) as a threat due to the log4j vulnerability.

I upgraded to the lastest 7.19.3 which I thought from the release notes was deploying the "safe" 2.16 version but it turns out that I can still see 2.11.

Please provide a clear walk through on how to remove these files (which I believed are not used for logging by Bitbucket) and/or upgrade to 2.16.

 

2 answers

1 accepted

0 votes
Answer accepted

I ended up applying the solution provided by @Radek Janata on
Log4J vulnerability (atlassian.com)

of removing the offending class from the *.jar file.

1 vote
Vishwas Rising Star Jan 22, 2022

Hey @Ben238 

I was just going through some FQA's pulled out from this link https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

I see Bitbucket Server/Data Center isn't in the list of products using Log4j but I can see Log4j JAR files in my installation directory, is my instance vulnerable?

Neither Bitbucket Server nor Data Center use Log4j, they use Logback. The files exist to allow Log4j components to be used for the logging framework which isn't vulnerable.

We have updated our security advisory on 16 Dec 2021 to highlight that Bitbucket Server and Data Center are vulnerable due to usage of Elasticsearch which is bundled with Bitbucket. Learn more about upgrading to a fixed version and how to mitigate the vulnerability in the interim in the advisory: Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

 

Still referring to Bitbucket Server/Data Center, should I delete the JAR files?

No, do not delete the JAR files. While deleting the JARs won't impact core Bitbucket functionality, other apps may be impacted, including apps in the Atlassian ecosystem. The apps that use our Log4j's APIs (v1 or v2) in product actually log with Logback. 

 

Hope this helps !!, let me know in case of any questions. 

Having said these, where did you see in release notes that there was upgraded log4j ?

Regards,

Vishwas

Hi @Vishwas N M ,

Thank you for coming back to me.

I believe the workaround 

-Dlog4j2.formatMsgNoLookups=true

has no been discredited and should be ignored.

I ended up applying the solution provided by @Radek Janata on
Log4J vulnerability (atlassian.com)

of removing the offending class from the *.jar file.

First time I let my IT department do it and ended up with a crippled BitBucket but I re-installed it anew and when I did it myself, it worked a treat.

Like Radek Janata likes this
Vishwas Rising Star Jan 24, 2022

Hey @Ben238 

That's great !!

Thanks for sharing the solution.

Regards,

Vishwas

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
SERVER
VERSION
7.19.3
TAGS

Atlassian Community Events