Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Log4j jar files still showing 2.11 in BitBucket 7.19.3

Ben238
Ben238 January 21, 2022

My IT security team keep flagging bitbucket server (well its elasticsearch service) as a threat due to the log4j vulnerability.

I upgraded to the lastest 7.19.3 which I thought from the release notes was deploying the "safe" 2.16 version but it turns out that I can still see 2.11.

Please provide a clear walk through on how to remove these files (which I believed are not used for logging by Bitbucket) and/or upgrade to 2.16.

 

Answer
Watch
Like Be the first to like this
719 views

2 answers

1 accepted

0 votes
Answer accepted
Ben238
Ben238 January 24, 2022

I ended up applying the solution provided by @Radek Janata on
Log4J vulnerability (atlassian.com)

of removing the offending class from the *.jar file.

Reply
1 vote
Vishwas
Vishwas
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 22, 2022

Hey @Ben238 

I was just going through some FQA's pulled out from this link https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

I see Bitbucket Server/Data Center isn't in the list of products using Log4j but I can see Log4j JAR files in my installation directory, is my instance vulnerable?

Neither Bitbucket Server nor Data Center use Log4j, they use Logback. The files exist to allow Log4j components to be used for the logging framework which isn't vulnerable.

We have updated our security advisory on 16 Dec 2021 to highlight that Bitbucket Server and Data Center are vulnerable due to usage of Elasticsearch which is bundled with Bitbucket. Learn more about upgrading to a fixed version and how to mitigate the vulnerability in the interim in the advisory: Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

 

Still referring to Bitbucket Server/Data Center, should I delete the JAR files?

No, do not delete the JAR files. While deleting the JARs won't impact core Bitbucket functionality, other apps may be impacted, including apps in the Atlassian ecosystem. The apps that use our Log4j's APIs (v1 or v2) in product actually log with Logback. 

 

Hope this helps !!, let me know in case of any questions. 

Having said these, where did you see in release notes that there was upgraded log4j ?

Regards,

Vishwas

View More Comments
Ben238
Ben238 January 24, 2022

Hi @Vishwas N M ,

Thank you for coming back to me.

I believe the workaround 

-Dlog4j2.formatMsgNoLookups=true

has no been discredited and should be ignored.

I ended up applying the solution provided by @Radek Janata on
Log4J vulnerability (atlassian.com)

of removing the offending class from the *.jar file.

First time I let my IT department do it and ended up with a crippled BitBucket but I re-installed it anew and when I did it myself, it worked a treat.

Like Radek Janata likes this
Vishwas
Vishwas
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 24, 2022

Hey @Ben238 

That's great !!

Thanks for sharing the solution.

Regards,

Vishwas

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
DEPLOYMENT TYPE
SERVER
VERSION
7.19.3
TAGS
AUG Leaders

Atlassian Community Events

    See all events