Are any of the server versions of Atlassian software affected by CVE-2021-44228? (log4j security)

Yves Belanger December 14, 2021

We are looking to see if our servers running Atlassian software (JIRA, Confluence, BitBucket) are affected by CVE-2021-44228

(Security issue with log4j)

When we do a search in the server app directories, some log4j files show up as vulnerable!

Is the server software vulnerable, and if so, are there patches available to remedy these vulnerabilities?

/apps/atlassian/bitbucket/elasticsearch/lib/log4j-core-2.11.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(

2 answers

0 votes
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 15, 2021

Hi all,

Daniel from Atlassian Support - I'd like to let you know that we have updated the advisory to include more information about Bitbucket Server, Bitbucket Data Center, and the bundled elasticsearch product. Please refer to the advisory for the most current guidance:


Thanks,
Daniel Eads | Atlassian Support

0 votes
Brant Schroeder
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
December 14, 2021

@Yves Belanger - Here is Atlassian's response: https://community.atlassian.com/t5/Trust-Security-articles/Atlassian-s-Response-to-Log4j-CVE-2021-44228/ba-p/1886598#M134

They also have this FAQ I would suggest reading. "Our Security team investigated the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and have determined that no Atlassian on-premises products are vulnerable to CVE-2021-44228." They did identify a different issue that should still be fixed. https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html


Yves Belanger December 14, 2021

I had found:

https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html

Which in short says "No Atlassian on-premises products are vulnerable to CVE-2021-44228"

but it contradicts what we see in the app directory for bitbucket.

/apps/atlassian/bitbucket/elasticsearch/lib/log4j-core-2.11.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(

It does look like JIRA and Confluence are not affected.

Brant Schroeder
Community Leader
December 14, 2021

@Yves Belanger It is interesting that in all of the posts BitBucket was not listed. Doing some further investigation, it looks like elasticsearch is the issue. You would need to patch that, which might require a bitbucket update. https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
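Added example (not from this thread, Atlassian or Elastic): a defensive inventory scan in Python that walks an install root such as the /apps/atlassian tree from the question, finds every bundled log4j-core jar, reads the version from the filename, and checks whether JndiLookup.class is still inside the jar, so a jar already mitigated by removing that class is not reported as vulnerable. The affected range it encodes (2.0-beta9 through 2.15.0, excluding the 2.12.2+ and 2.3.1+ backport releases) and the constructed sample jars are assumptions of the example, not statements from the thread.

```python
import os
import re
import zipfile

# Class whose removal from the jar was the documented mitigation for old versions.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(filename):
    """'log4j-core-2.11.1.jar' -> (2, 11, 1); a '2.0-beta9' name parses as (2, 0, 0)."""
    m = VERSION_RE.search(filename)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def in_affected_range(v):
    """Assumed affected set: 2.x below 2.16.0, minus the 2.12.2+ and 2.3.1+ backports."""
    backport = (v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1)
    return v[0] == 2 and v < (2, 16, 0) and not backport

def classify_jar(path):
    v = parse_version(os.path.basename(path))
    if v is None:
        return "unknown-version"
    if not in_affected_range(v):
        return "not-affected"
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    return "VULNERABLE" if has_jndi else "mitigated-jndilookup-removed"

def scan(root):
    """Map every log4j-core jar under root to its classification."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.startswith("log4j-core-") and f.endswith(".jar"):
                path = os.path.join(dirpath, f)
                found[path] = classify_jar(path)
    return found

def make_sample_jar(lib_dir, version, with_jndi=True):
    """Constructed stand-in jar for offline testing (real jars hold compiled classes)."""
    os.makedirs(lib_dir, exist_ok=True)
    path = os.path.join(lib_dir, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return path
```

On a real host, `scan("/apps/atlassian")` returns the same verdict per jar; a jar reported VULNERABLE should be upgraded with the vendor's fixed bundle rather than patched in place where an update is available.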
