
Are any of the server versions of Atlassian software affected by CVE-2021-44228? (log4j security)


We are looking to see if our servers running Atlassian software (JIRA, Confluence, Bitbucket) are affected by CVE-2021-44228

(Security issue with log4j)

When we do a search in the server app directories, some log4j files show up as vulnerable!

Is the server software vulnerable, and if so, are there patches available to remedy these vulnerabilities?


/apps/atlassian/bitbucket/elasticsearch/lib/log4j-core-2.11.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
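Added example, not Atlassian's tooling or code from this thread: a defensive scan of an application directory tree like the one above. A version-only check such as the scanner output quoted in the post cannot tell an unpatched log4j-core 2.11.1 from one that had JndiLookup.class removed (Apache's documented mitigation when upgrading is not possible), so this scan reports both the version, read from the jar manifest with the file name as fallback, and whether that class is still present; `demo()` builds constructed sample jars in a temporary directory, and the version cut-offs are the published ones for CVE-2021-44228 (fixed in 2.15.0, with 2.12.2 and 2.3.1 backports).

```python
import os, re, tempfile, zipfile

# The class that performs the JNDI lookup; removing it from the jar is the documented mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.11.1' -> (2, 11, 1); a missing patch number counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def inspect_jar(path):
    """Return (version tuple, JndiLookup.class present) for a log4j-core jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        # Prefer the manifest's version; fall back to the version in the file name.
        manifest = jar.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
        m = re.search(rb"^Implementation-Version:\s*(\S+)", manifest, re.M)
        version = parse_version(m[1].decode() if m else os.path.basename(path))
        return version, JNDI_CLASS in names

def classify(version, has_jndi_lookup):
    """2.0 to 2.14.1 with JndiLookup present is vulnerable; 2.15.0+, 2.12.2 and 2.3.1 are fixed."""
    if version is None:
        return "unknown"
    if version >= (2, 15, 0) or version in ((2, 12, 2), (2, 3, 1)):
        return "fixed"
    return "vulnerable" if has_jndi_lookup else "mitigated"

def scan(root):
    """Return {jar path: status} for every log4j-core-*.jar under root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                results[path] = classify(*inspect_jar(path))
    return results

def demo():
    """Build constructed sample jars (not real log4j builds) in a temp dir and scan them."""
    root = tempfile.mkdtemp()
    samples = {"log4j-core-2.11.1.jar": ("2.11.1", True),  # the jar named in the post
               "log4j-core-2.11.1-patched.jar": ("2.11.1", False),
               "log4j-core-2.17.0.jar": ("2.17.0", True)}
    for name, (version, with_jndi) in samples.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"")
    return {os.path.basename(p): s for p, s in scan(root).items()}
```

Point `scan()` at a real application root (for example the Bitbucket install directory) to get a per-jar status; a "mitigated" result still warrants scheduling the vendor upgrade.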

2 answers

0 votes
Daniel Eads Atlassian Team Dec 15, 2021

Hi all,

Daniel from Atlassian Support - I'd like to let you know that we have updated the advisory to include more information about Bitbucket Server, Bitbucket Data Center, and the bundled elasticsearch product. Please refer to the advisory for the most current guidance:


Thanks,
Daniel Eads | Atlassian Support

@Yves Belanger - Here is Atlassian's response: https://community.atlassian.com/t5/Trust-Security-articles/Atlassian-s-Response-to-Log4j-CVE-2021-44228/ba-p/1886598#M134

They also have this FAQ I would suggest reading. "Our Security team investigated the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and have determined that no Atlassian on-premises products are vulnerable to CVE-2021-44228." They did identify a different issue that should still be fixed. https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html


I had found:

https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html

Which in short says "No Atlassian on-premises products are vulnerable to CVE-2021-44228"

but it contradicts what we see in the app directory for bitbucket.

/apps/atlassian/bitbucket/elasticsearch/lib/log4j-core-2.11.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(

It does look like JIRA and Confluence are not affected.

Brant Schroeder Community Leader Dec 14, 2021

@Yves Belanger It is interesting that in all of the posts Bitbucket was not listed. Doing some further investigation, it looks like Elasticsearch is the issue. You would need to patch that, which might require a Bitbucket update. https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

DEPLOYMENT TYPE
SERVER