We are looking to see if our servers running Atlassian software (JIRA, Confluence, BitBucket) are affected by CVE-2021-44228 (security issue with log4j).
When we do a search in the server app directories, some log4j files show up as vulnerable!
Is the server software vulnerable, and if so, are there patches available to remedy these vulnerabilities?
/apps/atlassian/bitbucket/elasticsearch/lib/log4j-core-2.11.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
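One way to do the directory check the question describes, as an added example that is not Atlassian's or the questioner's own code: it walks a tree, reads each log4j-core jar's embedded Maven version (falling back to the filename) and whether JndiLookup.class is still present, and classifies the jar against the CVE-2021-44228 fix version. The sample jars are constructed in a temporary directory so the script runs offline; the version parser assumes plain x.y.z release strings.

```python
import os
import re
import tempfile
import zipfile

# CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.15.0 is the first release with the fix.
FIRST_FIXED = (2, 15, 0)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    # Assumption: plain x.y.z (or x.y) release strings; pre-release suffixes are ignored.
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None
def inspect_jar(path):
    """Version from the embedded Maven pom.properties (filename as fallback), plus JndiLookup.class presence."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        return version or parse_version(os.path.basename(path)), JNDI_LOOKUP in names
def classify(version, has_jndi_lookup):
    if not has_jndi_lookup:
        return "mitigated"  # JndiLookup.class was removed from the jar
    if version is None:
        return "unknown"
    return "vulnerable" if version < FIRST_FIXED else "fixed"
def scan(root):
    """Walk root and classify every log4j-core jar found beneath it."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                findings[path] = classify(*inspect_jar(path))
    return findings
def make_sample_jar(directory, version, include_jndi=True):
    path = os.path.join(directory, f"log4j-core-{version}.jar")  # constructed stand-in, demo only
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"")
    return path
def demo():
    with tempfile.TemporaryDirectory() as root:
        make_sample_jar(root, "2.11.1")                      # same version as in the question
        make_sample_jar(root, "2.15.0")
        make_sample_jar(root, "2.14.1", include_jndi=False)  # class stripped: mitigated
        return {os.path.basename(p): v for p, v in scan(root).items()}
```

Point `scan()` at a real install root such as /apps/atlassian to list every log4j-core jar with its classification.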
Hi all,
Daniel from Atlassian Support - I'd like to let you know that we have updated the advisory to include more information about Bitbucket Server, Bitbucket Data Center, and the bundled elasticsearch product. Please refer to the advisory for the most current guidance:
Thanks,
Daniel Eads | Atlassian Support
@Yves Belanger - Here is Atlassian's response https://community.atlassian.com/t5/Trust-Security-articles/Atlassian-s-Response-to-Log4j-CVE-2021-44228/ba-p/1886598#M134
They also have this FAQ I would suggest reading. "Our Security team investigated the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and have determined that no Atlassian on-premises products are vulnerable to CVE-2021-44228." They did identify a different issue that should still be fixed. https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html
I had found:
Which in short says "No Atlassian on-premises products are vulnerable to CVE-2021-44228", but it contradicts what we see in the app directory for bitbucket.
/apps/atlassian/bitbucket/elasticsearch/lib/log4j-core-2.11.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
It does look like JIRA and Confluence are not affected.
@Yves Belanger It is interesting that in all of the posts BitBucket was not listed. Doing some further investigation, it looks like elasticsearch is the issue. You would need to patch that, which might require a bitbucket update. https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476