Bug | Resolution: Fixed | Low | 6.10.0 | None | Severity 3 - Minor
If you have questions about Apache Log4j 2 CVE-2021-44228, please raise a support case via https://getsupport.atlassian.com
Bitbucket Server and Data Center use Logback for logging, not Log4j 2, and are therefore not vulnerable to CVE-2021-44228 (the JNDI lookup flaw in log4j-core). There are, however, two changes that should be made so that the vulnerable artifact is no longer present on disk and no concern remains:
Remove log4j-core
Bitbucket versions 7.12 to 7.19 ship the log4j-core jar. Bitbucket never loads or uses this component, but it is the vulnerable artifact, so its presence on disk will be flagged by vulnerability scanners and may cause concern. The jar was pulled in inadvertently when a third-party dependency was upgraded: that dependency declares log4j-core as a dependency even though it does not actually need it at runtime either.
Update log4j-api
Bitbucket does use log4j-api so that plugins can log through Log4j-style APIs; the resulting log events are routed into Bitbucket's own logging stack, SLF4J and Logback. log4j-api does not contain the vulnerable code (the JNDI lookup lives in log4j-core), but because it shares its version numbering with log4j-core, an old log4j-api version on disk is easily mistaken for a vulnerable one, so it would be prudent to update it to a fixed version.
IMPORTANT NOTE: Bitbucket also bundles Elasticsearch, which ships its own copy of the log4j libraries and, unlike Bitbucket, does depend on them at runtime. The changes above apply only to the Bitbucket application itself; for the bundled Elasticsearch, see https://jira.atlassian.com/browse/BSERV-13088
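As an added example (not from the Atlassian issue and not part of Bitbucket itself), the following POSIX shell script scans a Bitbucket installation directory for log4j-core and log4j-api jars and reports which of the two actions above applies to each one. It assumes the jars follow the log4j-<module>-<version>.jar naming, that anything under an elasticsearch/ directory belongs to the bundled Elasticsearch covered by BSERV-13088 rather than by this issue, and that the target log4j-api version is 2.17.1; the FIXED_API_VERSION value is a placeholder to adjust to whatever fixed version you deploy.

```shell
#!/bin/sh
# Added example, not part of the Atlassian issue: report what this issue asks
# for on each log4j jar found under a Bitbucket install directory.
# Assumptions (hypothetical, adjust for your deployment):
#   - jars are named log4j-<module>-<version>.jar
#   - anything under an elasticsearch/ directory is the bundled Elasticsearch,
#     which is covered by BSERV-13088 rather than by this issue
#   - FIXED_API_VERSION is the log4j-api version you consider fixed
FIXED_API_VERSION="2.17.1"

# version_lt A B: succeeds if dotted version A is older than B
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# jar_version FILE: print the <version> part of log4j-<module>-<version>.jar
jar_version() {
    basename "$1" .jar | sed 's/^log4j-[a-z0-9]*-//'
}

# scan_log4j DIR: print one line per jar found, prefixed with the action:
#   REMOVE  log4j-core jar in the Bitbucket application (unused, vulnerable)
#   UPDATE  log4j-api jar older than FIXED_API_VERSION
#   OK      log4j-api jar at or above FIXED_API_VERSION
#   ES      log4j jar belonging to the bundled Elasticsearch (see BSERV-13088)
# Returns 1 if any REMOVE or UPDATE action is pending, 0 otherwise.
scan_log4j() {
    dir=$1
    rc=0
    list=$(mktemp)
    # Collect first, then read in the current shell so rc survives the loop.
    find "$dir" -type f \( -name 'log4j-core-*.jar' -o -name 'log4j-api-*.jar' \) | sort > "$list"
    while IFS= read -r jar; do
        case "$jar" in
            */elasticsearch/*)
                echo "ES      $jar"
                continue ;;
        esac
        case "$(basename "$jar")" in
            log4j-core-*)
                echo "REMOVE  $jar"
                rc=1 ;;
            log4j-api-*)
                v=$(jar_version "$jar")
                if version_lt "$v" "$FIXED_API_VERSION"; then
                    echo "UPDATE  $jar (is $v, want >= $FIXED_API_VERSION)"
                    rc=1
                else
                    echo "OK      $jar"
                fi ;;
        esac
    done < "$list"
    rm -f "$list"
    return $rc
}

# Usage: sh check-log4j.sh /path/to/bitbucket-install   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    scan_log4j "$1"
fi
```

Run it against the install directory (for example the directory that contains app/WEB-INF/lib), not against the Bitbucket home directory; a non-zero exit status means at least one jar still needs to be removed or updated, which makes the script usable as a post-upgrade check in automation.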