Bitbucket Data Center, issue BSERV-13087

Remove unused log4j-core and update log4j-api to 2.16.0


      Questions about Apache Log4j 2 CVE-2021-44228

      If you have questions about Apache Log4j 2 CVE-2021-44228 please raise a support case via https://getsupport.atlassian.com

      Bitbucket Server and Data Center use Logback for logging, not log4j, and are therefore not vulnerable to the problem described by CVE-2021-44228. There are, however, some changes that should be made to eliminate any concern:

      Remove log4j-core

      Bitbucket versions 7.12 to 7.19 include the log4j-core jar. This component is unused; however, it is the vulnerable software, and its presence may therefore cause concern. The jar was inadvertently added during an upgrade of a dependency that lists log4j-core as its own dependency (log4j-core is not actually a runtime dependency of that library either).

      Update log4j-api

      Bitbucket does use log4j-api to permit plugins to log via log4j-style APIs, with the log events then handled by Bitbucket's logging framework (slf4j and Logback). The log4j-api library is not a vulnerable component, but its relation to log4j-core may cause concern, so it would be prudent to update it to a fixed version.

      IMPORTANT NOTE: Bitbucket also bundles Elasticsearch, which includes its own copy of the log4j dependencies and actually depends on them. The changes above apply only to the Bitbucket application itself; for Elasticsearch please see https://jira.atlassian.com/browse/BSERV-13088
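An added example (not Atlassian's own code) that audits an installation directory for the two changes above while leaving the bundled Elasticsearch copy alone, as the note requires. The `app/WEB-INF/lib` and `elasticsearch/` locations, the version-in-filename convention and the constructed sample tree are assumptions:

```shell
#!/bin/sh
# Added example, not Atlassian's code: audit a Bitbucket install directory for the jars
# this issue discusses. Assumed layout: app jars under app/WEB-INF/lib, bundled
# Elasticsearch under elasticsearch/ (its own log4j copy is out of scope here).
MIN_API_VERSION=2.16.0   # fixed log4j-api version this issue updates to

# Version from a jar filename, e.g. log4j-api-2.14.1.jar -> 2.14.1
jar_version() {
    basename "$1" .jar | sed -e 's/^log4j-[a-z]*-//'
}

# Numeric MAJOR.MINOR.PATCH compare; returns 0 when $1 >= $2
version_ge() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return $?; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return $?; fi
    [ "$a3" -ge "$b3" ]
}

# One line per jar: REMOVE (unused log4j-core), UPDATE (log4j-api too old) or OK.
# The Elasticsearch tree is pruned because Elasticsearch really depends on its copy.
log4j_findings() {
    find "$1" -path '*/elasticsearch' -prune -o -type f \
        \( -name 'log4j-core-*.jar' -o -name 'log4j-api-*.jar' \) -print | sort |
    while IFS= read -r jar; do
        v=$(jar_version "$jar")
        case "$(basename "$jar")" in
            log4j-core-*) printf 'REMOVE %s (%s)\n' "$jar" "$v" ;;
            *) version_ge "$v" "$MIN_API_VERSION" && printf 'OK %s (%s)\n' "$jar" "$v" ||
               printf 'UPDATE %s (%s -> %s)\n' "$jar" "$v" "$MIN_API_VERSION" ;;
        esac
    done
}

# Exit status 0 only when no application jar needs action
audit_log4j() {
    ! log4j_findings "$1" | grep -Eq '^(REMOVE|UPDATE) '
}

# Constructed sample tree (empty placeholder jars) so the audit can run offline
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app/WEB-INF/lib" "$d/elasticsearch/lib"
    : > "$d/app/WEB-INF/lib/log4j-core-2.14.1.jar"     # unused jar, to be removed
    : > "$d/app/WEB-INF/lib/log4j-api-2.14.1.jar"      # should become 2.16.0
    : > "$d/elasticsearch/lib/log4j-core-2.11.1.jar"   # Elasticsearch's own, skipped
    printf '%s\n' "$d"
}
```

Run `log4j_findings <install-dir>` against a real installation to list what needs removing or updating; `audit_log4j <install-dir>` returns non-zero until both changes have been made.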

      Assignee: Unassigned
      Ben Humphreys (behumphreys)