Details
-
Bug
-
Resolution: Fixed
-
Low
-
6.10.0
-
None
-
Severity 3 - Minor
-
Description
If you have questions about Apache Log4j 2 CVE-2021-44228 please raise a support case via https://getsupport.atlassian.com
Bitbucket Server and Data Center use Logback for logging, not log4j and thus are not vulnerable to the problem described by CVE-2021-44228. There are however some changes that should be made to eliminate any concern:
Remove log4j-core
Bitbucket versions 7.12 to 7.19 include the log4j-core jar. This component is unused, however it is the vulnerable software and thus its presence may cause concern. This jar file was inadvertently added during an upgrade of a dependency which it itself lists it as a dependency (it is not actually a runtime dependency of this library either).
Update log4j-api
Bitbucket does use the log4j-api to permit plugins to log via log4j style APIs, with the log events then being handled by Bitbucket's logging framework, slf4j and Logback. The log4j-api library is not a vulnerable component, however its relation to log4j-core may cause concern so it would be prudent to update it to a fixed version.
IMPORTANT NOTE: Bitbucket also bundles Elasticsearch which also includes a copy of the log4j dependencies, and it actually depends on them. The above mentioned changes only apply to the Bitbucket application itself, for Elasticsearch please see https://jira.atlassian.com/browse/BSERV-13088