Uploaded image for project: 'Bitbucket Server'
  1. Bitbucket Server
  2. BSERV-13088

Set -Dlog4j2.formatMsgNoLookups=true on bundled Elasticsearch

    XMLWordPrintable

Details

    Description

      Questions about Apache Log4j 2 CVE-2021-44228

      If you have questions about Apache Log4j 2 CVE-2021-44228 please raise a support case via https://getsupport.atlassian.com
      For more information about CVE-2021-44228 see the security advisory Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

      IMPORTANT NOTES
      • This patch is only effective for the Linux and MacOS operating system. If you are hosting Bitbucket on Windows the below described mitigation (i.e. jvm.options updates) should be applied manually and the Elasticsearch service should be restarted.
      • This patch only effects the bundled Elasticsearch. If you are running a separate Elasticsearch instance (for example because Bitbucket is running in a multi-node cluster), you should consult Elastic security advisory ESA-2021-31 to determine if any action is required to mitigate CVE-2021-44228

      Bitbucket Server and Data Center include a bundled Elasticsearch, this may or not be used depending on how Bitbucket is configured. Specifically:

      • By default Bitbucket will start the bundled Elasticsearch
      • If Bitbucket is started with the --no-search parameter then the bundled Elasticsearch is not started. This is common for Bitbucket clusters, where an external Elasticsearch must be used, one that is used by all nodes of the cluster.

      The vendor has made the following announcement regarding CVE-2021-44228: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

      Elasticsearch 6 and 7 are not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager. Elasticsearch running on JDK8 or below is susceptible to an information leak via DNS which is fixable by the JVM option identified below.

      More details are supplied in that document in the section "Details on Elasticsearch information leakage".

      The mitigation for the above mentioned information leak involves passing -Dlog4j2.formatMsgNoLookups=true to the JVM that runs Elasticsearch. This should be applied to the startup scripts Bitbucket ships.

      If you are unable to install an updated version of Bitbucket Server, make the following change to the Elasticsearch JVM options file then restart Bitbucket Server:

      Add the following line to the bottom of the file $BITBUCKET_HOME/shared/search/jvm.options

      -Dlog4j2.formatMsgNoLookups=true
      

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              behumphreys Ben Humphreys
              Votes:
              0 Vote for this issue
              Watchers:
              21 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: