- Type: Bug
- Resolution: Fixed
- Priority: Low
- Affects Version/s: 6.10.0
- Component/s: Architecture
- Severity 3 - Minor
Issue Summary
In the wake of Log4Shell, CVE-2021-42550 was assigned to Logback for a related concern: JNDI lookups that can be triggered from Logback's own configuration file. In response, the Logback maintainers disabled or removed the affected functionality and released Logback 1.2.9.
Please note: there is no remotely triggerable RCE in Logback, and neither Bitbucket Server nor Logback's default configuration is vulnerable. There is no mechanism by which a malicious client can reach the affected code path. Exercising CVE-2021-42550 requires write access to Bitbucket Server's Logback configuration, i.e. an attacker who can already modify files that the Bitbucket Server process reads.
Workaround
Manually audit the Logback configuration used by Bitbucket Server for JNDI-related elements (for example, <insertFromJNDI>) and ensure the file is writable only by the account that runs Bitbucket Server.
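The following script is an added example of how the two halves of the workaround above could be checked from a shell; it is not Atlassian's or Logback's code. The element and class names it greps for (insertFromJNDI, ContextJNDISelector, the JMS appenders) are Logback's own names for its JNDI-dependent features; the two sample configurations it writes are constructed for the demonstration and are not taken from a Bitbucket Server installation, and the location of your real logback configuration is not assumed here.

```shell
#!/bin/sh
# Added example for this issue, not Atlassian's or Logback's code. It checks a
# Logback XML configuration for the JNDI-related elements that CVE-2021-42550
# concerns and verifies the file is writable only by its owner. The element and
# class names below come from Logback 1.2.x; the sample configurations in demo()
# are constructed for this demonstration.

# JNDI-related configuration in Logback 1.2.x before the 1.2.8/1.2.9 hardening:
#   <insertFromJNDI>                      looks a value up via JNDI
#   ContextJNDISelector                   selects a logger context via JNDI
#   JMSQueueAppender / JMSTopicAppender   look up JMS resources via JNDI
#   ldap:// or ldaps://                   an LDAP URL in a log config deserves a look
JNDI_PATTERN='insertFromJNDI|ContextJNDISelector|JMS(Queue|Topic)Appender|ldaps?://'

# Prints each matching line with its line number.
# Returns 0 if nothing matched, 1 if the file needs a human review.
audit_logback_config() {
    if grep -nE "$JNDI_PATTERN" "$1"; then
        echo "REVIEW: JNDI-related configuration found in $1" >&2
        return 1
    fi
    echo "OK: no JNDI-related configuration in $1"
    return 0
}

# Returns 0 if neither the group nor the "other" permission bits include write,
# 1 otherwise. stat -c is the GNU coreutils form, stat -f the BSD/macOS form.
config_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    # Keep only the last two octal digits (group, other); 2, 3, 6 and 7 carry
    # the write bit.
    case "${mode#"${mode%??}"}" in
        [2367]?|?[2367])
            echo "REVIEW: $1 is writable by group or others (mode $mode)" >&2
            return 1 ;;
    esac
    echo "OK: $1 (mode $mode) is writable only by its owner"
    return 0
}

# Demonstration on two constructed configurations: one plain file appender with
# owner-only permissions, one using <insertFromJNDI> and left group-writable.
demo() {
    dir=$(mktemp -d)
    cat >"$dir/clean-logback.xml" <<'EOF'
<configuration>
  <appender name="FILE" class="ch.qos.logback.core.FileAppender">
    <file>atlassian-bitbucket.log</file>
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="FILE"/></root>
</configuration>
EOF
    cat >"$dir/suspect-logback.xml" <<'EOF'
<configuration>
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <root level="INFO"/>
</configuration>
EOF
    chmod 600 "$dir/clean-logback.xml"
    chmod 664 "$dir/suspect-logback.xml"
    for f in "$dir"/*.xml; do
        audit_logback_config "$f" || true
        config_perms_ok "$f" || true
    done
    rm -rf "$dir"
}

demo
```

Run it against the real configuration with `audit_logback_config /path/to/logback.xml && config_perms_ok /path/to/logback.xml`; a non-zero exit from either function means the file needs review, not that it is necessarily exploitable, since a legitimate `<insertFromJNDI>` lookup against `java:comp/env` is also reported.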