Bitbucket Server / BSERV-13093

Upgrade Logback for CVE-2021-42550


Details

    Description

      Issue Summary

      In the wake of Log4Shell (CVE-2021-44228), CVE-2021-42550 was assigned to a similar JNDI lookup concern in Logback. In response, the Logback maintainers removed some functionality from Logback and released Logback 1.2.9, which is the version Bitbucket Server should be upgraded to.

      Please note: there is no remote code execution path in Logback that a client can reach, and neither Bitbucket Server's nor Logback's default configuration is vulnerable. There is no mechanism by which a malicious client can attack the system over the network. Exercising CVE-2021-42550 requires write access to Bitbucket Server's Logback configuration file, so an attacker who can already modify that file has host-level access to the server.

      Workaround

      Until the upgrade is applied, manually audit the Logback configuration that Bitbucket Server loads: confirm it contains no JNDI lookups, and ensure that only the owner (the account Bitbucket Server runs as, or the administrator who manages it) can write to the file and its containing directory.
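      The following script is an added example of that audit; it is not code from Atlassian or the Logback project. It checks one Logback XML file for the two things the workaround asks for: that group and others cannot write the file or its directory (an attacker who can replace the file is as dangerous as one who can edit it), and that the file contains no `<insertFromJNDI>` element or `ldap://` / `rmi://` reference, which is the kind of content CVE-2021-42550 abuses. The path you pass is an assumption on your part: use the configuration file your Bitbucket Server instance actually loads.

```shell
#!/bin/sh
# Added example (not Atlassian's or Logback's code): audit a Logback XML
# configuration for writable permissions and JNDI lookups.
#
# Exit status of audit_logback_config:
#   0  file looks safe
#   1  at least one finding was printed
#   2  file does not exist
audit_logback_config() {
    cfg="$1"
    status=0

    if [ ! -f "$cfg" ]; then
        echo "MISSING: $cfg"
        return 2
    fi

    # Portable permission check: in the ls -l mode string, character 6 is the
    # group write bit and character 9 is the other write bit.
    mode=$(ls -ld "$cfg" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?)
            echo "WRITABLE: $cfg has mode $mode (group or other can write)"
            status=1 ;;
    esac

    # The directory matters too: write access there allows the file to be
    # renamed away and replaced, even if the file itself is read-only.
    dir=$(dirname "$cfg")
    dmode=$(ls -ld "$dir" | cut -c1-10)
    case "$dmode" in
        ?????w????|????????w?)
            echo "WRITABLE: directory $dir has mode $dmode (file can be replaced)"
            status=1 ;;
    esac

    # <insertFromJNDI> is Logback's JNDI lookup element. A stock Bitbucket
    # Server logging configuration has no reason to contain one.
    if grep -qi 'insertFromJNDI' "$cfg"; then
        echo "JNDI: $cfg contains an <insertFromJNDI> element"
        status=1
    fi

    # Remote LDAP/RMI references anywhere in the file are the classic
    # remote-class-loading vector and deserve a look regardless of element.
    if grep -qiE '(ldaps?|rmi)://' "$cfg"; then
        echo "REMOTE-REF: $cfg references an ldap:// or rmi:// URL"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $cfg"
    fi
    return "$status"
}

# Usage (path is an assumption; substitute the file your instance loads):
#   audit_logback_config /var/atlassian/application-data/bitbucket/shared/logback.xml
```

      A non-zero exit status means something needs attention, which makes the function easy to wire into a cron job or configuration-management check; a finding does not by itself mean the instance has been attacked, only that the precondition the advisory describes (an untrusted party being able to influence the Logback configuration) has not been ruled out.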


            People

              Assignee: Unassigned
              Reporter: Bryan Turner (Inactive)
