Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.20.0, 6.10.17, 7.6.13, 7.19.2, 7.17.5
Affects Version/s: 6.10.0
Component/s: Architecture
Labels:

Fixed in Long Term Support Release/s:

Download 6.10
Support reference count:
1
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

In the wake of Log4Shell, CVE-2021-42550 has been created for similar JNDI considerations in Logback. The Logback maintainers have removed some functionality from Logback in response and released Logback 1.2.9.

Please note: There is no RCE in Logback, and there is no vulnerability in Bitbucket Server or Logback's default configurations. There is also no mechanism whereby a malicious client can attack the system. Exercising CVE-2021-42550 requires write access to Bitbucket Server's Logback configuration.

Workaround

Manually audit logging configuration and ensure proper permissions.

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(5 mentioned in)

Activity

People

Assignee:: Unassigned

Reporter:: Bryan Turner (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 17/Dec/2021 7:03 PM

Updated:: 16/Aug/2022 7:33 PM

Resolved:: 22/Dec/2021 5:48 AM