atlassian-password-cli tool doesn't use Atlassian's fork of log4j 1.2.17


    • Severity 3 - Minor

      Issue

      Starting with Bitbucket DC 7.8, a standalone tool, atlassian-password-cli.jar, is bundled with the installation to help sysadmins encrypt their instance's database password in bitbucket.properties. This tool includes the original, unforked version of log4j 1.2.17.

      Workaround

      Since the tool isn't necessary for Bitbucket DC to work correctly, it can be safely removed with no adverse effects. It's worth noting that the tool may be required to decrypt and/or re-generate the password in certain cases (when using Advanced Encryption, for example).

      Details

      While log4j 1.2.17 poses a low threat by itself, using the Atlassian-managed fork of log4j further narrows the attack surface, since that code is maintained only by trusted parties.
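      As an added check for sysadmins (not part of this issue or of Atlassian's tooling), the following Python script reports which log4j version a jar embeds, so a bundled tool jar such as atlassian-password-cli.jar can be inspected before deciding to remove it. It assumes that log4j's Maven pom.properties survives inside the tool jar and that the Atlassian fork carries a version string other than the plain "1.2.17"; both are assumptions, and the sample jars are constructed in-memory.

```python
"""Report the log4j 1.x version embedded in a jar and flag upstream 1.2.17."""
import io
import re
import sys
import zipfile
from typing import Optional

# Maven metadata that log4j 1.2.x ships in its jar (assumed to survive
# repackaging into a standalone tool jar) and a class that proves log4j is present.
LOG4J_POM = "META-INF/maven/log4j/log4j/pom.properties"
LOG4J_MARKER_CLASS = "org/apache/log4j/Logger.class"


def log4j_version(jar_bytes: bytes) -> Optional[str]:
    """Return the embedded log4j version, "unknown" if log4j classes exist
    without Maven metadata, or None if log4j is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if LOG4J_POM in names:
            props = zf.read(LOG4J_POM).decode("utf-8", errors="replace")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if match:
                return match.group(1).strip()
        if LOG4J_MARKER_CLASS in names:
            return "unknown"
    return None


def is_unforked_1_2_17(version: Optional[str]) -> bool:
    """True only for the upstream release string; the fork is assumed to differ."""
    return version == "1.2.17"


def build_sample_jar(version: Optional[str], include_pom: bool = True) -> bytes:
    """Constructed sample jar: log4j marker class plus optional pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(LOG4J_MARKER_CLASS, b"")
            if include_pom:
                zf.writestr(LOG4J_POM, f"groupId=log4j\nartifactId=log4j\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":  # usage: python check_log4j.py /path/to/atlassian-password-cli.jar
    with open(sys.argv[1], "rb") as fh:
        found = log4j_version(fh.read())
    print(f"log4j version: {found}; unforked 1.2.17: {is_unforked_1_2_17(found)}")
```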

            Assignee:
            Chandravadan
            Reporter:
            Chandravadan
            Votes:
            0
            Watchers:
            3
