Bitbucket Server: BSERV-13108

atlassian-password-cli tool doesn't use Atlassian's fork of log4j 1.2.17


Details

    Description

      Issue

      Starting with Bitbucket DC 7.8, a standalone tool, atlassian-password-cli.jar, is bundled with the installation to help sysadmins encrypt their instance's database password in bitbucket.properties. This tool includes the original, unforked version of log4j 1.2.17.

      Workaround

      Since the tool isn't necessary for Bitbucket DC to work correctly, it can be safely removed with no adverse effects. It's worth noting that the tool may be required to decrypt and/or re-generate the password in certain cases (when using Advanced Encryption, for example).

      Details

      While log4j 1.2.17 poses a low threat by itself, using the Atlassian-managed version of log4j further narrows the attack surface, since that build is maintained only by trusted parties.
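      As an added example (not from this issue or from Atlassian's tooling), a small check a sysadmin can run against the bundled jar to see which log4j it embeds before deciding to remove it. It assumes that a bundled log4j carries the standard Maven descriptor at META-INF/maven/log4j/log4j/pom.properties and that Atlassian's fork tags its version string with "atlassian"; both are assumptions, not facts stated in the issue.

```python
"""Report the log4j 1.x build found inside a jar, descending into nested jars.
Added example; the pom.properties path and the 'atlassian' version tag are assumptions."""
import io
import re
import sys
import zipfile

# Maven descriptor that a bundled log4j normally carries (assumed location).
POM_PATH = "META-INF/maven/log4j/log4j/pom.properties"


def log4j_versions(jar_bytes, prefix=""):
    """Return {entry_path: version} for every log4j pom.properties found,
    descending into nested *.jar entries (uber jars, lib/ directories)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == POM_PATH:
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", text, re.M)
                found[prefix + name] = m.group(1).strip() if m else "unknown"
            elif name.lower().endswith(".jar"):
                found.update(log4j_versions(zf.read(name), prefix + name + "!/"))
    return found


def classify(version):
    """'unforked' for plain 1.2.17, 'forked' for a build tagged 'atlassian'
    (assumed naming), 'other' for anything else (older 1.x, unknown string)."""
    if version == "1.2.17":
        return "unforked"
    if "atlassian" in version.lower():
        return "forked"
    return "other"


def build_sample_jar(version, nest=False):
    """Construct an in-memory jar (sample data, not a real Bitbucket artifact)
    carrying a log4j pom.properties, optionally wrapped inside lib/inner.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"groupId=log4j\nartifactId=log4j\nversion={version}\n")
    if not nest:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("lib/inner.jar", buf.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for jar in sys.argv[1:]:  # e.g. atlassian-password-cli.jar from the install dir
        with open(jar, "rb") as fh:
            for entry, ver in log4j_versions(fh.read()).items():
                print(f"{jar}: {entry}: log4j {ver} ({classify(ver)})")
```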

People: csubraveti Chandravadan