Description
Issue
Starting with Bitbucket Data Center (DC) 7.8, a standalone tool, atlassian-password-cli.jar, is bundled with the installation to help system administrators encrypt the database password stored in bitbucket.properties. This tool embeds the original, unforked log4j 1.2.17 rather than the Atlassian-managed version of log4j used elsewhere in the product.
Workaround
Since the tool is not required for Bitbucket DC to run, it can be removed from the installation with no adverse effect on the running instance. Note, however, that the tool may still be needed later to decrypt or re-generate the encrypted password in some configurations (when Advanced Encryption is in use, for example), so make sure you can restore it before deleting it.
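The following script, added here as an illustration and not part of the original issue or of Atlassian's own tooling, shows the two checks an administrator would want before acting on this workaround: locate any jar under the installation that carries the unforked org.apache.log4j 1.x class tree (reading the bundled version from the Maven pom.properties), and inspect bitbucket.properties to decide whether the password CLI can be removed outright or should be kept available. The sample jar and properties files are constructed inline; the property key `jdbc.password.decrypter.classname` is assumed to be the one Bitbucket DC uses to enable password decryption, so verify it against your own install.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Tuple

# Name of the bundled tool named in the issue text.
AFFECTED_JAR_NAME = "atlassian-password-cli.jar"

# Standard Maven layout inside a jar; the unforked log4j 1.2.x ships under
# groupId "log4j" / artifactId "log4j", so this file states the exact version.
LOG4J1_POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"
LOG4J1_CLASS_PREFIX = "org/apache/log4j/"

# ASSUMPTION: bitbucket.properties key that turns on database-password
# decryption. Check the key name against your own bitbucket.properties.
DECRYPTER_KEY = "jdbc.password.decrypter.classname"

# Constructed sample configuration files (not taken from a real instance).
SAMPLE_PROPS_PLAIN = "jdbc.url=jdbc:postgresql://db/bitbucket\njdbc.password=plain-secret\n"
SAMPLE_PROPS_ENCRYPTED = (
    "jdbc.url=jdbc:postgresql://db/bitbucket\n"
    "jdbc.password.decrypter.classname=com.example.AdvancedCipher\n"
    "jdbc.password={ENC}AAAA\n"
)


def scan_jar_for_log4j1(jar_bytes: bytes) -> Dict[str, object]:
    """Report whether a jar carries org.apache.log4j classes and which version."""
    result: Dict[str, object] = {"has_log4j1_classes": False, "version": None, "class_count": 0}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        classes = [n for n in names if n.startswith(LOG4J1_CLASS_PREFIX) and n.endswith(".class")]
        result["class_count"] = len(classes)
        result["has_log4j1_classes"] = bool(classes)
        if LOG4J1_POM_PROPERTIES in names:
            for line in jar.read(LOG4J1_POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    result["version"] = value.strip()
    return result


def find_affected_jars(install_dir: Path) -> List[Dict[str, object]]:
    """Walk an installation directory and list every jar bundling log4j 1.x."""
    findings = []
    for jar_path in sorted(install_dir.rglob("*.jar")):
        info = scan_jar_for_log4j1(jar_path.read_bytes())
        if info["has_log4j1_classes"]:
            info["path"] = str(jar_path)
            info["is_password_cli"] = jar_path.name == AFFECTED_JAR_NAME
            findings.append(info)
    return findings


def removal_advice(properties_text: str) -> Tuple[bool, str]:
    """Return (safe_to_delete, reason) for the password CLI on this instance.

    The CLI is never needed at runtime, but if a decrypter is configured the
    encrypted password may have to be decrypted or re-generated with it later.
    """
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == DECRYPTER_KEY and value.strip():
            return False, f"{DECRYPTER_KEY} is set ({value.strip()}); keep the CLI available"
    return True, "no password decrypter configured; the CLI is unused"


def build_sample_jar() -> bytes:
    """Constructed stand-in for the bundled tool (not the real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/log4j/net/SocketServer.class", b"\xca\xfe\xba\xbe")
        jar.writestr(LOG4J1_POM_PROPERTIES, "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n")
    return buf.getvalue()


def build_clean_jar() -> bytes:
    """Constructed jar with no log4j content, to show the scan has no false positive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo() -> Dict[str, object]:
    """Build a throwaway install tree, scan it, and evaluate both sample configs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / AFFECTED_JAR_NAME).write_bytes(build_sample_jar())
        (root / "lib").mkdir()
        (root / "lib" / "unrelated.jar").write_bytes(build_clean_jar())
        findings = find_affected_jars(root)
    return {
        "findings": findings,
        "plain": removal_advice(SAMPLE_PROPS_PLAIN),
        "encrypted": removal_advice(SAMPLE_PROPS_ENCRYPTED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point `find_affected_jars` at the real installation directory rather than the constructed tree to check a live instance; a hit whose `is_password_cli` flag is false would indicate a second copy of the unforked log4j and deserves its own look.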
Details
On its own, the embedded log4j 1.2.17 poses a low risk here: the tool is run locally by an administrator, not on any network-facing path, so only already-trusted parties can reach it. Even so, moving the tool onto the Atlassian-managed version of log4j removes an end-of-life dependency and narrows the attack surface further.
Issue Links
- causes PS-90187