Hi
Our Bamboo seems to use:
[root@org-bamb1-prod1 ~]# find / -type f -name "*log4j*.jar"
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/log4j-api-2.9.0.jar
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/log4j-to-slf4j-2.9.0.jar
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib/slf4j-log4j12-1.7.31.jar
/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17.jar
/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/log4j-api-2.9.0.jar
/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/log4j-to-slf4j-2.9.0.jar
/opt/atlassian/bamboo-7.2.1/atlassian-bamboo/WEB-INF/lib/slf4j-log4j12-1.7.25.jar
Based on ref: https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html
I'm unable to find anything for org.apache.log4j.net.JMSAppender in log4j.properties in Bamboo.
Could you please advise whether my device is affected or not?
Hi all,
Daniel from Atlassian Support - I'd like to let you know that we have updated the advisory to include more information about Bitbucket Server, Bitbucket Data Center, and the bundled elasticsearch product. Please refer to the advisory for the most current guidance:
Thanks,
Daniel Eads | Atlassian Support
@Alexey Chystoprudov @Daniel Eads
Me too, I'm getting the below results in Bitbucket Server v7.16.0:
/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-api-2.14.1.jar
/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-core-2.14.1.jar
/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-over-slf4j-1.7.25.jar
/opt/atlassian/bitbucket/7.16.0/app/WEB-INF/lib/log4j-to-slf4j-2.14.1.jar
/opt/atlassian/bitbucket/7.16.0/elasticsearch/lib/log4j-api-2.11.1.jar
/opt/atlassian/bitbucket/7.16.0/elasticsearch/lib/log4j-core-2.11.1.jar
Is my device affected?
Shall I keep or remove the log4j-api-2.14.1.jar file from Bitbucket?
Hi all,
Daniel with Atlassian Support here to let you know our security team has finished its investigation. We have an official response statement here on Community, which you can access at this link.
More information can be found on our advisory page, as well as the previously-published FAQ:
Thanks,
Daniel Eads | Atlassian Support
If you don't use JMSAppender, your device is not affected, according to our knowledge about this attack vector for now. In case of any changes or new vectors identified, the page https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html will be updated.
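The check discussed in this thread (list the log4j jars, then look for JMSAppender in log4j.properties), as an added example that is not part of any post and is not Atlassian tooling. The function names are hypothetical; classifying by file name and the WEB-INF/classes location of the sample log4j.properties are assumptions.

```shell
#!/bin/sh
# Added example: triage log4j jars by file name and check log4j.properties for JMSAppender.
# Labels are triage hints, not a verdict; file-name matching misses renamed or shaded jars.

# Classify one jar by its file name (assumption: upstream naming is intact).
classify_jar() {
    case "$(basename "$1")" in
        log4j-core-2.*.jar) echo "log4j2-core" ;;  # Log4j 2 implementation
        log4j-api-2.*.jar)  echo "log4j2-api" ;;   # Log4j 2 API only
        log4j-to-slf4j-*|log4j-over-slf4j-*|slf4j-log4j12-*) echo "bridge" ;;
        log4j-1.*.jar)      echo "log4j1" ;;       # Log4j 1.x (incl. vendor forks)
        *)                  echo "unknown" ;;
    esac
}

# Return 0 if a properties file has a non-comment line naming JMSAppender.
uses_jms_appender() {
    grep -Eq '^[[:space:]]*[^#![:space:]].*org\.apache\.log4j\.net\.JMSAppender' "$1"
}

# Walk an install directory and print one tab-separated finding per line.
scan_install() {
    find "$1" -type f -name '*log4j*.jar' 2>/dev/null | sort | while read -r jar; do
        printf '%s\t%s\n' "$(classify_jar "$jar")" "$jar"
    done
    find "$1" -type f -name 'log4j.properties' 2>/dev/null | sort | while read -r cfg; do
        if uses_jms_appender "$cfg"; then
            printf 'jms-appender-active\t%s\n' "$cfg"
        else
            printf 'jms-appender-absent\t%s\n' "$cfg"
        fi
    done
}

# Constructed sample tree: empty files named like the Bamboo listing in this thread.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/WEB-INF/lib" "$d/WEB-INF/classes"
    for n in log4j-1.2.17-atlassian-3.jar log4j-api-2.9.0.jar \
             log4j-to-slf4j-2.9.0.jar slf4j-log4j12-1.7.31.jar; do
        : > "$d/WEB-INF/lib/$n"
    done
    printf '%s\n' '#log4j.appender.jms=org.apache.log4j.net.JMSAppender' \
        'log4j.rootLogger=INFO, console' > "$d/WEB-INF/classes/log4j.properties"
    echo "$d"
}

# Scan the path given as $1, or the constructed sample when none is given.
scan_install "${1:-$(build_sample)}"
```

A commented-out JMSAppender line is reported as absent, since only active configuration lines count; compare any `log4j2-core` or `log4j1` finding against the vendor advisory rather than treating the label as a result.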