Have updated to the latest Bitbucket 7.19.1 on my Windows server as per Atlassian guidance:

https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html

However the bundled ElasticSearch in this latest version still contains Log4j-core-2.11.1

I have removed the JndiLookup class file from the jar, but the vulnerability scanner im using is still finding issues:

indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager.class): log4j 2.9.0-2.11.2

indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager$1.class): log4j 2.4-2.11.2

indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/pattern/MessagePatternConverter.class): log4j 2.10-2.11

indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class): log4j 2.9.1-2.10.0

Do i need to delete the JndiManager class files too to be mitigated from all CVE's related to L4j?

Thanks