
Log4j JndiManager class in Elastic Search

Alex Young December 22, 2021

Have updated to the latest Bitbucket 7.19.1 on my Windows server as per Atlassian guidance:

https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html

However, the bundled ElasticSearch in this latest version still contains Log4j-core-2.11.1.

I have removed the JndiLookup class file from the jar, but the vulnerability scanner I'm using is still finding issues:

 

indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager.class): log4j 2.9.0-2.11.2


indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager$1.class): log4j 2.4-2.11.2


indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/pattern/MessagePatternConverter.class): log4j 2.10-2.11


indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class): log4j 2.9.1-2.10.0

 

Do I need to delete the JndiManager class files too to be mitigated from all CVEs related to L4j?

 

Thanks

 

1 answer

0 votes
gaxelac
December 22, 2021

I'm in the same situation; I removed JndiLookup.class thanks to Apache's suggestion because we can't upgrade just now: https://logging.apache.org/log4j/2.x/security.html

Where is the source of information that establishes that this class is vulnerable?
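
Added example, not part of either post and not Atlassian or Apache code: a small audit that opens a log4j-core jar and reports whether JndiLookup.class is still present and which of the class files named in the scanner output above remain. The `pom.properties` path is the usual Maven metadata location and is assumed to exist in the jar; the sample jar is constructed in memory with empty class bodies so the script runs offline.

```python
import io
import zipfile

# Class file that Apache's mitigation removes from log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Class files the scanner output in the question reports (copied from the post).
REPORTED = [
    "org/apache/logging/log4j/core/net/JndiManager.class",
    "org/apache/logging/log4j/core/net/JndiManager$1.class",
    "org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class",
    "org/apache/logging/log4j/core/pattern/MessagePatternConverter.class",
]
# Assumption: Maven metadata is present; repackaged jars may not carry it.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def audit_jar(jar):
    """Report what a log4j-core jar (path or file object) still contains."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM in names:
            for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {
        "version": version,
        "jndi_lookup_present": JNDI_LOOKUP in names,
        "reported_classes_present": sorted(n for n in REPORTED if n in names),
    }


def build_sample_jar(with_lookup):
    """Constructed stand-in for log4j-core-2.11.1.jar (empty class bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, "groupId=org.apache.logging.log4j\nversion=2.11.1\n")
        for name in REPORTED + ([JNDI_LOOKUP] if with_lookup else []):
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Compare the jar before and after JndiLookup.class is deleted.
    for label, jar in (("before", build_sample_jar(True)),
                       ("after", build_sample_jar(False))):
        print(label, audit_jar(jar))
```

On a real installation, pass the jar path to `audit_jar` instead of the sample object. The scanner lines in the question each name a class file inside the jar, so those entries keep appearing in `reported_classes_present` after JndiLookup.class has been deleted.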
