Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228
CVE-2021-44228 - Log4j vulnerable to remote code execution
Advisory Release Date
23:45 UTC (Coordinated Universal Time, +0 hours)
This advisory has been updated since the initial publication.
20:45 UTC (Coordinated Universal Time, +0 hours)
Updated the Bitbucket Server & Data Center section to note the availability of versions 7.21.0 and 6.10.17.
15:30 UTC (Coordinated Universal Time, +0 hours)
Updated "Impact on Apps from Atlassian's Marketplace" to contain additional information about our analysis of apps for our Data Center & Server products distributed via the Atlassian Marketplace.
04:00 UTC (Coordinated Universal Time, +0 hours)
Some versions of Bitbucket now support usage with external Elasticsearch instances patched against CVE-2021-44228.
The "Actions" column under "External version of Elasticsearch" has been updated to reflect this change and provide additional guidance on upgrading Elasticsearch.
Read the "Impact on Self-Managed Products" section for more information.
03:30 UTC (Coordinated Universal Time, +0 hours)
Since publishing this advisory, Atlassian has learned:
Prerequisite software, Elasticsearch, used by Bitbucket Server & Data Center may be vulnerable to CVE-2021-44228.
Some Bitbucket versions included an unused log4j-core component which has been removed in the latest update.
Read the “Impact On Self-Managed Products” section below to determine if you are affected, and how to protect affected installations.
Summary of Vulnerability
Multiple Atlassian products use the third-party Log4j library, which is vulnerable to CVE-2021-44228:
Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Impact on Cloud Products
This vulnerability has been mitigated for all Atlassian cloud products previously using vulnerable versions of Log4j. To date, our analysis has not identified compromise of Atlassian systems or customer data prior to the patching of these systems. Atlassian customers are not vulnerable, and no action is required.
Impact on Self-Managed Products
Bitbucket Server & Data Center
Bitbucket Server & Data Center are vulnerable to CVE-2021-44228 via bundled, prerequisite software - Elasticsearch. Per Elastic security advisory ESA-2021-31, Elasticsearch is not affected by Remote Code Execution, though information leakage is a potential impact. Refer to the table below to determine if action is required to mitigate the risk of information leakage:
Bundled Version of Elasticsearch
(i.e. if you have not set up a separate instance of Elasticsearch yourself)
Any Bitbucket versions released prior to :
As per Elastic security advisory ESA-2021-31, remote code execution is mitigated; however, information leakage may still apply.
Option 1: Upgrade Bitbucket to a version that bundles a non-vulnerable search engine
Option 2: Mitigation via system property
For Linux / MacOS:
External version of Elasticsearch
The version of Elasticsearch bundled with Bitbucket should not be used when running in a clustered configuration. Data Center cluster customers must install and manage their own Elasticsearch installations separately from Bitbucket Data Center. Customers using the Data Center edition should consult Elastic security advisory ESA-2021-31 to determine if any action is required to mitigate CVE-2021-44228.
We advise customers to follow guidance from Elastic in security advisory ESA-2021-31 to secure Elasticsearch deployments. However, we note:
Bitbucket Server & Data Center Security Fixes
To remediate CVE-2021-44228 on Bitbucket Server & Data Center, upgrade to a non-vulnerable version:
Bundled Version - Manual Mitigation
If you are unable to install an updated version of Bitbucket and are running the bundled Elasticsearch, make the following change as per Elastic security advisory ESA-2021-31:
The simplest remediation is to set the JVM option -Dlog4j2.formatMsgNoLookups=true and restart each node of the cluster.
For Elasticsearch 5.6.11+, 6.4+, and 7.0+, this provides full protection against the RCE and information leak attacks.
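A way to verify the remediation above on a node, given as an added example and not as Atlassian's or Elastic's tooling. It assumes the JVM options live in a text file with one option per line and `#` comments; the function names and sample contents are hypothetical.

```python
import re

FLAG = "-Dlog4j2.formatMsgNoLookups"

def flag_enabled(jvm_options_text):
    """True when the last active setting of the flag is 'true'."""
    value = None
    for raw in jvm_options_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and commented-out lines have no effect
        name, sep, val = line.partition("=")
        if sep and name.strip() == FLAG:
            # Assumption: when an option is repeated, the later value wins.
            value = val.strip().lower()
    return value == "true"

def in_stated_range(es_version):
    """True for 5.6.11+, 6.4+ and 7.0+, the ranges quoted in the advisory."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", es_version)
    if not m:
        raise ValueError("expected MAJOR.MINOR.PATCH, got %r" % es_version)
    major, minor, patch = (int(g) for g in m.groups())
    if major >= 7:
        return True
    if major == 6:
        return minor >= 4
    if major == 5:
        return (minor, patch) >= (6, 11)
    return False

def assess(es_version, jvm_options_text):
    """Combine both checks into one verdict string per node."""
    if not flag_enabled(jvm_options_text):
        return "flag-not-active"
    if in_stated_range(es_version):
        return "mitigated-per-advisory"
    return "flag-set-but-version-outside-stated-range"

# Constructed sample file contents, not taken from a real installation.
SAMPLE_OK = "-Xms1g\n-Xmx1g\n-Dlog4j2.formatMsgNoLookups=true\n"
SAMPLE_COMMENTED = "-Xms1g\n# -Dlog4j2.formatMsgNoLookups=true\n"
SAMPLE_OVERRIDDEN = SAMPLE_OK + "-Dlog4j2.formatMsgNoLookups=false\n"

if __name__ == "__main__":
    for version, text in [("6.8.6", SAMPLE_OK), ("5.6.10", SAMPLE_OK),
                          ("7.9.3", SAMPLE_COMMENTED), ("6.8.6", SAMPLE_OVERRIDDEN)]:
        print(version, assess(version, text))
```

A verdict of `flag-set-but-version-outside-stated-range` means the advisory's "full protection" statement does not cover that version, so ESA-2021-31 should be consulted for it.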
Restart Bitbucket after adding the following line to the bottom of the file
Unused log4j-core present in some Bitbucket versions
Bitbucket versions 7.12 to 7.19 included an unused log4j-core component. While this doesn’t present a risk, as Bitbucket uses Logback, not Log4j, for logging, an update has been provided to remove the Log4j component for the avoidance of doubt.
All Other Self-Managed Products
No other Atlassian self-managed products are vulnerable to CVE-2021-44228.
Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place:
The JMS Appender is configured in the application's Log4j configuration
javax.jms API is included in the application's
The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime
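An added example (not Atlassian's code) that audits a Log4j 1.x `.properties` configuration for the first and third conditions above: a configured JMS Appender and the options that drive its JNDI lookup. It does not cover XML configurations or the classpath condition; the function names and sample file are hypothetical.

```python
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# JMSAppender options that feed its JNDI lookup (Log4j 1.2 setter names, lower-cased).
JNDI_OPTIONS = {"topicbindingname", "topicconnectionfactorybindingname",
                "providerurl", "initialcontextfactoryname"}

def parse_properties(text):
    """Minimal key=value reader; skips blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_jms_appenders(text):
    """Map each configured JMSAppender name to the JNDI-related options set on it."""
    props = parse_properties(text)
    findings = {}
    for key, value in props.items():
        parts = key.split(".")
        # An appender definition looks like log4j.appender.<name>=<class>.
        if len(parts) == 3 and parts[:2] == ["log4j", "appender"] and value == JMS_APPENDER:
            prefix = key + "."
            findings[parts[2]] = {
                k[len(prefix):]: v for k, v in props.items()
                if k.startswith(prefix) and k[len(prefix):].lower() in JNDI_OPTIONS
            }
    return findings

# Constructed sample configuration, not taken from any Atlassian product.
SAMPLE = """\
log4j.rootLogger=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.ProviderURL=tcp://mq.example.internal:61616
#log4j.appender.old=org.apache.log4j.net.JMSAppender
"""

if __name__ == "__main__":
    for name, options in audit_jms_appenders(SAMPLE).items():
        print("JMSAppender %r configured with JNDI options: %s" % (name, options))
```

An empty result means no JMS Appender is defined in the file, so the first condition is not met for that configuration.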
The following products use the Atlassian-maintained fork of Log4j 1.2.17:
Bamboo Server and Data Center (including Bamboo Agents)
Confluence Server and Data Center
Crowd Server and Data Center
Fisheye / Crucible
Jira Service Management Server and Data Center
Jira Software Server and Data Center (including Jira Core)
Impact on Apps from Atlassian Marketplace
The tools Atlassian shares with partners to develop apps, such as Connect and Forge, are not vulnerable to CVE-2021-44228. Additionally, there are no cloud apps developed by Atlassian that are vulnerable. Atlassian continues to actively scan third-party cloud apps on our marketplace to determine if they are vulnerable. So far, we have identified a handful of apps that are vulnerable. We will run more scans and checks over the next few days to continuously monitor the situation and to ensure that there are no gaps in our review.
Given the severity of this situation, each vulnerable app must promptly address the issue as soon as it's discovered. Atlassian will pause apps that do not address the issue, and inform customers who have vulnerable apps installed.
DATA CENTER AND SERVER APPS
Atlassian confirmed that no Atlassian-developed apps are vulnerable to CVE-2021-44228. Additionally, Atlassian scanned third-party apps in our Marketplace to determine if they were vulnerable to CVE-2021-44228. A few third-party apps were found to be vulnerable and, in most cases, these vulnerabilities have been addressed. There were two cases in which app vendors did not address the vulnerability within the expedited deadline provided. Users of these apps have been informed and the apps have been hidden from the Atlassian Marketplace.
Note: Apps that are not listed on the Atlassian Marketplace (apps installed from other third-party sites, for example) are not actively scanned or reviewed by Atlassian. Reach out to the vendor directly if you have concerns about the security of those apps.
- Apache Log4j Security Vulnerabilities
- Elastic security advisory ESA-2021-31
- BSERV-13087
- BSERV-13088