Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

Summary

CVE-2021-44228 - Log4j vulnerable to remote code execution

Advisory Release Date

 23:45 UTC (Coordinated Universal Time, +0 hours)

CVE ID

CVE-2021-44228

This advisory has been updated since the initial publication.

Changes since initial publication

15:30 UTC (Coordinated Universal Time, +0 hours)

Updated "Impact on Apps from Atlassian's Marketplace" to contain additional information about our analysis of apps for our Data Center & Server products distributed via the Atlassian Marketplace.

04:00 UTC (Coordinated Universal Time, +0 hours)

Some versions of Bitbucket now support usage with external Elasticsearch instances patched against CVE-2021-44228.

The "Actions" column under "External version of Elasticsearch" have been updated to reflect this change and provide additional guidance on upgrading Elasticsearch.

Read the "Impact on Self-Managed Products" section for more information.

 03:30 UTC (Coordinated Universal Time, +0 hours)

Since publishing this advisory, Atlassian has learned:

  • Prerequisite software, Elasticsearch, used by Bitbucket Server & Data Center may be vulnerable to CVE-2021-44228

  • Some Bitbucket versions included an unused log4j-core component which has been removed in the latest update.

Read the “Impact On Self-Managed Products” section below to determine if you are affected, and how to protect affected installations.

Summary of Vulnerability

Multiple Atlassian products use the third-party Log4j library, which is vulnerable to CVE-2021-44228:

Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

Impact on Cloud Products

This vulnerability has been mitigated for all Atlassian cloud products previously using vulnerable versions of Log4j. To date, our analysis has not identified compromise of Atlassian systems or customer data prior to the patching of these systems. Atlassian customers are not vulnerable, and no action is required.

Impact on Self-Managed Products

Bitbucket Server & Data Center

Bitbucket Server & Data Center are vulnerable to CVE-2021-44228 via bundled, prerequisite software - Elasticsearch. Per Elastic security advisory ESA-2021-31, Elasticsearch is not affected by Remote Code Execution, though information leakage is a potential impact. Refer to the table below to determine if action is required to mitigate the risk of information leakage:

Version

Vulnerability Criteria

Actions

Bundled Version of Elasticsearch

(i.e. if you have not set up a separate instance of Elasticsearch yourself)

Any Bitbucket versions released prior to :

  • All versions < 6.10.16

  • 7.x < 7.6.12

  • Versions >= 7.7.0 and < 7.14.2

  • 7.15.x < 7.15.3

  • 7.16.x < 7.16.3

  • 7.17.x < 7.17.4

  • 7.18.x < 7.18.3

  • 7.19

As per Elastic security advisory ESA-2021-31, remote code execution is mitigated, however an information leakage may still apply.

For Linux / MacOS:

  • We are unable to release an updated version of the bundled Elasticsearch version due to licensing changes for Elasticsearch versions later than 7.10

  • Instead, we have released updated versions (described below) of Bitbucket which apply the log4j2.formatMsgNoLookups=true flag mitigation

  • If a customer can't update Bitbucket, they should apply the log4j2.formatMsgNoLookups=true flag manually (see below for instructions)

For Windows:

  • Customers should apply the log4j2.formatMsgNoLookups=true flag manually (see below for instructions)

External version of Elasticsearch

The version of Elasticsearch bundled with Bitbucket should not be used when running in a clustered configuration. Data Center cluster customers must install and manage their own Elasticsearch installations separately from Bitbucket Data Center. Customers using the Data Center edition should consult Elastic security advisory ESA-2021-31 to determine if any action is required to mitigate CVE-2021-44228.

We advise customers to follow guidance from Elastic in security advisory ESA-2021-31 to secure Elasticsearch deployments. However, we note:

  • Before upgrading Elasticsearch, ensure that the new version is supported by your version of Bitbucket. Supported versions of Elasticsearch can be found on the Supported Platforms page for your version of Bitbucket
  • If your version of Bitbucket does not support the fixed version of Elasticsearch, we recommend customers apply the alternative mitigations as described in Elastic security advisory ESA-2021-31


Bitbucket Server & Data Center Security Fixes

To remediate CVE-2021-44228 on Bitbucket Server & Data Center, upgrade to a non-vulnerable version:

  • 6.10.16

  • 7.6.12

  • 7.14.2

  • 7.15.3

  • 7.16.3

  • 7.17.4

  • 7.18.3

  • 7.19.1

Find the versions above on our downloads page and use the steps outlined in the Bitbucket Server upgrade guide to complete the upgrade.

Bundled Version - Manual Mitigation

If you are unable to install an updated version of Bitbucket and are running the bundled Elasticsearch, make the following change as per Elastic security advisory ESA-2021-31:

The simplest remediation is to set the JVM option -Dlog4j2.formatMsgNoLookups=true and restart each node of the cluster.
For Elasticsearch 5.6.11+, 6.4+, and 7.0+, this provides full protection against the RCE and information leak attacks.

Restart Bitbucket after adding the following line to the bottom of the file $BITBUCKET_HOME/shared/search/jvm.options

-Dlog4j2.formatMsgNoLookups=true

Unused log4j-core present in some Bitbucket versions

Bitbucket versions 7.12 to 7.19 included an unused log4j-core component. While this doesn’t present a risk as Bitbucket uses Logback, not Log4j, for logging an update has been provided to remove Log4j component for avoidance of doubt.

All Other Self-Managed Products

No other Atlassian self-managed products are vulnerable to CVE-2021-44228.

Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place: 

  • The JMS Appender is configured in the application's Log4j configuration

  • The javax.jms API is included in the application's CLASSPATH

  • The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime 

The following products use the Atlassian-maintained fork of Log4j 1.2.17:

  • Bamboo Server and Data Center (including Bamboo Agents)

  • Confluence Server and Data Center

  • Crowd Server and Data Center

  • Fisheye / Crucible

  • Jira Service Management Server and Data Center

  • Jira Software Server and Data Center (including Jira Core)

Impact on Apps from Atlassian Marketplace

CLOUD APPS

The tools Atlassian shares with partners to develop apps, such as Connect and Forge, are not vulnerable to CVE-2021-44228. Additionally, there are no cloud apps developed by Atlassian that are vulnerable. Atlassian continues to actively scan third-party cloud apps on our marketplace to determine if they are vulnerable. So far, we have identified a handful of apps that are vulnerable. We will run more scans and checks over the next few days to continuously monitor the situation and to ensure that there are no gaps in our review.

Given the severity of this situation, each vulnerable app must promptly address the issue as soon as it's discovered. Atlassian will pause apps that do not address the issue, and inform customers who have vulnerable apps installed.

DATA CENTER AND SERVER APPS

Atlassian confirmed that no Atlassian-developed apps are vulnerable to CVE-2021-44228. Additionally, Atlassian scanned 3rd party apps in our Marketplace to determine if they were vulnerable to CVE-2021-44228. A few third-party apps were found to be vulnerable and in most cases, these vulnerabilities have been addressed. There were two cases in which app vendors did not address the vulnerability within the expedited deadline provided. Users of these apps have been informed and the apps have been hidden from the Atlassian Marketplace.

Note: Apps that are not listed on the Atlassian Marketplace (apps installed from other 3rd party sites, for example) are not actively scanned or reviewed by Atlassian. Reach out to the vendor directly if you have concerns about the security of those apps.

References

Support

If you have questions or concerns regarding this advisory, check our Frequently asked questions for CVE-2021-44228, or raise a support request at https://support.atlassian.com/.

Last modified on Jan 5, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.