Have updated to the latest Bitbucket 7.19.1 on my Windows server as per Atlassian guidance:
However, the bundled Elasticsearch in this latest version still contains log4j-core-2.11.1.
I have removed the JndiLookup class file from the jar, but the vulnerability scanner I'm using is still finding issues:
indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager.class): log4j 2.9.0-2.11.2
indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager$1.class): log4j 2.4-2.11.2
indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/pattern/MessagePatternConverter.class): log4j 2.10-2.11
indicator for vulnerable component found in c:\Atlassian\Bitbucket\7.19.1\elasticsearch\lib\log4j-core-2.11.1.jar (org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class): log4j 2.9.1-2.10.0
Do I need to delete the JndiManager class files too to be mitigated from all CVEs related to Log4j?
Thanks
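The scanner output in the question matches on class file names inside the jar, so a file-presence check will keep reporting the JndiManager classes after only JndiLookup.class has been removed. The script below is an added example (not from the original post, Atlassian or Apache) that reproduces the same kind of check a defender would run before and after applying the Apache mitigation: it reads the log4j-core version from the jar's pom.properties, lists which JNDI-related class entries are still present, and rewrites a copy of the jar without JndiLookup.class. The sample jar it builds is a constructed stand-in with empty class entries, used only so the example runs offline; the function and variable names are my own.

```python
import io
import zipfile
from pathlib import Path

# Entry the Apache security page says to remove for the 2.x mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Prefix shared by the JndiManager classes the scanner in the question reports.
JNDI_MANAGER_PREFIX = "org/apache/logging/log4j/core/net/JndiManager"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_log4j_core(jar_bytes: bytes) -> dict:
    """Report what a name-based scanner would see in one log4j-core jar."""
    report = {"version": None, "jndi_lookup_present": False, "jndi_manager_classes": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    report["version"] = line.split("=", 1)[1].strip()
        report["jndi_lookup_present"] = JNDI_LOOKUP in names
        report["jndi_manager_classes"] = sorted(
            n for n in names if n.startswith(JNDI_MANAGER_PREFIX)
        )
    return report


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar with JndiLookup.class removed (the Apache mitigation).

    Every other entry is copied through unchanged, so any JndiManager classes
    remain and will still be listed by inspect_log4j_core().
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def find_log4j_core_jars(root: Path) -> list:
    """Locate log4j-core jars below a directory, e.g. the Bitbucket install root."""
    return sorted(root.rglob("log4j-core-*.jar"))


def build_sample_jar(version: str, with_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar; the class entries are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            POM_PROPERTIES,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )
        zf.writestr("org/apache/logging/log4j/core/net/JndiManager.class", b"")
        zf.writestr("org/apache/logging/log4j/core/net/JndiManager$1.class", b"")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_jar("2.11.1", with_jndi_lookup=True)
    print("before:", inspect_log4j_core(original))
    print("after: ", inspect_log4j_core(strip_jndi_lookup(original)))
```

To run it against a real install, pass the bytes of each path returned by `find_log4j_core_jars(Path(r"C:\Atlassian\Bitbucket"))` to `inspect_log4j_core`; write the output of `strip_jndi_lookup` to a new file and keep the original as a backup rather than overwriting in place. The report only tells you which entries exist, which is exactly what the scanner in the question keys on; it does not by itself say whether a remaining class is reachable in your deployment.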
I'm in the same situation; I removed JndiLookup.class following the Apache suggestion because we can't upgrade just now: https://logging.apache.org/log4j/2.x/security.html
Where is the source of information that establishes that this class is vulnerable?