===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.4216.3
         Multiple Products Security Advisory - Log4j Vulnerable To
                  Remote Code Execution - CVE-2021-44228
                               3 March 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Products
Publisher:         Atlassian
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44228  

Reference:         ASB-2021.0244.5
                   ESB-2021.4186.3

Original Bulletin: 
   https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html

Comment: CVSS (Max):  10.0 CVE-2021-44228 (CVSSv3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSSv3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Revision History:  March     3 2022: Vendor updated the Bitbucket Server & Data Center section to note the availability of versions 7.21.0 and 6.10.17
                   December 20 2021: Vendor updated the advisory to include Bitbucket as vulnerable product
                   December 14 2021: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

+--------------------+--------------------------------------------------------+
|      Summary       |CVE-2021-44228 - Log4j vulnerable to remote code        |
|                    |execution                                               |
+--------------------+--------------------------------------------------------+
|  Advisory Release  |13 Dec 2021 23:45 UTC (Coordinated Universal Time, +0   |
|        Date        |hours)                                                  |
+--------------------+--------------------------------------------------------+
|       CVE ID       |CVE-2021-44228                                          |
+--------------------+--------------------------------------------------------+

This advisory has been updated since the initial publication.

 Changes since initial publication

02 Mar 2022 20:45 UTC (Coordinated Universal Time, +0 hours)

Updated the Bitbucket Server & Data Center section to note the availability of
versions 7.21.0 and 6.10.17.

05 Jan 2022 15:30 UTC (Coordinated Universal Time, +0 hours)

Updated "Impact on Apps from Atlassian's Marketplace" to contain additional
information about our analysis of apps for our Data Center & Server products
distributed via the Atlassian Marketplace.

04 Jan 2022 04:00 UTC (Coordinated Universal Time, +0 hours)

Some versions of Bitbucket now support usage with external Elasticsearch
instances patched against CVE-2021-44228.

The "Actions" column under "External version of Elasticsearch" has been
updated to reflect this change and to provide additional guidance on upgrading
Elasticsearch.

Read the "Impact on Self-Managed Products" section for more information.

16 Dec 2021 03:30 UTC (Coordinated Universal Time, +0 hours)

Since publishing this advisory, Atlassian has learned:

  o Prerequisite software, Elasticsearch, used by Bitbucket Server & Data
    Center may be vulnerable to CVE-2021-44228

  o Some Bitbucket versions included an unused log4j-core component which has
    been removed in the latest update.

Read the "Impact On Self-Managed Products" section below to determine if you
are affected, and how to protect affected installations.

Summary of Vulnerability

Multiple Atlassian products use the third-party Log4j library, which is
vulnerable to CVE-2021-44228:

    Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and
    parameters do not protect against attacker-controlled LDAP and other JNDI
    related endpoints. An attacker who can control log messages or log message
    parameters can execute arbitrary code loaded from LDAP servers when message
    lookup substitution is enabled.

Impact on Cloud Products

This vulnerability has been mitigated for all Atlassian cloud products
previously using vulnerable versions of Log4j. To date, our analysis has not
identified compromise of Atlassian systems or customer data prior to the
patching of these systems. Atlassian customers are not vulnerable, and no
action is required.

Impact on Self-Managed Products

Bitbucket Server & Data Center

Bitbucket Server & Data Center are vulnerable to CVE-2021-44228 via the bundled
prerequisite software, Elasticsearch. Per Elastic security advisory
ESA-2021-31, Elasticsearch is not affected by remote code execution, though
information leakage is a potential impact. Refer to the table below to
determine if action is required to mitigate the risk of information leakage:

Version: Bundled Version of Elasticsearch (i.e. if you have not set up a
separate instance of Elasticsearch yourself)

  Vulnerability Criteria

  Any Bitbucket versions released prior to 15 Dec 2021:

    o All versions < 6.10.16
    o 7.x < 7.6.12
    o Versions >= 7.7.0 and < 7.14.2
    o 7.15.x < 7.15.3
    o 7.16.x < 7.16.3
    o 7.17.x < 7.17.4
    o 7.18.x < 7.18.3
    o 7.19

  As per Elastic security advisory ESA-2021-31, remote code execution is
  mitigated, however an information leakage may still apply.

  Actions

  Option 1: Upgrade Bitbucket to a version that bundles a non-vulnerable
  search engine

    o Upgrade to Bitbucket 7.21.0 (or later) which bundles Opensearch 1.2.4
      (as noted in the release notes, this will result in a full search
      re-index); or
    o Upgrade to Bitbucket 6.10.17 (or any later 6.10.x version) which
      bundles Elasticsearch 6.8.22

  Option 2: Mitigation via system property

  For Linux / MacOS:

    o We are unable to release an updated version of the bundled
      Elasticsearch version due to licensing changes for Elasticsearch
      versions later than 7.10
    o Instead, we have released updated versions (described below) of
      Bitbucket which apply the log4j2.formatMsgNoLookups=true flag
      mitigation
    o If a customer can't update Bitbucket, they should apply the
      log4j2.formatMsgNoLookups=true flag manually (see below for
      instructions)

  For Windows:

    o Customers should apply the log4j2.formatMsgNoLookups=true flag
      manually (see below for instructions)

Version: External version of Elasticsearch

  Vulnerability Criteria

  The version of Elasticsearch bundled with Bitbucket should not be used when
  running in a clustered configuration. Data Center cluster customers must
  install and manage their own Elasticsearch installations separately from
  Bitbucket Data Center. Customers using the Data Center edition should
  consult Elastic security advisory ESA-2021-31 to determine if any action is
  required to mitigate CVE-2021-44228.

  Actions

  We advise customers to follow guidance from Elastic in security advisory
  ESA-2021-31 to secure Elasticsearch deployments. However, we note:

    o Before upgrading Elasticsearch, ensure that the new version is
      supported by your version of Bitbucket. Supported versions of
      Elasticsearch can be found on the Supported Platforms page for your
      version of Bitbucket
    o If your version of Bitbucket does not support the fixed version of
      Elasticsearch, we recommend customers apply the alternative mitigations
      as described in Elastic security advisory ESA-2021-31


Bitbucket Server & Data Center Security Fixes

To remediate CVE-2021-44228 on Bitbucket Server & Data Center, upgrade to a
non-vulnerable version:

  o 6.10.16

  o 7.6.12

  o 7.14.2

  o 7.15.3

  o 7.16.3

  o 7.17.4

  o 7.18.3

  o 7.19.1

  o 7.21.0

Find the versions above on our downloads page and use the steps outlined in the
Bitbucket Server upgrade guide to complete the upgrade.
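As an added example (not from the Atlassian advisory or from AusCERT), the version criteria for the bundled Elasticsearch and the fixed releases listed above, transcribed into a triage check for a Bitbucket install; it applies only the ranges the advisory lists, so a version outside them (such as 7.20.x or 7.21.0) is reported as not in a listed vulnerable range.

```python
"""Triage a Bitbucket Server / Data Center version against the bundled-
Elasticsearch criteria and fixed releases in the CVE-2021-44228 advisory.
Added example; the ranges below are transcribed from the advisory."""


def parse_version(version):
    """'7.19' -> (7, 19, 0); tuples of this shape compare correctly."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


# (lower bound inclusive, upper bound exclusive) per release line, from the
# "Vulnerability Criteria" column; each upper bound is the first fixed release.
VULNERABLE_RANGES = [
    ((0, 0, 0), (6, 10, 16)),    # All versions < 6.10.16
    ((7, 0, 0), (7, 6, 12)),     # 7.x < 7.6.12
    ((7, 7, 0), (7, 14, 2)),     # Versions >= 7.7.0 and < 7.14.2
    ((7, 15, 0), (7, 15, 3)),    # 7.15.x < 7.15.3
    ((7, 16, 0), (7, 16, 3)),    # 7.16.x < 7.16.3
    ((7, 17, 0), (7, 17, 4)),    # 7.17.x < 7.17.4
    ((7, 18, 0), (7, 18, 3)),    # 7.18.x < 7.18.3
    ((7, 19, 0), (7, 19, 1)),    # 7.19 (7.19.1 is the fixed release)
]


def is_vulnerable(version):
    """True if the version falls inside a vulnerable range from the advisory."""
    v = parse_version(version)
    return any(low <= v < high for low, high in VULNERABLE_RANGES)


def recommendation(version):
    """Advisory guidance for an install running the bundled Elasticsearch."""
    if not is_vulnerable(version):
        return "not in a listed vulnerable range; no action from the advisory"
    return ("Option 1: upgrade to Bitbucket 7.21.0 (or later) or 6.10.17 "
            "(or later 6.10.x); Option 2: until then, set "
            "-Dlog4j2.formatMsgNoLookups=true for the bundled Elasticsearch")


if __name__ == "__main__":
    for ver in ("6.10.15", "7.6.12", "7.14.1", "7.19", "7.21.0"):
        print(ver, "->", recommendation(ver))
```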

Bundled Version - Manual Mitigation

If you are unable to install an updated version of Bitbucket and are running
the bundled Elasticsearch, make the following change as per Elastic security
advisory ESA-2021-31:

    The simplest remediation is to set the JVM option
    -Dlog4j2.formatMsgNoLookups=true and restart each node of the cluster.
    For Elasticsearch 5.6.11+, 6.4+, and 7.0+, this provides full protection
    against the RCE and information leak attacks.

Restart Bitbucket after adding the following line to the bottom of the file
$BITBUCKET_HOME/shared/search/jvm.options

-Dlog4j2.formatMsgNoLookups=true
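An added example (not Atlassian's or Elastic's tooling) that checks a jvm.options file for the flag described above and appends it when it is missing or set to another value, ignoring commented-out copies; it assumes the file is the bundled Elasticsearch's $BITBUCKET_HOME/shared/search/jvm.options and demonstrates on a constructed sample.

```python
"""Verify and apply the manual mitigation from the advisory: the line
-Dlog4j2.formatMsgNoLookups=true in $BITBUCKET_HOME/shared/search/jvm.options
of the bundled Elasticsearch. Added example, not Atlassian's own tooling."""
import os

MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups="  "true"
PROPERTY_PREFIX = "-Dlog4j2.formatMsgNoLookups="

# Constructed sample jvm.options content (not taken from a real install).
SAMPLE_JVM_OPTIONS = """\
## JVM configuration (constructed sample)
-Xms1g
-Xmx1g
# -Dlog4j2.formatMsgNoLookups=true   <- commented out, so NOT active
"""


def mitigation_status(text):
    """'present', 'conflicting' (property set to a value other than true),
    or 'missing'. Lines starting with '#' are comments and are ignored."""
    found, conflict = False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == MITIGATION_FLAG:
            found = True
        elif line.startswith(PROPERTY_PREFIX):
            conflict = True   # e.g. '=false', which leaves lookups enabled
    if conflict:
        return "conflicting"
    return "present" if found else "missing"


def ensure_mitigation(text):
    """Return content with exactly one active flag line: any existing
    log4j2.formatMsgNoLookups setting is dropped and the flag is appended at
    the bottom, as the advisory instructs. Idempotent."""
    if mitigation_status(text) == "present":
        return text
    kept = [line for line in text.splitlines()
            if not line.strip().startswith(PROPERTY_PREFIX)]
    return "\n".join(kept + [MITIGATION_FLAG]) + "\n"


def apply_to_file(path):
    """Rewrite the file in place if needed; returns the status found before."""
    with open(path) as f:
        before = f.read()
    status = mitigation_status(before)
    if status != "present":
        with open(path, "w") as f:
            f.write(ensure_mitigation(before))
    return status


if __name__ == "__main__":
    # BITBUCKET_HOME must be set; the path below is the one the advisory names.
    path = os.path.join(os.environ["BITBUCKET_HOME"], "shared", "search",
                        "jvm.options")
    print(path, "was", apply_to_file(path), "(restart Bitbucket if changed)")
```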

Unused log4j-core present in some Bitbucket versions

Bitbucket versions 7.12 to 7.19 included an unused log4j-core component. While
this doesn't present a risk, as Bitbucket uses Logback, not Log4j, for logging,
an update has been provided to remove the Log4j component for the avoidance of
doubt.

All Other Self-Managed Products

No other Atlassian self-managed products are vulnerable to CVE-2021-44228.

Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17,
which is not vulnerable to CVE-2021-44228. We have done additional analysis on
this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that
can only be exploited by a trusted party. For that reason, Atlassian rates the
severity level for all other self-managed products as low. Specifically,
Atlassian products that use Log4j 1.x are only affected if all of the following
non-default configurations are in place:

  o The JMS Appender is configured in the application's Log4j configuration

  o The javax.jms API is included in the application's CLASSPATH

  o The JMS Appender has been configured with a JNDI lookup to a third party.
    Note: this can only be done by a trusted user modifying the application's
    configuration, or by trusted code setting a property at runtime

The following products use the Atlassian-maintained fork of Log4j 1.2.17:

  o Bamboo Server and Data Center (including Bamboo Agents)

  o Confluence Server and Data Center

  o Crowd Server and Data Center

  o Fisheye / Crucible

  o Jira Service Management Server and Data Center

  o Jira Software Server and Data Center (including Jira Core)

Impact on Apps from Atlassian Marketplace

CLOUD APPS

The tools Atlassian shares with partners to develop apps, such as Connect and
Forge, are not vulnerable to CVE-2021-44228. Additionally, there are no cloud
apps developed by Atlassian that are vulnerable. Atlassian continues to
actively scan third-party cloud apps on our marketplace to determine if they
are vulnerable. So far, we have identified a handful of apps that are
vulnerable. We will run more scans and checks over the next few days to
continuously monitor the situation and to ensure that there are no gaps in our
review.

Given the severity of this situation, each vulnerable app must promptly address
the issue as soon as it's discovered. Atlassian will pause apps that do not
address the issue, and inform customers who have vulnerable apps installed.

DATA CENTER AND SERVER APPS

Atlassian confirmed that no Atlassian-developed apps are vulnerable to
CVE-2021-44228. Additionally, Atlassian scanned 3rd party apps in our
Marketplace to determine if they were vulnerable to CVE-2021-44228. A few
third-party apps were found to be vulnerable and in most cases, these
vulnerabilities have been addressed. There were two cases in which app vendors
did not address the vulnerability within the expedited deadline provided. Users
of these apps have been informed and the apps have been hidden from the
Atlassian Marketplace.

Note: Apps that are not listed on the Atlassian Marketplace (apps installed
from other 3rd party sites, for example) are not actively scanned or reviewed
by Atlassian. Reach out to the vendor directly if you have concerns about the
security of those apps.

References

  o Apache Log4j Security Vulnerabilities
  o CVE-2021-44228
  o Elastic security advisory ESA-2021-31
  o BSERV-13087
  o BSERV-13088

Support

If you have questions or concerns regarding this advisory, check our Frequently
asked questions for CVE-2021-44228, or raise a support request at
https://support.atlassian.com/.

Last modified on Mar 2, 2022

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================