-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4216.3
   Multiple Products Security Advisory - Log4j Vulnerable To Remote Code
                         Execution - CVE-2021-44228
                               3 March 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Products
Publisher:         Atlassian
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44228

Reference:         ASB-2021.0244.5
                   ESB-2021.4186.3

Original Bulletin:
   https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html

Comment: CVSS (Max):  10.0 CVE-2021-44228 (CVSSv3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSSv3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Revision History:  March 3 2022:     Vendor updated the Bitbucket Server & Data
                                     Center section to note the availability of
                                     versions 7.21.0 and 6.10.17
                   December 20 2021: Vendor updated the advisory to include
                                     Bitbucket as a vulnerable product
                   December 14 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

+--------------------+--------------------------------------------------------+
| Summary            |CVE-2021-44228 - Log4j vulnerable to remote code        |
|                    |execution                                               |
+--------------------+--------------------------------------------------------+
| Advisory Release   |13 Dec 2021 23:45 UTC (Coordinated Universal Time, +0   |
| Date               |hours)                                                  |
+--------------------+--------------------------------------------------------+
| CVE ID             |CVE-2021-44228                                          |
+--------------------+--------------------------------------------------------+

This advisory has been updated since the initial publication.
Changes since initial publication

02 Mar 2022 20:45 UTC (Coordinated Universal Time, +0 hours)

Updated the Bitbucket Server & Data Center section to note the availability of
versions 7.21.0 and 6.10.17.

05 Jan 2022 15:30 UTC (Coordinated Universal Time, +0 hours)

Updated "Impact on Apps from Atlassian's Marketplace" to contain additional
information about our analysis of apps for our Data Center & Server products
distributed via the Atlassian Marketplace.

04 Jan 2022 04:00 UTC (Coordinated Universal Time, +0 hours)

Some versions of Bitbucket now support usage with external Elasticsearch
instances patched against CVE-2021-44228. The "Actions" column under "External
version of Elasticsearch" has been updated to reflect this change and provide
additional guidance on upgrading Elasticsearch. Read the "Impact on Self-Managed
Products" section for more information.

16 Dec 2021 03:30 UTC (Coordinated Universal Time, +0 hours)

Since publishing this advisory, Atlassian has learned:

  o Prerequisite software, Elasticsearch, used by Bitbucket Server & Data
    Center may be vulnerable to CVE-2021-44228
  o Some Bitbucket versions included an unused log4j-core component which has
    been removed in the latest update.

Read the "Impact On Self-Managed Products" section below to determine if you
are affected, and how to protect affected installations.

Summary of Vulnerability

Multiple Atlassian products use the third-party Log4j library, which is
vulnerable to CVE-2021-44228:

    Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and
    parameters do not protect against attacker controlled LDAP and other JNDI
    related endpoints. An attacker who can control log messages or log message
    parameters can execute arbitrary code loaded from LDAP servers when
    message lookup substitution is enabled.

Impact on Cloud Products

This vulnerability has been mitigated for all Atlassian cloud products
previously using vulnerable versions of Log4j.
To date, our analysis has not identified compromise of Atlassian systems or
customer data prior to the patching of these systems. Atlassian customers are
not vulnerable, and no action is required.

Impact on Self-Managed Products

Bitbucket Server & Data Center

Bitbucket Server & Data Center are vulnerable to CVE-2021-44228 via bundled,
prerequisite software - Elasticsearch. Per Elastic security advisory
ESA-2021-31, Elasticsearch is not affected by Remote Code Execution, though
information leakage is a potential impact.

Refer to the table below to determine if action is required to mitigate the
risk of information leakage:

Version: Bundled Version of Elasticsearch (i.e. if you have not set up a
separate instance of Elasticsearch yourself)

  Vulnerability Criteria:

    Any Bitbucket versions released prior to 15 Dec 2021:

      o All versions < 6.10.16
      o 7.x < 7.6.12
      o Versions >= 7.7.0 and < 7.14.2
      o 7.15.x < 7.15.3
      o 7.16.x < 7.16.3
      o 7.17.x < 7.17.4
      o 7.18.x < 7.18.3
      o 7.19

    As per Elastic security advisory ESA-2021-31, remote code execution is
    mitigated, however an information leakage may still apply.

  Actions:

    Option 1: Upgrade Bitbucket to a version that bundles a non-vulnerable
    search engine

      o Upgrade to Bitbucket 7.21.0 (or later) which bundles Opensearch 1.2.4
        (as noted in the release notes, this will result in a full search
        re-index); or
      o Upgrade to Bitbucket 6.10.17 (or any later 6.10.x version) which
        bundles Elasticsearch 6.8.22

    Option 2: Mitigation via system property

    For Linux / MacOS:

      o We are unable to release an updated version of the bundled
        Elasticsearch version due to licensing changes for Elasticsearch
        versions later than 7.10
      o Instead, we have released updated versions (described below) of
        Bitbucket which apply the log4j2.formatMsgNoLookups=true flag
        mitigation
      o If a customer can't update Bitbucket, they should apply the
        log4j2.formatMsgNoLookups=true flag manually (see below for
        instructions)

    For Windows:

      o Customers should apply the log4j2.formatMsgNoLookups=true flag manually
        (see below for instructions)

Version: External version of Elasticsearch

  Vulnerability Criteria:

    The version of Elasticsearch bundled with Bitbucket should not be used when
    running in a clustered configuration. Data Center cluster customers must
    install and manage their own Elasticsearch installations separately from
    Bitbucket Data Center. Customers using the Data Center edition should
    consult Elastic security advisory ESA-2021-31 to determine if any action is
    required to mitigate CVE-2021-44228.

  Actions:

    We advise customers to follow guidance from Elastic in security advisory
    ESA-2021-31 to secure Elasticsearch deployments. However, we note:

      o Before upgrading Elasticsearch, ensure that the new version is
        supported by your version of Bitbucket. Supported versions of
        Elasticsearch can be found on the Supported Platforms page for your
        version of Bitbucket
      o If your version of Bitbucket does not support the fixed version of
        Elasticsearch, we recommend customers apply the alternative
        mitigations as described in Elastic security advisory ESA-2021-31

Bitbucket Server & Data Center Security Fixes

To remediate CVE-2021-44228 on Bitbucket Server & Data Center, upgrade to a
non-vulnerable version:

  o 6.10.16
  o 7.6.12
  o 7.14.2
  o 7.15.3
  o 7.16.3
  o 7.17.4
  o 7.18.3
  o 7.19.1
  o 7.21.0

Find the versions above on our downloads page and use the steps outlined in the
Bitbucket Server upgrade guide to complete the upgrade.

Bundled Version - Manual Mitigation

If you are unable to install an updated version of Bitbucket and are running
the bundled Elasticsearch, make the following change as per Elastic security
advisory ESA-2021-31:

    The simplest remediation is to set the JVM option
    -Dlog4j2.formatMsgNoLookups=true and restart each node of the cluster. For
    Elasticsearch 5.6.11+, 6.4+, and 7.0+, this provides full protection
    against the RCE and information leak attacks.

Restart Bitbucket after adding the following line to the bottom of the file
$BITBUCKET_HOME/shared/search/jvm.options

- -Dlog4j2.formatMsgNoLookups=true

Unused log4j-core present in some Bitbucket versions

Bitbucket versions 7.12 to 7.19 included an unused log4j-core component. While
this does not present a risk, as Bitbucket uses Logback rather than Log4j for
logging, an update has been provided to remove the Log4j component for the
avoidance of doubt.

All Other Self-Managed Products

No other Atlassian self-managed products are vulnerable to CVE-2021-44228.
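The script below is an added example for the Bitbucket Server & Data Center section above; it is not part of the Atlassian advisory or the AusCERT bulletin. It encodes the "Vulnerability Criteria" for the bundled Elasticsearch row as a version check, using the advisory's fixed versions (6.10.16, 7.6.12, 7.14.2, 7.15.3, 7.16.3, 7.17.4, 7.18.3, 7.19.1) as the boundaries, and performs the "Bundled Version - Manual Mitigation" step idempotently, so running it twice does not duplicate the flag in jvm.options. The function names, the constructed sample version list and the temporary file used in place of $BITBUCKET_HOME/shared/search/jvm.options are assumptions of the example; minor versions the advisory does not name (7.20 and later) are treated as released after 15 Dec 2021 and therefore not affected, which is this example's reading of the advisory's qualifier.

```shell
#!/bin/sh
# Added example (not Atlassian's or AusCERT's code): encode the advisory's
# "bundled Elasticsearch" criteria as a version check, and apply the manual
# jvm.options mitigation without duplicating the line.

# Split "MAJOR.MINOR[.PATCH]" into three integers on stdout.
split_version() {
    case "$1" in
        *.*.*) printf '%s\n' "$1" | awk -F. '{ print $1, $2, $3 }' ;;
        *.*)   printf '%s\n' "$1" | awk -F. '{ print $1, $2, 0 }' ;;
        *)     printf '%s 0 0\n' "$1" ;;
    esac
}

# Return 0 if the given Bitbucket version falls in the advisory's vulnerable
# ranges for the bundled Elasticsearch, 1 otherwise. Boundaries are the
# advisory's fixed versions; minors it does not list (7.20 and later) are
# assumed released after 15 Dec 2021 and so not affected.
bitbucket_bundled_es_vulnerable() {
    set -- $(split_version "$1")
    major=$1; minor=$2; patch=$3
    if [ "$major" -lt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ]; then
        # all versions < 6.10.16
        if [ "$minor" -lt 10 ]; then return 0; fi
        if [ "$minor" -eq 10 ] && [ "$patch" -lt 16 ]; then return 0; fi
        return 1
    fi
    if [ "$major" -ne 7 ]; then return 1; fi
    case "$minor" in
        0|1|2|3|4|5)       return 0 ;;                          # 7.x < 7.6.12
        6)                 return $((patch < 12 ? 0 : 1)) ;;
        7|8|9|10|11|12|13) return 0 ;;                          # >= 7.7.0 and < 7.14.2
        14)                return $((patch < 2 ? 0 : 1)) ;;
        15|16)             return $((patch < 3 ? 0 : 1)) ;;     # 7.15.3 / 7.16.3
        17)                return $((patch < 4 ? 0 : 1)) ;;
        18)                return $((patch < 3 ? 0 : 1)) ;;
        19)                return $((patch < 1 ? 0 : 1)) ;;     # fixed in 7.19.1
        *)                 return 1 ;;
    esac
}

# Append "-Dlog4j2.formatMsgNoLookups=true" to a jvm.options file unless an
# identical line is already present. Prints "added" or "present". The
# advisory's file is $BITBUCKET_HOME/shared/search/jvm.options, and Bitbucket
# must be restarted afterwards for the flag to take effect.
ensure_no_lookups_flag() {
    f="$1"
    if [ -f "$f" ] && grep -qxF -- '-Dlog4j2.formatMsgNoLookups=true' "$f"; then
        echo present
        return 0
    fi
    printf '%s\n' '-Dlog4j2.formatMsgNoLookups=true' >> "$f"
    echo added
}

# Demo over constructed sample versions (not taken from any installation).
for v in 6.10.15 6.10.16 7.6.11 7.6.12 7.13.0 7.19.0 7.19.1 7.21.0; do
    if bitbucket_bundled_es_vulnerable "$v"; then
        echo "Bitbucket $v: bundled Elasticsearch affected - upgrade or set the flag"
    else
        echo "Bitbucket $v: not in the bundled Elasticsearch vulnerable ranges"
    fi
done

# Demo of the mitigation on a temporary file standing in for jvm.options.
tmp=$(mktemp)
ensure_no_lookups_flag "$tmp"   # added
ensure_no_lookups_flag "$tmp"   # present
rm -f "$tmp"
```

To use it against a real installation, call ensure_no_lookups_flag with "$BITBUCKET_HOME/shared/search/jvm.options" and then restart Bitbucket as the advisory instructs; the exact-line match means a flag that was set with different spacing or through another mechanism will not be recognised, so inspect the file if "added" is reported unexpectedly.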
Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17,
which is not vulnerable to CVE-2021-44228. We have done additional analysis on
this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that
can only be exploited by a trusted party. For that reason, Atlassian rates the
severity level for all other self-managed products as low.

Specifically, Atlassian products that use Log4j 1.x are only affected if all of
the following non-default configurations are in place:

  o The JMS Appender is configured in the application's Log4j configuration
  o The javax.jms API is included in the application's CLASSPATH
  o The JMS Appender has been configured with a JNDI lookup to a third party.
    Note: this can only be done by a trusted user modifying the application's
    configuration, or by trusted code setting a property at runtime

The following products use the Atlassian-maintained fork of Log4j 1.2.17:

  o Bamboo Server and Data Center (including Bamboo Agents)
  o Confluence Server and Data Center
  o Crowd Server and Data Center
  o Fisheye / Crucible
  o Jira Service Management Server and Data Center
  o Jira Software Server and Data Center (including Jira Core)

Impact on Apps from Atlassian Marketplace

CLOUD APPS

The tools Atlassian shares with partners to develop apps, such as Connect and
Forge, are not vulnerable to CVE-2021-44228. Additionally, there are no cloud
apps developed by Atlassian that are vulnerable.

Atlassian continues to actively scan third-party cloud apps on our marketplace
to determine if they are vulnerable. So far, we have identified a handful of
apps that are vulnerable. We will run more scans and checks over the next few
days to continuously monitor the situation and to ensure that there are no gaps
in our review.

Given the severity of this situation, each vulnerable app must promptly address
the issue as soon as it's discovered. Atlassian will pause apps that do not
address the issue, and inform customers who have vulnerable apps installed.

DATA CENTER AND SERVER APPS

Atlassian confirmed that no Atlassian-developed apps are vulnerable to
CVE-2021-44228. Additionally, Atlassian scanned 3rd party apps in our
Marketplace to determine if they were vulnerable to CVE-2021-44228. A few
third-party apps were found to be vulnerable and in most cases, these
vulnerabilities have been addressed. There were two cases in which app vendors
did not address the vulnerability within the expedited deadline provided. Users
of these apps have been informed and the apps have been hidden from the
Atlassian Marketplace.

Note: Apps that are not listed on the Atlassian Marketplace (apps installed from
other 3rd party sites, for example) are not actively scanned or reviewed by
Atlassian. Reach out to the vendor directly if you have concerns about the
security of those apps.

References

  o Apache Log4j Security Vulnerabilities
  o CVE-2021-44228
  o Elastic security advisory ESA-2021-31
  o BSERV-13087
  o BSERV-13088

Support

If you have questions or concerns regarding this advisory, check our Frequently
asked questions for CVE-2021-44228, or raise a support request at
https://support.atlassian.com/.

Last modified on Mar 2, 2022

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYiAwTONLKJtyKPYoAQgOtA//cISek/KAYW7gF6YlEVBjfMMd6sF09Ox6
/cfw0k+oswPj3PuPY51+s0ySrCklY/cNkgwcybm4MPml4dYYm4+C7rRIRja2HWcZ
EePbovximG5aMlwY7vSaUhqvbuUiJcYS9g2t7/mXAuKGbyUY88s8HN2bm+jJJag0
EGcFCjXjDr04nS6ScMQrv/95bctIZM5v92Moo7lfsOamM/S1s/oVehWZNfuPgNrF
nn1xLe4EldlAm1tVYWsf7Lw54SyZqyQ9U0ZYgj8r5IjxahnI4ZsT9DaBZFxFVLq/
WS0z4AWbavQoZabSZ3yVRvdXlXozzFHevxFjIxvcaNBNyEeO5AKIEMVLLNiIEEW+
xXmUyjfdtM01AN5dRT5uFKQg3We9x5/7qUtg1EGJ8iJ+gB58sDue/jELSWTZUoiL
99c+572X8XpHGmVI6LKlKcqwjCO3ApcEwGg6/NC9N1lCiTD9ACzL3rKZB/3LnI6q
qI4KknH5J/RpzHMQImbs/UDnT9mammNGgYGbbgLrSxqU2mXG7tnNpu92rIVEH6Tn
86PPSmj/lz/opauggqKtdE/ALhK8MXkEY5Z16Z9YDsyzApUTOtxh+6jkAXxb48js
HhU0PRnMWxrARB+1Ct1+4SghTc4wZb/kzudO+Qy19Hd3bTNndeLiOAxaWw8wC+h0
JAe30g1Txz0=
=kBh5
-----END PGP SIGNATURE-----