h3. Issue Summary
In the wake of Log4Shell, CVE-2021-42550 has been created for similar JNDI considerations in Logback. The Logback maintainers have removed some functionality from Logback in response and released Logback 1.2.9.
Please note: There is no RCE in Logback, and there is no vulnerability in Bitbucket Server or Logback’s default configurations. There is also no mechanism whereby a malicious client can attack the system. Exercising CVE-2021-42550 requires write access to Bitbucket Server’s Logback configuration.
h3. Workaround
Manually audit logging configuration and ensure proper permissions.
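The audit described above can be scripted. The following is an added example, not Atlassian's or Logback's own tooling: it parses a Logback XML configuration for Logback's documented JNDI hooks (the `insertFromJNDI` element and any component whose `class` attribute names a JNDI class such as `ch.qos.logback.core.db.JNDIConnectionSource`) and flags group- or world-writable mode bits on the file; the config path passed to `audit()` is assumed, and the embedded sample config is constructed for illustration.

```python
"""Audit a Logback XML config for JNDI-backed constructs and loose file modes."""
import os
import stat
import xml.etree.ElementTree as ET

# Logback's documented JNDI hooks: the <insertFromJNDI> element and any
# component whose class name references JNDI (e.g. JNDIConnectionSource).
JNDI_ELEMENT = "insertFromJNDI"
JNDI_CLASS_MARKER = "JNDI"


def jndi_findings(xml_text: str) -> list[str]:
    """Describe every JNDI-related construct found in the configuration."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]  # drop any namespace prefix
        if tag == JNDI_ELEMENT:
            findings.append(f"<{tag}> env-entry-name={elem.get('env-entry-name')!r}")
        cls = elem.get("class", "")
        if JNDI_CLASS_MARKER in cls:
            findings.append(f"<{tag}> class={cls!r}")
    return findings


def loose_mode_bits(mode: int) -> list[str]:
    """Name the write bits that would let non-owners edit the config."""
    loose = []
    if mode & stat.S_IWGRP:
        loose.append("group-writable")
    if mode & stat.S_IWOTH:
        loose.append("world-writable")
    return loose


def audit(path: str) -> dict:
    """Run both checks on the config file at `path` (path is an assumption)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {"jndi": jndi_findings(text),
            "permissions": loose_mode_bits(os.stat(path).st_mode)}


# Constructed sample, not a real Bitbucket config; trips both JNDI checks.
SAMPLE_CONFIG = """<configuration>
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <appender name="DB" class="ch.qos.logback.classic.db.DBAppender">
    <connectionSource class="ch.qos.logback.core.db.JNDIConnectionSource"/>
  </appender>
  <root level="INFO"/>
</configuration>"""

if __name__ == "__main__":
    for line in jndi_findings(SAMPLE_CONFIG):
        print("JNDI:", line)
```

Any non-empty `jndi` list on a Bitbucket Server instance that never intentionally configured JNDI lookups, or any entry in `permissions`, is worth investigating.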
| CPE | Name | Operator | Version |
|---|---|---|---|
| | bitbucket server | le | 6.10.0 |
| | bitbucket server | lt | 7.19.2 |
| | bitbucket server | lt | 7.17.5 |
| | bitbucket server | lt | 6.10.17 |
| | bitbucket server | lt | 7.20.0 |
| | bitbucket server | lt | 7.6.13 |