Identify your Atlassian product and path to log4j.properties file
Open file and search for these strings in the log4j.properties
If you find results, EDIT
Comment out or delete strings (a) and (b)
Save changes and restart service
Directory overview by product:
Jira Server & Data Center
Confluence Server & Data Center
Bamboo Server & Data Center
Fisheye / Crucible
Crowd Server & Data Center
Open and Search log4j.properties
Change into the default installation directory of your specific product (table above) and search the file for the following lines:
If you found any line with
JMSAppender while inspecting either
log4j.xml, please backup the files (for safety purposes) and comment out any lines which indicate the use of JMSAppender or delete them (this might differ on your system):
# log4j.appender.jms=org.apache.log4j.net.JMSAppender [...]
Save the file
To propagate the changes it is necessary to restart the application
Question: I see Bitbucket Server/Data Center isn't in the list of products using Log4j but I can see Log4j JAR files in my installation directory, is my instance vulnerable?
Answer: No. Neither Bitbucket Server nor Data Center use Log4j, they use Logback.
Nevertheless, Bitbucket might under certain circumstances be affected as Bitbucket is bundled with Elasticsearch.
As we don’t have enough information yet – as a precaution – you might want to consider deactivating Elasticsearch in Bitbucket until more information is available
Keep in mind, this will disable the search feature in Bitbucket.