TL;DR

  1. Identify your Atlassian product and the path to its log4j.properties file.

  2. Open the file and search it for these strings:

    • (a) org.apache.log4j.net.JMSAppender

    • (b) JMSAppender

  3. If you find results, edit the file:

    • Back up log4j.properties

    • Comment out or delete the lines containing (a) and (b)

    • Save your changes and restart the service

Identify Product

Directory Overview by Product

  Product                          Default Path
  -------------------------------  -------------------------------------------------------------------------
  Jira Server & Data Center        <install-directory>/atlassian-jira/WEB-INF/classes/log4j.properties
  Confluence Server & Data Center  <install-directory>/confluence/WEB-INF/classes/log4j.properties
  Bamboo Server & Data Center      <install-directory>/atlassian-bamboo/WEB-INF/classes/log4j.properties
  Fisheye / Crucible               <install-directory>/log4j.xml
  Crowd Server & Data Center       <install-directory>/crowd-webapp/WEB-INF/classes/log4j.properties
                                   <install-directory>/crowd-openidclient-webapp/WEB-INF/classes/log4j.properties
                                   <install-directory>/crowd-openidserver-webapp/WEB-INF/classes/log4j.properties

Open and Search log4j.properties

Change into the default installation directory of your product (see the table above) and search the configuration file for either of the following strings:

org.apache.log4j.net.JMSAppender

or

JMSAppender

EDIT log4j.properties

If you found any line containing JMSAppender while inspecting log4j.properties or log4j.xml, back up the file first, then comment out (or delete) every line that configures the JMSAppender. The exact lines differ between systems; a commented-out example looks like this:

# log4j.appender.jms=org.apache.log4j.net.JMSAppender
[...]

  • Save the file

  • Restart the application so the change takes effect
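The search and edit steps above can be scripted. The POSIX shell script below is an added example and is not part of the Atlassian article or of any Atlassian tooling. It counts uncommented lines that mention JMSAppender, extracts the names of appenders whose class is org.apache.log4j.net.JMSAppender, and in fix mode copies the file to a timestamped backup and prefixes every property line of those appenders (log4j.appender.NAME and log4j.appender.NAME.*) with "# ". The function names, the --fix flag and the backup naming are this example's own assumptions. It handles the properties format only: in log4j.xml (Fisheye / Crucible) the appender is a multi-line <appender> element and should be reviewed by hand.

```shell
#!/bin/sh
# Added example, not Atlassian code: check a log4j 1.x properties file for
# JMSAppender and comment its configuration out after taking a backup.
# Assumes POSIX sh with grep, sed, cp, mv and date. Function names and the
# --fix flag are this example's own conventions.

# Print how many uncommented lines mention JMSAppender (the article's search
# step; lines already commented out with '#' are not counted).
count_active_jmsappender() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'JMSAppender' || true
}

# Print the name of every appender whose class is JMSAppender, one per line,
# e.g. "log4j.appender.jms=org.apache.log4j.net.JMSAppender" yields "jms".
jms_appender_names() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/^[[:space:]]*log4j\.appender\.\([^.=[:space:]]*\)[[:space:]]*=[[:space:]]*org\.apache\.log4j\.net\.JMSAppender[[:space:]]*$/\1/p'
}

# Back up FILE to FILE.bak.<timestamp>, then prefix "# " on every property
# line of each JMSAppender appender: the class line (log4j.appender.NAME=...)
# and its settings (log4j.appender.NAME.*=...). Prints the backup path.
neutralize_jmsappender() {
    file="$1"
    names="$(jms_appender_names "$file")"
    if [ -z "$names" ]; then
        printf 'no active JMSAppender definition in %s\n' "$file" >&2
        return 2
    fi
    backup="${file}.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 1
    tmp="${file}.tmp.$$"
    cp -p "$backup" "$tmp" || return 1
    for name in $names; do
        # [[:space:].=] requires the name to be followed by '.', '=' or blank,
        # so "jms" does not also match an appender called "jmsx".
        sed "/^[[:space:]]*log4j\\.appender\\.${name}[[:space:].=]/s/^/# /" "$tmp" > "$tmp.new" \
            && mv "$tmp.new" "$tmp" || return 1
    done
    mv "$tmp" "$file" || return 1
    printf '%s\n' "$backup"
}

# Usage: sh jms_check.sh <log4j.properties>          report only
#        sh jms_check.sh <log4j.properties> --fix    back up and comment out
if [ "$#" -gt 0 ]; then
    n="$(count_active_jmsappender "$1")"
    printf 'uncommented JMSAppender references in %s: %s\n' "$1" "$n"
    jms_appender_names "$1" | sed 's/^/  appender: /'
    if [ "$n" -gt 0 ] && [ "${2:-}" = "--fix" ]; then
        b="$(neutralize_jmsappender "$1")" && printf 'backup written to %s\n' "$b"
    fi
fi
```

The appender name usually also appears in a log4j.rootLogger= or log4j.logger.* line. The script leaves those lines alone so that the other appenders on the same line keep working; log4j 1.x reports the missing appender as an error at startup and continues with the rest. Review those references as well, since, as noted above, the exact lines differ between systems, and restart the application afterwards.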

I see Bitbucket Server/Data Center isn't in the list of products using Log4j, but I can see Log4j JAR files in my installation directory. Is my instance vulnerable?

No. Neither Bitbucket Server nor Bitbucket Data Center uses Log4j; both use Logback.

Nevertheless, Bitbucket may be affected under certain circumstances because it is bundled with Elasticsearch. Our recommendation is to disable Elasticsearch for the time being, until official information is available.

Keep in mind: this will disable the search feature in Bitbucket.