How to Check log4j.properties Configuration
TL;DR
Identify your Atlassian product and path to log4j.properties file
Open the file and search log4j.properties for these strings:
(a) org.apache.log4j.net.JMSAppender
(b) JMSAppender
If you find results, edit the file:
Back up log4j.properties
Comment out or delete the lines containing strings (a) and (b)
Save the changes and restart the service
Identify Product
Directory overview by product:
Product | Default Path |
---|---|
Jira Server & Data Center | <install-directory>/atlassian-jira/WEB-INF/classes/log4j.properties |
Confluence Server & Data Center | <install-directory>/confluence/WEB-INF/classes/log4j.properties |
Bamboo Server & Data Center | <install-directory>/atlassian-bamboo/WEB-INF/classes/log4j.properties |
Fisheye / Crucible | <install-directory>/log4j.xml |
Crowd Server & Data Center | <install-directory>/crowd-webapp/WEB-INF/classes/log4j.properties |
Open and Search log4j.properties
Change into the default installation directory of your specific product (table above) and search the file for the following lines:
org.apache.log4j.net.JMSAppender
or
JMSAppender
EDIT log4j.properties
If you found any line with JMSAppender while inspecting either log4j.properties or log4j.xml, please back up the files (for safety purposes) and comment out or delete any lines which indicate the use of JMSAppender (this might differ on your system):
# log4j.appender.jms=org.apache.log4j.net.JMSAppender
[...]
Save the file.
To propagate the changes, it is necessary to restart the application.
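The check-and-edit steps above as POSIX shell functions, added here as an example and not Atlassian's own tooling. It covers log4j.properties only (Fisheye / Crucible's log4j.xml needs XML comment syntax instead); the function names, the `.bak.<timestamp>` backup naming and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Atlassian's script): find and comment out active
# JMSAppender lines in a log4j.properties file, keeping a backup.

# Print "lineno:text" for each line that mentions JMSAppender and is not
# already a comment ('#' or '!' starts a comment in .properties files).
# Exit status 0 means at least one active line was found.
active_jms_lines() {
    grep -n 'JMSAppender' "$1" | grep -v -E '^[0-9]+:[[:space:]]*[#!]'
}

# Copy the file to <file>.bak.<timestamp>, then prefix every active
# JMSAppender line with "# ". Prints the backup path.
# Returns 1 when nothing needs changing, 2 when the backup failed.
disable_jms() {
    file=$1
    active_jms_lines "$file" >/dev/null || return 1
    backup="$file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 2
    sed -E '/^[[:space:]]*[#!]/!s/^.*JMSAppender.*$/# &/' "$backup" >"$file"
    echo "$backup"
}

# Constructed sample, not taken from a real installation.
demo() {
    dir=$(mktemp -d)
    cat >"$dir/log4j.properties" <<'EOF'
log4j.rootLogger=WARN, console
# log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
EOF
    echo "active before:"; active_jms_lines "$dir/log4j.properties"
    echo "backup: $(disable_jms "$dir/log4j.properties")"
    echo "active after: $(active_jms_lines "$dir/log4j.properties" | wc -l)"
    rm -rf "$dir"
}
demo
```

Only lines containing the string JMSAppender are touched; any follow-on `log4j.appender.<name>.*` settings for the same appender (the `[...]` in the snippet above) do not contain it and still need a manual review.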
Missing Bitbucket?
Question: I see Bitbucket Server/Data Center isn't in the list of products using Log4j but I can see Log4j JAR files in my installation directory, is my instance vulnerable?
Answer: No. Neither Bitbucket Server nor Data Center uses Log4j; they use Logback.
Nevertheless, Bitbucket might under certain circumstances be affected, as Bitbucket is bundled with Elasticsearch.
As we don’t have enough information yet, you might want to consider, as a precaution, deactivating Elasticsearch in Bitbucket until more information is available.
Keep in mind that this will disable the search feature in Bitbucket.