
How to Check log4j.properties Configuration

TL;DR

  1. Identify your Atlassian product and the path to its log4j.properties file

  2. Open the file and search it for these strings:

    • (a) org.apache.log4j.net.JMSAppender

    • (b) JMSAppender

  3. If you find results, edit the file:

    • Backup log4j.properties

    • Comment out or delete the lines containing strings (a) and (b)

    • Save changes and restart service

Identify Product

Directory overview by product:

| Product | Default Path |
| --- | --- |
| Jira Server & Data Center | <install-directory>/atlassian-jira/WEB-INF/classes/log4j.properties |
| Confluence Server & Data Center | <install-directory>/confluence/WEB-INF/classes/log4j.properties |
| Bamboo Server & Data Center | <install-directory>/atlassian-bamboo/WEB-INF/classes/log4j.properties |
| Fisheye / Crucible | <install-directory>/log4j.xml |
| Crowd Server & Data Center | <install-directory>/crowd-webapp/WEB-INF/classes/log4j.properties |
| | <install-directory>/crowd-openidclient-webapp/WEB-INF/classes/log4j.properties |
| | <install-directory>/crowd-openidserver-webapp/WEB-INF/classes/log4j.properties |

Open and Search log4j.properties

Change into the default installation directory of your specific product (table above) and search the file for the following lines:

org.apache.log4j.net.JMSAppender

or

JMSAppender

EDIT log4j.properties

If you found any line containing JMSAppender while inspecting either log4j.properties or log4j.xml, back up the files (for safety purposes), then comment out or delete every line that indicates the use of JMSAppender (the exact lines might differ on your system):

# log4j.appender.jms=org.apache.log4j.net.JMSAppender
[...]

  • Save the file

  • To propagate the changes it is necessary to restart the application
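
The search, backup and comment-out steps above can be scripted for a log4j.properties file; the following is an added example, not Atlassian's code. It goes slightly beyond the page by also listing lines that still refer to the disabled appender's name, and it assumes `key=value` syntax with `#` or `!` comment lines; the function names and the `.bak.<timestamp>` suffix are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example, not Atlassian's code. Assumes key=value lines and that
# comment lines start with '#' or '!' (log4j 1.x .properties syntax).

# Active (uncommented) lines that mention JMSAppender, as "lineno:text".
active_jms_lines() {
  awk '!/^[ \t]*[#!]/ && /JMSAppender/ { print NR ":" $0 }' "$1"
}

# Names of appenders whose class is JMSAppender ("jms" in log4j.appender.jms=...).
jms_appender_names() {
  awk -F= '!/^[ \t]*[#!]/ && $2 ~ /JMSAppender/ {
    key = $1; gsub(/[ \t]/, "", key)
    if (sub(/^log4j\.appender\./, "", key)) print key
  }' "$1"
}

# Active lines that still refer to appender $2: its own properties, or a
# logger list naming it. These need review once the appender is disabled.
leftover_refs() {
  awk -F= -v n="$2" '/^[ \t]*[#!]/ { next }
    index($1, "log4j.appender." n ".") ||
    $2 ~ ("(^|[, \t])" n "([, \t]|$)") { print NR ":" $0 }' "$1"
}

# Back up the file, then comment out every active JMSAppender line.
# Returns 1 when there is nothing to change, 2 when the backup fails.
disable_jms() {
  local file="$1" backup
  [ -n "$(active_jms_lines "$file")" ] || return 1
  backup="$file.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$file" "$backup" || return 2
  # Rewrite in place from the backup so owner and mode of the file are kept.
  awk '!/^[ \t]*[#!]/ && /JMSAppender/ { print "# " $0; next } { print }' \
    "$backup" > "$file"
}

# Report only: ./check_jms.sh <path-to-log4j.properties>
if [ -f "${1:-}" ]; then
  active_jms_lines "$1"
  for name in $(jms_appender_names "$1"); do leftover_refs "$1" "$name"; done
fi
```

Collect the appender names with `jms_appender_names` before calling `disable_jms`, because the class line is commented out afterwards and no longer reports a name.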

Missing Bitbucket?

Question: I see Bitbucket Server/Data Center isn't in the list of products using Log4j but I can see Log4j JAR files in my installation directory, is my instance vulnerable?

Answer: No. Neither Bitbucket Server nor Data Center uses Log4j; they use Logback.

Nevertheless, Bitbucket might under certain circumstances be affected as Bitbucket is bundled with Elasticsearch.

As we don't have enough information yet, you might want to consider deactivating Elasticsearch in Bitbucket as a precaution until more information is available.

Keep in mind, this will disable the search feature in Bitbucket.
