Log4Shell CVE incorrectly reported for Bitbucket Server image

[errcode1202]

Description We (Atlassian) host our official Bitbucket Server Docker image on Docker Hub. As you will note each published tag is flagged with the message Log4Shell CVE detected in relation to CVE-2021-44228.

This issue was fully investigated and mitigated for Bitbucket through the fixes:

• Remove log4j-core and updating log4j-api
• Set formatMsgNoLookups to true

These fixes have been applied to Bitbucket versions; 7.14.2, 7.18.3, 7.17.4, 6.10.16, 7.15.3, 7.16.3, 7.19.1, 7.6.12 and likewise their Docker tag equivalents.

We are unsure why Docker Hub is reporting these tags as vulnerable? However we suspect its because Docker scanning is only checking for the presence of compromised jar's and is not able to understand mitigations that involve anything other than removing the offending jar's i.e. Set formatMsgNoLookups to true

As part of our dev pipeline we also run snyk test and snyk monitor against these images and these scans have not identified the Log4Shell vulnerability. So we wonder, if Docker scan is also using snyk, is it scanning things with additional settings?

Describe the results you expected: Can this be looked into please. We don't think things are being reported accurately for Bitbucket Server on Docker Hub. Particularly considering running snyk container test -d atlassian/bitbucket-server:7.20.0 locally does not report the presence of this vulnerability.

Additional info We have found running docker scan locally for this image(s) (Docker for Mac v4.4.2) results in the error Failed to get vulns i.e.

$ docker scan atlassian/bitbucket-server:7.20.0                
Analyzing container dependencies for atlassian/bitbucket-server:7.20.0                                                                                                                                                                                                                  
Querying vulnerabilities database...
Failed to get vulns

[mikeparker]

However we suspect its because Docker scanning is only checking for the presence of compromised jar's and is not able to understand mitigations that involve anything other than removing the offending jar's i.e. Set formatMsgNoLookups to true

Yes, this is correct.

So we wonder, if Docker scan is also using snyk, is it scanning things with additional settings?

Yes, we also scan with our own inhouse code based on open source code here github.com/aquasecurity/fanal/analyzer which checks for packages matching known vulnerable versions.

Reading the atlassian comment here https://jira.atlassian.com/browse/BSERV-13087?focusedCommentId=2938356&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-2938356 seems to suggest that log4j-core was not actually removed as it's bundled as part of ElasticSearch and that's still using a vulnerable versions although mitigated through other means.

Is it possible to upgrade ElasticSearch to a 7.16.2 as listed here? https://www.elastic.co/blog/new-elasticsearch-and-logstash-releases-upgrade-apache-log4j2

[errcode1202]

Hi @mikeparker,

Thanks for the response on this. Although a fix had been applied to effectively make the vulnrable jar's benign, Snyk obviously cannot recognise this. We've taken things a step further and upgraded the log4j jar's themselves. This has made things go green for the tags 👍🏽 .