By now, you’re probably assessing your level of exposure — or are in the middle of remediating — the recently disclosed vulnerability known as Log4Shell.
We recently introduced a native integration with Snyk, a leading provider of developer security solutions, to help you address zero-day vulnerabilities. Once enabled, Snyk scans your code and its dependencies and alerts you about security vulnerabilities, including Log4j.
All current versions of Log4j 2 up to 2.14.1 are vulnerable. You can remediate this vulnerability by updating to version 2.16.0 or later.
This new vulnerability was found in the open-source Java library org.apache.logging.log4j:log4j-core which is a component of one of the most popular Java logging frameworks, Log4J. It was assigned CVE-2021-44228, categorized as Critical with a CVSS score of 10, and with a mature exploit level as there has been clear evidence of it being exploited in the wild.
Note: The Snyk integration should be enabled by your Bitbucket administrator. Once enabled, other users will be able to access the integration via the security tab in the repo screen.