Bitrise’s response to Log4j vulnerability (CVE-2021-44228)

This post is intended to provide you with updates on the Log4j vulnerability (CVE-2021-44228) and its impact on Bitrise and its customers. Executive summary: Bitrise customers are not affected, but please check any 3rd party steps/code.

A critical remote code execution vulnerability, widely known as Log4Shell, was found in Apache Log4j 2, the open-source Java logging library (more details: CVE-2021-44228). An attacker who can get a crafted string beginning with ${jndi: into any message a vulnerable version (2.0-beta9 through 2.14.1) logs can make the library fetch and execute remote code. The name LogJam is also sometimes used for this issue, although it properly refers to an unrelated 2015 TLS weakness.

What does it mean for Bitrise customers?

After learning of this vulnerability, we immediately began an investigation. A thorough review found only a single instance of Log4j in use, which was resolved by patching the affected system. Further investigation of telemetry and monitoring turned up no signs of successful exploitation before the patch was deployed. Based on our investigation and this mitigation, we believe Bitrise is currently not affected by the Log4j vulnerability, and that no customer was impacted through use of our code base.

3rd-party and custom steps

Even though the official Bitrise Steps do not use Log4j and are therefore not affected, Bitrise has no control over third-party steps or over the custom code developers run during builds (for example inside the Bitrise Script step). We recommend that customers confirm any exposure to this vulnerability with the third-party step developers they depend on and with the internal developers responsible for custom code. Java-based tooling pulled in during a build (Gradle or Maven plugins, test runners, code generators) is the most likely place to find a log4j-core jar, so checking the project's dependency tree (for example with ./gradlew dependencies) and the build machine's Gradle and Maven caches is a reasonable first step.
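As an added example, not Bitrise's own code or part of the original post, the script below is the kind of check a Script step could run: it walks a directory tree (the checkout, ~/.gradle/caches, ~/.m2) for log4j-core jars, classifies each version against CVE-2021-44228 and its follow-up fixes, and returns a status the build can fail on. It assumes the jars carry the Maven file name log4j-core-<version>.jar and belong to the Java 8+ release line (the 2.3.x and 2.12.x backports for Java 6/7 are not modelled), and it treats the fixture directory it builds from empty, constructed files as a stand-in for a real build machine. BITRISE_SOURCE_DIR is the environment variable Bitrise sets to the checkout path.

```shell
#!/bin/sh
# Added example (not Bitrise's own code): find log4j-core jars and classify
# their versions against CVE-2021-44228. Assumes Maven-style file names
# log4j-core-<version>.jar on the Java 8+ release line.

# ver_part VERSION N: N-th dotted component of VERSION, with any
# "-beta9"-style suffix dropped first; missing or non-numeric parts are 0.
ver_part() {
    v="${1%%-*}.0.0"
    p=$(printf '%s\n' "$v" | cut -d. -f"$2")
    case $p in ''|*[!0-9]*) p=0 ;; esac
    printf '%s\n' "$p"
}

# ver_lt A B: exit 0 when version A sorts strictly before version B.
ver_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(ver_part "$1" "$i"); b=$(ver_part "$2" "$i")
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal
}

# classify_log4j_version VERSION prints one of:
#   vulnerable  2.x below 2.15.0: open to CVE-2021-44228 (JNDI lookup RCE)
#   update      2.15.0 to 2.17.0: the original RCE is closed, but later
#               CVEs (2021-45046, 2021-45105, 2021-44832) still apply
#   ok          2.17.1 or newer
#   other       not a Log4j 2 version string
classify_log4j_version() {
    [ "$(ver_part "$1" 1)" = 2 ] || { echo other; return 0; }
    if ver_lt "$1" 2.15.0; then echo vulnerable
    elif ver_lt "$1" 2.17.1; then echo update
    else echo ok
    fi
}

# scan_log4j_jars DIR: one "<status> <path>" line per log4j-core jar found.
scan_log4j_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
        ver=$(basename "$jar"); ver=${ver#log4j-core-}; ver=${ver%.jar}
        printf '%s %s\n' "$(classify_log4j_version "$ver")" "$jar"
    done
}

# has_vulnerable_log4j DIR: exit 0 if any jar under DIR is still vulnerable.
has_vulnerable_log4j() {
    scan_log4j_jars "$1" | grep -q '^vulnerable '
}

# demo_fixture: constructed sample tree with two empty, fake jar files so
# the script can be exercised offline; prints the temp directory path.
demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/lib" "$d/vendor/some step"
    : > "$d/lib/log4j-core-2.14.1.jar"
    : > "$d/vendor/some step/log4j-core-2.17.1.jar"
    printf '%s\n' "$d"
}

# Stand-alone run over the constructed fixture. Inside a Bitrise Script step
# you would scan the real checkout instead:
#   if has_vulnerable_log4j "$BITRISE_SOURCE_DIR"; then exit 1; fi
fixture=$(demo_fixture)
scan_log4j_jars "$fixture"
if has_vulnerable_log4j "$fixture"; then
    echo "vulnerable log4j-core found; a Script step would exit 1 here"
fi
rm -rf "$fixture"
```

The file-name check is deliberately cheap: it catches jars in the checkout and in the Gradle/Maven caches without needing zip tooling, but it will miss Log4j bundled inside fat jars, so treat a clean result as a first pass rather than a proof of absence.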

In the workflow editor, official Bitrise Steps are highlighted with the “B” icon:

In case you have any questions or concerns, we're here to help.
