This post is intended to provide you with updates on the Log4j vulnerability (CVE-2021-44228) and its impact on Bitrise and its customers. Executive summary: Bitrise customers are not affected, but please check any third-party steps and custom code you use.
A critical vulnerability, also known as Log4Shell or LogJam, was found in Apache Log4j, an open-source Java logging library (more details: CVE-2021-44228).
What does it mean for Bitrise customers?
After learning of this vulnerability, we immediately commenced an investigation. Upon a thorough review, we found only a single instance of Log4j in use, which was resolved through a patch to the affected system. Further investigation of telemetry and monitoring turned up no signs of successful exploitation before the patch was deployed. Based on our investigation and this mitigation, we believe Bitrise is currently not affected by the Log4j vulnerability, and that no customer was impacted through use of our code base.
3rd-party and custom steps
Even though the official Bitrise Steps do not use Log4j and therefore are not affected, Bitrise has no control over third-party steps or the custom code developers might utilise during builds (e.g. within the Bitrise script step). We recommend that customers contact the developers of any third-party steps they use, and the internal developers responsible for custom code, to confirm whether that code is exposed to this vulnerability.
In the workflow editor, official Bitrise Steps are highlighted with the “B” icon:
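As an added example (not part of the original post and not a Bitrise tool), the script below walks a bitrise.yml and lists every step that does not come from the official step library, plus official script steps, since their content input is the customer's own code; it assumes the standard step reference forms (bare id, `git::`, `path::`, `<library-url>::id@version`, and a top-level `default_step_lib_source` override) and uses a constructed sample file.

```python
import re
OFFICIAL_STEPLIB = "https://github.com/bitrise-io/bitrise-steplib.git"  # Bitrise's default library

def classify_step(ref, default_src=OFFICIAL_STEPLIB):
    """Return (category, step_id); '<lib-url>::id@ver' names a library, a bare id uses the default."""
    if ref.startswith("git::"):        # step cloned straight from a git repository
        return "third-party (git)", ref[5:]
    if ref.startswith("path::"):       # step kept inside the app's own repository
        return "custom (local path)", ref[6:]
    src, step_id = ref.rsplit("::", 1) if "::" in ref else (default_src, ref)
    if src != OFFICIAL_STEPLIB:
        return "third-party (custom steplib)", step_id
    if step_id.split("@")[0] == "script":  # official step, but its content input is your code
        return "official script step (custom code in inputs)", step_id
    return "official", step_id

def audit_bitrise_yml(text):
    """Line-based walk of bitrise.yml (no YAML library needed); lists steps a customer should review."""
    default_src, steps_indent, findings = OFFICIAL_STEPLIB, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent, is_item = len(line) - len(line.lstrip(" ")), stripped.startswith("- ")
        if stripped.startswith("default_step_lib_source:"):
            default_src = stripped.split(":", 1)[1].strip()
        elif stripped == "steps:":
            steps_indent = indent
        elif steps_indent is not None and not is_item and indent <= steps_indent:
            steps_indent = None            # left this workflow's step list
        elif steps_indent is not None and is_item and indent <= steps_indent + 2:
            m = re.match(r"^\s*-\s+(\S+?):?(\s*\{\s*\})?\s*$", line)  # "- ref:" or "- ref: {}"
            if m:                          # deeper list items are step inputs, not steps
                category, step_id = classify_step(m.group(1), default_src)
                if category != "official":
                    findings.append((step_id, category))
    return findings
# Constructed sample bitrise.yml for demonstration (not a real customer file).
SAMPLE = """\
workflows:
  primary:
    steps:
    - git-clone@6: {}
    - script@1:
        inputs:
        - content: ./gradlew assembleDebug
    - git::https://github.com/example-org/bitrise-step-scan.git@main: {}
    - https://github.com/example-org/private-steplib.git::internal-report@1: {}
    - path::./steps/upload-artifacts: {}
"""
```

Running `audit_bitrise_yml(SAMPLE)` returns the script step and the three non-official steps, which is the list to take to the respective step developers; the official git-clone step is filtered out.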
In case you have any questions or concerns, we're here to help.