By now, you’re probably assessing your level of exposure — or are in the middle of remediating — the recently disclosed vulnerability known as Log4Shell.
We recently introduced a native integration with Snyk, a leading provider of developer security solutions, to help you address zero-day vulnerabilities. Once enabled, Snyk scans your code and its dependencies and alerts you about security vulnerabilities, including Log4j.
All current versions of Log4j 2 up to 2.14.1 are vulnerable. You can remediate this vulnerability by updating to version 2.16.0 or later.
This new vulnerability was found in the open-source Java library org.apache.logging.log4j:log4j-core which is a component of one of the most popular Java logging frameworks, Log4J. It was assigned CVE-2021-44228, categorized as Critical with a CVSS score of 10, and with a mature exploit level as there has been clear evidence of it being exploited in the wild.
If you need help on how to use the Snyk integration in Bitbucket Cloud, check out this short video or this blog post to learn more.
Note: The Snyk integration should be enabled by your Bitbucket administrator. Once enabled, other users will be able to access the integration via the security tab in the repo screen.