Bitrise’s response to Log4j vulnerability (CVE-2021-44228)

This post is intended to provide you with updates on the Log4j vulnerability (CVE-2021-44228) and its impact on Bitrise and its customers. Executive summary: Bitrise customers are not affected, but please check any 3rd party steps/code.


A critical vulnerability - also known as Log4Shell or LogJam - was found in Apache Log4j, an open-source Java library (more details: CVE-2021-44228).

What does it mean for Bitrise customers?

After learning of this vulnerability, we immediately commenced an investigation. Upon a thorough review, we found only a single instance of the use of Log4j, which was resolved through a patch to the affected system. Further investigation of telemetry and monitoring turned up no signs of successful exploitation before the patch was deployed. Based on our investigation and this mitigation, we believe Bitrise is currently not affected by the Log4j vulnerability, and no customer was impacted through its use of our code base.

3rd-party and custom steps

Even though the official Bitrise Steps do not use Log4j and therefore are not affected, Bitrise has no control over the 3rd-party steps and the custom code developers might utilise during builds (e.g. within the Bitrise script step). We recommend that customers reach out to the applicable third-party step developers and the internal developers responsible for custom code, and confirm any exposure to this vulnerability.

In the workflow editor, official Bitrise Steps are highlighted with the “B” icon.

In case you have any questions or concerns, we're here to help.
