Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.0.12, 8.1.11, 8.2.7
Affects Version/s: 8.2.6, 8.1.10, 8.0.11
Component/s: Security, Tomcat tasks, Upgrading
Labels:
None

Support reference count:
4
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

This is reproducible in Data Center:

On Bamboo 8, Apache Tomcat should be upgraded to version 8.5.83 or later to mitigate CVE-2022-42252

Environment

Bamboo 8.0, 8.1, 8.2

Steps to Reproduce

Check Tomcat version on pom.xml or <bamboo-install>/bin/version.sh/bat

Expected Results

apache-tomcat 8.5.83+ is expected

Actual Results

apache-tomcat 8.5.82 or earlier is in use

Workaround

As stated in the CVE-2022-42252 announcement, either:

Ensure rejectIllegalHeader is set to true on <bamboo-install>/conf/server.xml
or
At your own risk, you can manually upgrade Tomcat as instructed on this KB:
- How to upgrade Apache Tomcat version used by Bamboo

WARNING: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Bamboo running over unofficial Tomcat versions.

Note

Bamboo version 9 is NOT VULNERABLE to the issue as rejectIllegalHeader is set to true by default.

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...

Activity

People

Assignee:: Marcin Gardias

Reporter:: Eduardo Alvarenga

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 21/Nov/2022 11:08 AM

Updated:: 19/Jan/2023 5:36 AM

Resolved:: 19/Jan/2023 5:36 AM