Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 9.3.1, 9.2.4
Affects Version/s: 9.0.2, 9.3.0, 9.1.1, 9.2.1, 9.1.2, 8.2.8, 9.0.3, 8.1.12, 9.2.3, 9.1.3, 9.0.4, 8.2.9
Component/s: Bamboo Release, Infrastructure, Security
Labels:

Support reference count:
7
Symptom Severity:
Severity 2 - Major
UIS:
5
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue summary

Apache Tomcat should be upgraded to 8.5.88 and 9.0.74 or a later version to fix CVE-2023-28709

Environment

Bamboo 8, 9

Steps to Reproduce

Check the Apache Tomcat version on pom.xml or <bamboo-install>/bin/version.sh/bat

Expected Results

Bamboo 8.x: apache-tomcat 8.5.88 and later
Bamboo 9.x: apache-tomcat 9.0.74 and later

Actual Results

Bamboo 8.x: apache-tomcat 8.5.87 and earlier
Bamboo 9.x: apache-tomcat-9.0.73 and earlier

Workaround

At your own risk, you can manually upgrade Tomcat as instructed on this KB:

How to upgrade Apache Tomcat version used by Bamboo

WARNING: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Bamboo running over unofficial Tomcat versions.

is superseded by

BAM-22330 Upgrade Tomcat to fix CVE-2023-34981

Closed

resolves

BAM-22479 Third-Party Dependency in Bamboo Data Center and Server

Published

is action for: VULN-1098765 Loading...

mentioned in: Page Loading...; Page Loading...; Page Loading...

(1 mentioned in)

Assignee:: Krzysztof Podsiadło

Reporter:: Eduardo Alvarenga

Votes:: 2 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 06/Jun/2023 2:52 AM

Updated:: 14/Mar/2024 2:40 PM

Resolved:: 26/Jul/2023 9:23 AM

Details

Description

Issue summary

Environment

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

People

Dates