Type: Bug
Resolution: Fixed
Priority: Medium
Affects versions: 8.1.12, 8.2.8, 8.2.9, 9.0.2, 9.0.3, 9.0.4, 9.1.1, 9.1.2, 9.1.3, 9.2.1, 9.2.3, 9.3.0
Severity 2 - Major
Issue summary
The Apache Tomcat bundled with Bamboo should be upgraded to 8.5.88 (Bamboo 8.x) or 9.0.74 (Bamboo 9.x), or a later version, to fix CVE-2023-28709. CVE-2023-28709 is a denial-of-service issue in Tomcat's request-parameter handling: the fix for CVE-2023-24998 was incomplete, so with non-default connector settings the limit on uploaded request parts could be bypassed.
Environment
- Bamboo 8, 9
Steps to Reproduce
- Check the bundled Apache Tomcat version in pom.xml, or run <bamboo-install>/bin/version.sh (version.bat on Windows) and read the "Server version" line of its output
Expected Results
- Bamboo 8.x: apache-tomcat 8.5.88 or later
- Bamboo 9.x: apache-tomcat 9.0.74 or later
Actual Results
- Bamboo 8.x: apache-tomcat 8.5.87 or earlier
- Bamboo 9.x: apache-tomcat 9.0.73 or earlier
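The check above can be scripted. The following is an added example, not part of this issue or of Atlassian's own tooling: it parses the "Server version" line that Tomcat's version.sh prints, compares the version numerically against the minimum patched release for the Bamboo major line in use, and reports whether the instance still needs the upgrade. The sample version.sh output is constructed here for the demonstration, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Bamboo issue or Atlassian tooling.
# Determine whether a Bamboo instance's bundled Tomcat already carries the
# fix for CVE-2023-28709, using the minimum versions stated in the issue.

# Compare two dotted numeric versions (e.g. 8.5.87 vs 8.5.88).
# Prints -1, 0 or 1. Missing trailing components are treated as 0.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# Minimum patched Tomcat for a Bamboo major line (from the issue text).
# Prints nothing for a major line the issue does not cover.
min_tomcat_for_bamboo() {
  case "$1" in
    8) printf '%s\n' 8.5.88 ;;
    9) printf '%s\n' 9.0.74 ;;
    *) printf '' ;;
  esac
}

# Extract "9.0.73" from version.sh output such as
# "Server version: Apache Tomcat/9.0.73". Prints nothing if absent.
tomcat_version_from_output() {
  printf '%s\n' "$1" \
    | sed -n 's/^Server version: *Apache Tomcat\/\([0-9][0-9.]*\).*/\1/p' \
    | head -n 1
}

# tomcat_is_patched BAMBOO_MAJOR TOMCAT_VERSION
# Exit status: 0 = patched, 1 = needs upgrade, 2 = unknown Bamboo line.
tomcat_is_patched() {
  min="$(min_tomcat_for_bamboo "$1")"
  [ -n "$min" ] || return 2
  if [ "$(vercmp "$2" "$min")" -ge 0 ]; then return 0; fi
  return 1
}

# Constructed sample of what <bamboo-install>/bin/version.sh prints on a
# Bamboo 9 instance that has not yet been upgraded.
SAMPLE_VERSION_OUTPUT='Using CATALINA_BASE:   /opt/atlassian/bamboo
Server version: Apache Tomcat/9.0.73
Server number:  9.0.73.0
OS Name:        Linux'

# Stand-alone usage: in practice replace the sample with
#   "$(<bamboo-install>/bin/version.sh)" and pass the real Bamboo major.
found="$(tomcat_version_from_output "$SAMPLE_VERSION_OUTPUT")"
if tomcat_is_patched 9 "$found"; then
  echo "Tomcat $found: patched for CVE-2023-28709"
else
  echo "Tomcat $found: upgrade to $(min_tomcat_for_bamboo 9) or later"
fi
```

The numeric comparison matters because a plain string comparison would rank 9.0.100 below 9.0.74; the helper splits on dots and compares each component as an integer.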
Workaround
At your own risk, you can manually upgrade the bundled Tomcat as instructed in this KB article:
WARNING: Atlassian Support may decline support requests for Bamboo running on a Tomcat version other than the bundled one, unless the problem is still reproducible on an official release.
As per our Security Bug Fix Policy, backported security bug fixes are released for Long Term Support (LTS) releases that have not reached their end-of-life date and for all feature versions released within 6 months of the date the fix is released. This means that only Bamboo 9.3.x and the Bamboo 9.2.x LTS line will ship this fix.