- Bug
- Resolution: Fixed
- Medium
- Affects versions: 9.0.2, 9.3.0, 9.1.1, 9.2.1, 9.1.2, 8.2.8, 9.0.3, 8.1.12, 9.2.3, 9.1.3, 9.0.4, 8.2.9
- Support reference count: 7
- Severity 2 - Major
- UIS: 5
Issue summary
Apache Tomcat should be upgraded to 8.5.88 (Bamboo 8.x) or 9.0.74 (Bamboo 9.x), or a later version, to fix CVE-2023-28709
Environment
- Bamboo 8, 9
Steps to Reproduce
- Check the Apache Tomcat version in pom.xml or by running <bamboo-install>/bin/version.sh (version.bat on Windows)
Expected Results
- Bamboo 8.x: apache-tomcat 8.5.88 and later
- Bamboo 9.x: apache-tomcat 9.0.74 and later
Actual Results
- Bamboo 8.x: apache-tomcat 8.5.87 and earlier
- Bamboo 9.x: apache-tomcat 9.0.73 and earlier
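The version check from Steps to Reproduce, with the fixed-version thresholds from Expected Results, as an added POSIX shell example that is not part of this issue or of Atlassian's tooling. It assumes the version string is taken from a "Server version: Apache Tomcat/x.y.z" line such as Tomcat's version.sh prints (that output format is an assumption; the sample line below is constructed), and it only knows the 8.5.x and 9.0.x lines named in this issue, reporting anything else as not covered rather than guessing.

```shell
#!/bin/sh
# Added example, not code from the Bamboo issue or from Atlassian.
# Decide whether a bundled Tomcat is below the release that fixes CVE-2023-28709.

# Return 0 (true) if dotted version $1 is numerically lower than $2.
# Fields are compared as integers, so 9.0.9 < 9.0.74 (a plain string
# comparison would get this wrong).
version_lt() {
  IFS=. read -r a1 a2 a3 <<EOF
$1
EOF
  IFS=. read -r b1 b2 b3 <<EOF
$2
EOF
  [ "${a1:-0}" -lt "${b1:-0}" ] && return 0
  [ "${a1:-0}" -gt "${b1:-0}" ] && return 1
  [ "${a2:-0}" -lt "${b2:-0}" ] && return 0
  [ "${a2:-0}" -gt "${b2:-0}" ] && return 1
  [ "${a3:-0}" -lt "${b3:-0}" ]
}

# Pull "x.y.z" out of a line like "Server version: Apache Tomcat/9.0.73".
# The line format is assumed; adjust the pattern if your version.sh differs.
extract_tomcat_version() {
  printf '%s\n' "$1" | sed -n 's/.*Apache Tomcat\/\([0-9][0-9.]*\).*/\1/p'
}

# Classify a Tomcat version against the thresholds stated in the issue:
# 8.5.x is fixed from 8.5.88, 9.0.x is fixed from 9.0.74. Other release
# lines are not covered by the issue, so say so instead of inventing a threshold.
tomcat_cve_2023_28709_status() {
  v=$1
  case $v in
    8.5.*) fixed=8.5.88 ;;
    9.0.*) fixed=9.0.74 ;;
    *) echo "not-covered"; return 0 ;;
  esac
  if version_lt "$v" "$fixed"; then
    echo "vulnerable (upgrade to $fixed or later)"
  else
    echo "fixed"
  fi
}

# Constructed sample of a version.sh output line (not captured from a real host).
SAMPLE_LINE='Server version: Apache Tomcat/9.0.73'
sample_version=$(extract_tomcat_version "$SAMPLE_LINE")
echo "Tomcat $sample_version: $(tomcat_cve_2023_28709_status "$sample_version")"
```

On a real host, pipe the output of <bamboo-install>/bin/version.sh through extract_tomcat_version instead of the constructed sample line; the status function is what a patch-compliance check would assert on.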
Workaround
At your own risk, you can manually upgrade Tomcat as instructed on this KB:
WARNING: Unless the issue is still reproducible on official releases, Atlassian Support may decline support requests for Bamboo running on unofficial Tomcat versions.
[BAM-22280] Upgrade Tomcat to fix CVE-2023-28709
Field | Original | New
Remote Link | | This issue links to "Page (Confluence)" [ 880426 ]
Remote Link | | This issue links to "Page (Confluence)" [ 872538 ]
Affects Version/s | | 9.0.2 [ 103491 ]
Affects Version/s | | 9.1.1 [ 104302 ]
Affects Version/s | | 9.1.2 [ 104330 ]
Affects Version/s | | 8.2.8 [ 104331 ]
Affects Version/s | | 9.0.3 [ 104339 ]
Affects Version/s | | 9.2.3 [ 104892 ]
Remote Link | This issue links to "VULN-1098765 (Atlassian Security Jira)" [ 811413 ] | This issue links to "VULN-1098765 (ASEC/J)" [ 811413 ]
Remote Link | | This issue links to "VULN-1098765 (Atlassian Security Jira)" [ 811413 ]
Labels | CVE-2023-28709 security security-imported | CVE-2023-28709 resolved-in-vf security security-imported
Resolution | | Fixed [ 1 ]
Status | Waiting for Release [ 12075 ] | Closed [ 6 ]
Support reference count | 6 | 7
UIS | | 5