Issue Summary
This is reproducible on Data Center.
Apache Tomcat should be upgraded to 9.0.81 or a later version to fix CVE-2023-44487
Environment
- 6.8.x to 9.3.x
- 6.7.x - if HTTP/2 has been explicitly enabled in server.xml
Steps to Reproduce
- Check the bundled Apache Tomcat version in pom.xml, or by running <bamboo-install>/bin/version.sh (version.bat on Windows)
Expected Results
- Apache Tomcat version 8.5.94 and later or 9.0.81 and later
Actual Results
- Apache Tomcat version 8.5.93 and earlier or 9.0.80 and earlier
Workaround
To mitigate the issue, we advise customers to remove any <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> entries from the Connector(s) in <bamboo-install>/conf/server.xml and restart Bamboo. This disables HTTP/2 on the affected connector, which is the protocol the vulnerability targets.
It is also possible to manually upgrade Apache Tomcat to version 9.0.81 until a new Bamboo release with an updated version of Apache Tomcat is available. For instructions on how to manually upgrade Apache Tomcat in Bamboo, please refer to the following KB article.
WARNING: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Bamboo running over unofficial Tomcat versions.
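The two checks described above (the Tomcat version test from the Steps to Reproduce and the server.xml inspection from the Workaround) can be scripted. The following POSIX shell snippet is an added example and is not part of the Atlassian issue or of Bamboo; it assumes the version string is in the plain major.minor.patch form and takes the fixed releases (8.5.94, 9.0.81) from this issue. The server.xml content is constructed here for illustration, modelled on the element quoted in the workaround.

```shell
#!/bin/sh
# Added example (not from the Atlassian issue): classify a Bamboo host by its
# bundled Tomcat version and by whether server.xml still enables HTTP/2.

# tomcat_fixed VERSION
# Returns 0 when VERSION is 8.5.94 or later, or 9.0.81 or later (the fixed
# releases named in the issue). Any other branch is treated as "not verified"
# and returns 1, which is the conservative choice for a vulnerability check.
tomcat_fixed() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  patch=$(printf '%s' "$1" | cut -d. -f3)
  case "$major.$minor" in
    8.5) [ "${patch:-0}" -ge 94 ] ;;
    9.0) [ "${patch:-0}" -ge 81 ] ;;
    *)   return 1 ;;
  esac
}

# http2_enabled SERVER_XML
# Returns 0 when a Connector in SERVER_XML carries the Http2Protocol
# UpgradeProtocol element that the workaround says to remove, 1 otherwise.
http2_enabled() {
  grep -q 'UpgradeProtocol[^>]*org\.apache\.coyote\.http2\.Http2Protocol' "$1"
}

# needs_action VERSION SERVER_XML
# Prints one word:
#   fixed            - Tomcat already at or above the fixed release
#   mitigated        - Tomcat not fixed, but HTTP/2 is not enabled
#   action-required  - Tomcat not fixed and HTTP/2 still enabled
needs_action() {
  if tomcat_fixed "$1"; then
    echo fixed
  elif http2_enabled "$2"; then
    echo action-required
  else
    echo mitigated
  fi
}

# Constructed sample server.xml (not a real Bamboo configuration file).
SAMPLE_XML="${TMPDIR:-/tmp}/sample-server-$$.xml"
cat > "$SAMPLE_XML" <<'EOF'
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8085" protocol="org.apache.coyote.http11.Http11NioProtocol">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
EOF

# The same file with the UpgradeProtocol element removed, i.e. the workaround applied.
MITIGATED_XML="${TMPDIR:-/tmp}/sample-server-mitigated-$$.xml"
grep -v 'UpgradeProtocol' "$SAMPLE_XML" > "$MITIGATED_XML"
trap 'rm -f "$SAMPLE_XML" "$MITIGATED_XML"' EXIT

needs_action 9.0.80 "$SAMPLE_XML"      # action-required
needs_action 9.0.80 "$MITIGATED_XML"   # mitigated
needs_action 9.0.81 "$SAMPLE_XML"      # fixed
```

On a real host you would pass the version reported by version.sh and the path <bamboo-install>/conf/server.xml instead of the constructed sample. The grep is deliberately narrow: it only matches the exact className from the workaround, so an HTTP/2 connector configured in some other way would need a separate review.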
Backported fixes
As per our Security Bug Fix Policy, backported Security Bug fixes are released for Long Term Support (LTS) releases that have not reached their end-of-life date and to all feature versions released within 6 months of the date the fix is released, meaning that only Bamboo 9.3.x and Bamboo 9.2.x LTS releases will ship this fix.
- relates to BDEV-18094