
Update ActiveMQ to fix CVE-2023-46604


      Issue Summary

      Bamboo relies on ActiveMQ libraries of version <= 5.16.6 or <= 5.18.2, which are affected by CVE-2023-46604.

      An official advisory has been released. Please check CVE-2023-46604 - Apache ActiveMQ RCE Vulnerability impacts Bamboo Data Center and Server and the FAQ for details.

      Steps to Reproduce

      On the Bamboo instance, validate the ActiveMQ library versions in <bamboo-install>/atlassian-bamboo/WEB-INF/lib:

      $ ls /opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib | grep activemq-
      activemq-broker-5.18.2.jar
      activemq-client-5.18.2.jar
      activemq-http-5.18.2.jar
      activemq-jms-pool-5.18.2.jar
      activemq-kahadb-store-5.18.2.jar
      activemq-openwire-legacy-5.18.2.jar
      activemq-pool-5.18.2.jar
      activemq-protobuf-1.1.jar
      activemq-ra-5.18.2.jar
      activemq-spring-5.18.2.jar
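
      The check above can be scripted so that it also decides, per jar, whether the version is still below the fixed releases named in this issue (5.16.7 on the 5.16.x line, 5.18.3 on the 5.18.x line). The script below is an added example, not Atlassian's or the Bamboo project's code; it assumes the jars follow the activemq-<module>-<major>.<minor>.<patch>.jar naming seen in the listing and that the lib directory path is the one from the issue (override it with the first argument).

```shell
#!/bin/sh
# Added example (not Atlassian's or the Bamboo project's code): check a Bamboo
# WEB-INF/lib directory for ActiveMQ jars still affected by CVE-2023-46604.
# Fixed versions as stated in the issue: >= 5.16.7 on the 5.16.x line and
# >= 5.18.3 on the 5.18.x line. Assumption: jars are named
# activemq-<module>-<major>.<minor>.<patch>.jar, as in the listing above.

# Exit status 0 if the given ActiveMQ version is affected, 1 if it is fixed.
activemq_version_affected() {
    oldifs=$IFS
    IFS=.
    set -- $1                                  # split "5.18.2" into 5 / 18 / 2
    IFS=$oldifs
    major=$1
    minor=$2
    patch=${3%%[!0-9]*}                        # strip qualifiers such as -SNAPSHOT
    patch=${patch:-0}
    if [ "$major" -lt 5 ]; then return 0; fi   # older than 5.x is below 5.16.6
    if [ "$major" -gt 5 ]; then return 1; fi   # 6.x and later are above 5.18.2
    case "$minor" in
        16) [ "$patch" -lt 7 ]; return $? ;;   # fixed in 5.16.7
        18) [ "$patch" -lt 3 ]; return $? ;;   # fixed in 5.18.3
        *)  [ "$minor" -lt 18 ]; return $? ;;  # 5.0 .. 5.15 and 5.17 are <= 5.18.2
    esac
}

# Print one line per activemq-*.jar in the directory and return the number of
# affected jars as the exit status (0 means nothing affected was found).
scan_activemq_jars() {
    libdir=$1
    count=0
    for jar in "$libdir"/activemq-*.jar; do
        [ -e "$jar" ] || continue              # no match: glob stays literal
        name=$(basename "$jar" .jar)
        ver=${name##*-}                        # text after the last hyphen
        case "$ver" in
            [0-9]*.[0-9]*.[0-9]*) ;;           # three-part version: an ActiveMQ module
            *) echo "skipped   $name (not versioned with ActiveMQ itself)"; continue ;;
        esac
        if activemq_version_affected "$ver"; then
            echo "AFFECTED  $name"
            count=$((count + 1))
        else
            echo "ok        $name"
        fi
    done
    return $count
}

# Stand-alone use: scan the directory given as the first argument, defaulting
# to the install path from the issue; the exit status is the affected-jar count.
scan_activemq_jars "${1:-/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib}"
```

      Run it on the Bamboo node as the user that owns the install; a non-zero exit status means at least one ActiveMQ jar is still at an affected version, which makes the check easy to wire into a post-upgrade verification step. activemq-protobuf is reported as skipped because it carries its own version number and is not covered by the version ranges in this issue.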
      

      Expected Results

      The updated ActiveMQ library version is >= 5.16.7 or >= 5.18.3

      Actual Results

      The ActiveMQ library version is <= 5.16.6 or <= 5.18.2

      Workaround

      Make sure that Bamboo is behind a firewall/VPC and allows connections to its ActiveMQ broker port only from trusted Agents.

              achystoprudov Alexey Chystoprudov
              a3e6629b6e9d Giovanna Fragoso