Upgrade Tomcat to fix CVE-2023-46589


    • Severity 2 - Major

      Issue Summary

      This is reproducible on Data Center:

      Apache Tomcat should be upgraded to 8.5.96 or later (8.5.x line) or 9.0.83 or later (9.0.x line) to fix CVE-2023-46589.

      Environment

      • Bamboo 8.1.x to 9.4.x

      Steps to Reproduce

      • Check the Apache Tomcat version in pom.xml or by running <bamboo-install>/bin/version.sh (version.bat on Windows)

      Expected Results

      • Bamboo 8.x: Apache Tomcat version 8.5.96 and later
      • Bamboo 9.x: Apache Tomcat version 9.0.83 and later

      Actual Results

      • Apache Tomcat version 8.5.95 and earlier or 9.0.82 and earlier
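      As an added example (not part of this issue or of Bamboo itself), a POSIX shell check that pulls the Tomcat version out of version.sh-style output and compares it with the fixed releases listed above; the "Apache Tomcat/X.Y.Z" banner format, the sample output and the helper names are assumptions:

```shell
#!/bin/sh
# Added example, not Atlassian's code: classify a Tomcat version string
# against the fixed releases named in the issue (8.5.96 and 9.0.83).

# tomcat_is_fixed VERSION
#   exit 0 = at or above the fixed release for its branch (not affected)
#   exit 1 = below the fixed release (affected by CVE-2023-46589)
#   exit 2 = not an 8.5.x or 9.0.x version, cannot be judged from this issue
tomcat_is_fixed() {
    ver=$1
    case "$ver" in
        *.*.*) ;;                       # need at least major.minor.patch
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}             # keep only the digits: "95.0" -> "95", "83-M1" -> "83"
    case "$major.$minor" in
        8.5) min=96 ;;
        9.0) min=83 ;;
        *)   return 2 ;;
    esac
    [ "${patch:-0}" -ge "$min" ]
}

# tomcat_version_from_banner TEXT
#   extract "X.Y.Z" from a line such as "Server version: Apache Tomcat/9.0.82"
#   (assumed banner format, as printed by Tomcat's own version.sh)
tomcat_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's|.*Apache Tomcat/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Constructed sample, standing in for real <bamboo-install>/bin/version.sh output
SAMPLE='Server version: Apache Tomcat/9.0.82
Server built:   (build date omitted)'

v=$(tomcat_version_from_banner "$SAMPLE")
if tomcat_is_fixed "$v"; then
    echo "Tomcat $v: at or above the fixed release"
else
    echo "Tomcat $v: upgrade to 8.5.96+ or 9.0.83+ (or version not covered by this issue)"
fi
```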

      Workaround

      To mitigate the issue, it is possible to manually upgrade Apache Tomcat until a new Bamboo release with an updated version of Apache Tomcat is available. For instructions on how to manually upgrade Apache Tomcat in Bamboo, please refer to the following KB article.

      WARNING: Unless the issue is still reproducible on official releases, Atlassian Support may refuse support requests for Bamboo running on unofficial Tomcat versions.

      Backported fixes

      As per our Security Bug Fix Policy, backported Security Bug fixes are released for Long Term Support (LTS) releases that have not reached their end-of-life date and to all feature versions released within 6 months of the date the fix is released, meaning that only Bamboo 9.2.x LTS, 9.3.x and 9.4.x releases will ship this fix.

            Assignee:
            Alexey Chystoprudov
            Reporter:
            Eduardo Alvarenga (Inactive)
            Votes:
            0
            Watchers:
            3