Upgrade Tomcat to fix CVE-2024-34750

XMLWordPrintable

    • 2
    • Severity 2 - Major

      Issue Summary

      Apache Tomcat should be upgraded to 9.0.90 or a later version to fix CVE-2024-34750.

      Steps to Reproduce

      • Check the Apache Tomcat version on pom.xml or <bamboo-install>/bin/version.sh/bat

      Expected Results

      • Bamboo 9.x: apache-tomcat.9.0.90 and later

      Actual Results

      • Bamboo 9.x: apache-tomcat.9.0.87

      Workaround

      It is also possible to manually upgrade Apache Tomcat to version 9.0.90 until a new Bamboo release with an updated version of Apache Tomcat is available. For instructions on how to manually upgrade Apache Tomcat in Bamboo, please refer to the following KB article.

      WARNING: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Bamboo running over unofficial Tomcat versions.

      Backported fixes

      Per our Security Bug Fix Policy, we are committed to delivering a bug fix release for the most recent feature release of Bamboo, as well as for all supported LTS releases, following the guidelines outlined in the Atlassian Support End of Life Policy. This implies that the fix will be included in Bamboo 9.2.x and Bamboo 9.6.x releases exclusively.

            Assignee:
            Alexey Chystoprudov
            Reporter:
            SSI Team
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: