Does Atlassian Bamboo server 7.2.4 use Apache Commons Text ver 1.5-1.9? (CVE-2022-42889)

Hi, does Atlassian Bamboo server version use Apache Commons Text?

Since a vulnerability is reported in CVE-2022-42889.

Thanks,

Niraj

Answer accepted
Eduardo Alvarenga
Atlassian Team
Oct 17, 2022 • edited Oct 19, 2022

Hello @Niraj Wagh

The Bamboo 8.0 and 9.0 series use Apache Commons Text v1.9.

Bamboo 7.2 uses Apache Commons Text v1.1.

As of today, 18/10/2022, Atlassian is currently evaluating if Bamboo is vulnerable to CVE-2022-42889. We don't have much information to disclose at this stage and/or if a patch is going to be published.

Update 19/10/2022: Bamboo is not vulnerable to CVE-2022-42889 as it does not use the StringSubstitutor module of commons-text. We will obviously bump the dependency to 1.10.0 in the next point release.

If you have a valid Bamboo subscription and you prefer having a more directed approach, you can subscribe your account to our Security Advisories mailing list. To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email under "Tech Alerts".

You can find more information on how we deal with Security Advisories here:

Here's the official page on Bamboo vulnerabilities:

To find the version of bundled software in Bamboo, please check the following KB article:

Kind regards,

Eduardo Alvarenga
Atlassian Support APAC

--please don't forget to Accept the answer if the reply is helpful-- 

Hi @Eduardo Alvarenga, I have downloaded the .pom file for Bamboo 7.2.4 using the third document link mentioned in your answer. (https://packages.atlassian.com/maven/repository/public/com/atlassian/bamboo/atlassian-bamboo/7.2.4/atlassian-bamboo-7.2.4.pom)

In the .pom file, I checked for commons-text, and the version mentioned there is 1.1.

<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>1.1</version>
</dependency>

Does that mean Bamboo server 7.2.4 uses Apache commons-text 1.1?

Thanks,

Niraj
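As an added example (not code from this thread or from Atlassian), here is a script that automates the check Niraj did by hand: parse a Maven pom, extract the declared commons-text version, and test it against the 1.5-1.9 range affected by CVE-2022-42889. The sample pom is constructed to mirror the dependency block quoted above, not the real atlassian-bamboo-7.2.4.pom; the script also resolves `${property}` version references, which many real poms use.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the dependency block quoted in the thread;
# it is NOT the real atlassian-bamboo-7.2.4.pom.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <commons.lang3.version>3.12.0</commons.lang3.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-text</artifactId>
        <version>1.1</version>
      </dependency>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>${commons.lang3.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""
NS = "{http://maven.apache.org/POM/4.0.0}"
# CVE-2022-42889 affects commons-text 1.5 through 1.9; 1.10.0 is the fixed release.
AFFECTED_RANGE = ((1, 5), (1, 9))

def find_dependency_version(pom_xml, group_id, artifact_id):
    """Return the declared version of group:artifact, resolving ${property} refs."""
    root = ET.fromstring(pom_xml)
    props = {p.tag[len(NS):]: (p.text or "").strip()
             for p in root.findall(f"{NS}properties/*")}
    for dep in root.iter(f"{NS}dependency"):
        if (dep.findtext(f"{NS}groupId") == group_id
                and dep.findtext(f"{NS}artifactId") == artifact_id):
            version = (dep.findtext(f"{NS}version") or "").strip()
            if version.startswith("${") and version.endswith("}"):
                version = props.get(version[2:-1], version)
            return version
    return None  # dependency not declared in this pom

def is_affected_by_cve_2022_42889(version):
    """True when major.minor lies in 1.5-1.9. A version in range only means the
    vulnerable code ships; as the answer above notes, exploitability also needs
    StringSubstitutor to be used on untrusted input, which this check cannot see."""
    major_minor = tuple(int(p) if p.isdigit() else 0 for p in version.split("."))[:2]
    return AFFECTED_RANGE[0] <= major_minor <= AFFECTED_RANGE[1]
```

Run it against a downloaded pom with `find_dependency_version(open(path).read(), "org.apache.commons", "commons-text")`; a version outside the range, as with 1.1 here, means the affected code is not bundled, while a version inside it is a prompt to check how commons-text is actually used.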

Eduardo Alvarenga
Atlassian Team
Oct 18, 2022

Hey @Niraj Wagh

Yes! You are right. Apache Commons Text 1.9 was introduced only on Bamboo 8.0. Apologies for that. I have amended my comment.

Answering your question, Bamboo 7.2.4 comes with Apache Commons Text 1.1.

Kind regards,

Eduardo Alvarenga
Atlassian Support APAC

--please don't forget to Accept the answer if the reply is helpful-- 

Hi @Eduardo Alvarenga 

Thanks for answering.

Thanks,

Niraj
