Is Bamboo server 7.2.4 affected by Tomcat vulnerability CVE-2022-25762

Hello,

Is Bamboo server 7.2.4 affected by Tomcat vulnerability CVE-2022-25762?

Do I have to upgrade my Bamboo version?

 

Thanks

1 vote
Answer accepted

Hello @niraj,

Welcome to Atlassian Community!

Short Answer: Not vulnerable

CVE-2022-25762 does not affect Bamboo as Bamboo does not use WebSockets.

Customers are free to manually update Bamboo’s embedded Tomcat to version 8.5.76 or later as instructed on this page:

 

Sincerely,

 

Eduardo Alvarenga
Atlassian Support APAC

 

--please don't forget to Accept the answer if the reply is helpful-- 

Thanks for the reply, Eduardo,

But my Bamboo instance is publicly accessible, and the Tomcat version 8.5.64 is vulnerable.

So do I have to upgrade Tomcat because of this vulnerability?

Or are we safe even if the Tomcat version is vulnerable?

Can you please also clarify this part? Our security team is asking us to upgrade Tomcat because of this vulnerability.

Thanks,

Niraj

Hello @niraj

It is highly recommended that you upgrade Bamboo to at least 8.2.5 due to the following vulnerabilities (not only Tomcat)!

By default, the primary technical contact for a Support Entitlement Number (SEN) will always receive emails regarding security vulnerabilities as well as other technical alerts (pricing changes, maintenance notifications, etc). Make sure to keep the technical contact updated for the referring Support Entitlement Number:

If you prefer having a more directed approach, you can subscribe your account to our Security Advisories mailing list. To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email under "Tech Alerts".

You can find more information on how we deal with Security Advisories here:

We recommend you renew your Bamboo subscription, install the updated License string and plan your Bamboo upgrade.

 

Kind regards,

Eduardo Alvarenga
Atlassian Support APAC

--please don't forget to Accept the answer if the reply is helpful-- 

Thanks Eduardo for clarifying.
