Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Is Bamboo server 7.2.4 affected by Tomcat vulnerability CVE-2022-25762

niraj
niraj September 6, 2022

Hello,

Is Bamboo server 7.2.4 affected by Tomcat vulnerability CVE-2022-25762?

Do I have to upgrade my bamboo version?

 

Thanks

Answer
Watch
Like Be the first to like this
374 views

1 answer

1 accepted

1 vote
Answer accepted
Eduardo Alvarenga
Eduardo Alvarenga
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 6, 2022

Hello @niraj,

Welcome to Atlassian Community!

Short Answer: Not vulnerable

CVE-2022-25762 does not affect Bamboo as Bamboo does not use Web sockets.

Customers are free to manually update Bamboo’s embedded Tomcat to version 8.5.76 or later as instructed on this page:

 

Sincerely,

 

Eduardo Alvarenga
Atlassian Support APAC

 

--please don't forget to Accept the answer if the reply is helpful-- 

View More Comments
niraj
niraj September 6, 2022

Thanks for the Reply Eduardo,

But my Bamboo instance is publically accessible, and the tomcat version 8.5.64 is vulnerable.

So do I have to upgrade Tomcat because of this vulnerability?

Or we are safe even if the tomcat version is vulnerable?

Can you please also clarify this part? Our security team is asking us to upgrade the tomcat because of this vulnerability.

Thanks,

Niraj

Like
Eduardo Alvarenga
Eduardo Alvarenga
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 6, 2022

Hello @niraj

It is highly recommended that you upgrade Bamboo to at least 8.2.5 due to the following vulnerabilities (not only Tomcat)!

By default, the primary technical contact for a Support Entitlement Number (SEN) will always receive emails regarding security vulnerabilities as well as other technical alerts (pricing changes, maintenance notifications, etc). Make sure to keep the technical contact updated for the referring Support Entitlement Number:

If you prefer having a more directed approach, you can subscribe your account to our Security Advisories mailing list. To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email under "Tech Alerts".

You can find more information on how we deal with Security Advisories here:

We recommend you renew your Bamboo subscription, install the updated License string and plan your Bamboo upgrade.

 

Kind regards,

Eduardo Alvarenga
Atlassian Support APAC

--please don't forget to Accept the answer if the reply is helpful-- 

Like
niraj
niraj September 6, 2022

Thanks Eduardo for clarifying.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bamboo
Bamboo
TAGS
AUG Leaders

Atlassian Community Events

    See all events