Is Bamboo server 7.2.4 affected by Tomcat vulnerability CVE-2022-25762

niraj September 6, 2022

Hello,

Is Bamboo server 7.2.4 affected by Tomcat vulnerability CVE-2022-25762?

Do I have to upgrade my bamboo version?


Thanks

1 answer

1 accepted

1 vote
Answer accepted
Eduardo Alvarenga
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 6, 2022

Hello @niraj,

Welcome to Atlassian Community!

Short Answer: Not vulnerable

CVE-2022-25762 does not affect Bamboo as Bamboo does not use WebSockets.

Customers are free to manually update Bamboo’s embedded Tomcat to version 8.5.76 or later as instructed on this page:


Sincerely,


Eduardo Alvarenga
Atlassian Support APAC


--please don't forget to Accept the answer if the reply is helpful-- 
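The answer above rests on two facts about the running instance: the version of the Tomcat embedded in Bamboo, and whether Tomcat's WebSocket module is bundled at all. A practitioner will usually want to verify both on the actual install rather than take them from a forum reply. The POSIX shell script below is an added example, not code from this thread or from Atlassian. It assumes the Bamboo install directory is given in BAMBOO_HOME, that catalina.jar and the other Tomcat jars live under $BAMBOO_HOME/lib (an assumption about the layout), and that unzip is installed; the ServerInfo.properties snippet embedded in it is constructed to match the 8.5.64 version the question reports, so the script also runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread or from Atlassian.
# Checks the Tomcat embedded in a Bamboo install against the fix version the
# answer names (8.5.76) and reports whether Tomcat's WebSocket module is
# shipped. $BAMBOO_HOME/lib as the location of the Tomcat jars is an assumption.

FIXED_VERSION=8.5.76

# Constructed sample of org/apache/catalina/util/ServerInfo.properties, the
# file inside catalina.jar that carries the version (values made up to match
# the version reported in the question).
SAMPLE_SERVERINFO='server.info=Apache Tomcat/8.5.64
server.number=8.5.64.0'

# version_ge A B: true (exit 0) when dotted version A >= B.
# Components are compared as integers: a plain string comparison would rank
# 8.5.100 below 8.5.76, which is exactly the mistake that makes a
# "is my version at least X" check pass or fail wrongly.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# Pull "8.5.64" out of the text of ServerInfo.properties
# (line format: server.info=Apache Tomcat/8.5.64).
tomcat_version_from_serverinfo() {
    printf '%s\n' "$1" | sed -n 's|^server\.info=Apache Tomcat/||p' | head -n 1
}

# Same, but read straight from a catalina.jar; unzip -p prints one member.
tomcat_version_from_jar() {
    tomcat_version_from_serverinfo \
        "$(unzip -p "$1" org/apache/catalina/util/ServerInfo.properties)"
}

# Is Tomcat's WebSocket implementation present in the given lib directory?
# Tomcat distributes it as tomcat-websocket.jar; whether Bamboo bundles it is
# what this check tells you (its absence supports the answer's reasoning).
websocket_jar_present() {
    for f in "$1"/tomcat-websocket*.jar; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# tomcat_update_needed CURRENT FIXED: prints "yes" when CURRENT < FIXED.
tomcat_update_needed() {
    if version_ge "$1" "$2"; then echo no; else echo yes; fi
}

# Point BAMBOO_HOME at a real install to inspect it; otherwise the constructed
# sample is used so the script still runs offline.
if [ -n "${BAMBOO_HOME:-}" ] && [ -f "$BAMBOO_HOME/lib/catalina.jar" ]; then
    current=$(tomcat_version_from_jar "$BAMBOO_HOME/lib/catalina.jar")
    if websocket_jar_present "$BAMBOO_HOME/lib"; then ws=present; else ws=absent; fi
else
    current=$(tomcat_version_from_serverinfo "$SAMPLE_SERVERINFO")
    ws='unknown (no BAMBOO_HOME given, sample data used)'
fi
echo "embedded Tomcat: $current"
echo "below fix version $FIXED_VERSION, update needed: $(tomcat_update_needed "$current" "$FIXED_VERSION")"
echo "tomcat-websocket jar: $ws"
```

If unzip is not available, `java -cp "$BAMBOO_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo` prints the same version from the jar. Note what the second check does and does not establish: an absent WebSocket jar means the vulnerable code path is not even on the classpath, which is the strongest form of the answer's argument; a present jar only means the module is shipped, and the flaw described by CVE-2022-25762 is still reachable only through an application that actually uses a WebSocket endpoint.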

niraj September 6, 2022

Thanks for the Reply Eduardo,

But my Bamboo instance is publicly accessible, and Tomcat version 8.5.64 is vulnerable.

So do I have to upgrade Tomcat because of this vulnerability?

Or are we safe even if the Tomcat version is vulnerable?

Can you please also clarify this part? Our security team is asking us to upgrade Tomcat because of this vulnerability.

Thanks,

Niraj

Eduardo Alvarenga
Atlassian Team
September 6, 2022

Hello @niraj

It is highly recommended that you upgrade Bamboo to at least 8.2.5 due to the following vulnerabilities (not only Tomcat)!

By default, the primary technical contact for a Support Entitlement Number (SEN) will always receive emails regarding security vulnerabilities as well as other technical alerts (pricing changes, maintenance notifications, etc). Make sure to keep the technical contact updated for the referring Support Entitlement Number:

If you prefer having a more directed approach, you can subscribe your account to our Security Advisories mailing list. To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email under "Tech Alerts".

You can find more information on how we deal with Security Advisories here:

We recommend you renew your Bamboo subscription, install the updated license string and plan your Bamboo upgrade.


Kind regards,

Eduardo Alvarenga
Atlassian Support APAC

--please don't forget to Accept the answer if the reply is helpful-- 

niraj September 6, 2022

Thanks Eduardo for clarifying.
