Is Bamboo server 7.2.4 affected by Tomcat vulnerability CVE-2022-25762?

Hello,

Is Bamboo server 7.2.4 affected by Tomcat vulnerability CVE-2022-25762?

Do I have to upgrade my Bamboo version?


Thanks

1 answer

1 accepted

1 vote
Answer accepted
Eduardo Alvarenga
Atlassian Team
Sep 06, 2022

Hello @niraj,

Welcome to Atlassian Community!

Short Answer: Not vulnerable

CVE-2022-25762 does not affect Bamboo as Bamboo does not use WebSockets.

Customers are free to manually update Bamboo’s embedded Tomcat to version 8.5.76 or later as instructed on this page:


Sincerely,


Eduardo Alvarenga
Atlassian Support APAC


--please don't forget to Accept the answer if the reply is helpful-- 
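The question mentions an embedded Tomcat 8.5.64 and the answer names 8.5.76 as the fixed version for the 8.5 branch. The script below is an added example (not Atlassian's or Bamboo's own tooling) that reads the embedded Tomcat version either from `bin/version.sh` output or from the `ServerInfo.properties` resource inside `catalina.jar`, and reports whether it is below the 8.5.76 threshold stated above. It assumes only the 8.5.x fixed version given in the answer; any other Tomcat branch is reported as "unknown" rather than guessed, and the jar path is whatever the operator passes on the command line.

```python
"""Check an embedded Tomcat version against the 8.5.76 fix named above
for CVE-2022-25762.

Added example, not Atlassian's or Bamboo's own tooling. Assumptions:
- the fixed version for the 8.5.x branch is 8.5.76 (taken from the answer
  above); other branches are reported as "unknown", not guessed;
- the version is read from `bin/version.sh` output ("Server version:
  Apache Tomcat/x.y.z") or from org/apache/catalina/util/ServerInfo.properties
  inside catalina.jar ("server.info=Apache Tomcat/x.y.z"), both of which are
  real Tomcat formats.
"""
import re
import sys
import zipfile
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Branch -> first fixed version. Only the 8.5 entry comes from the answer above.
FIXED_VERSIONS = {(8, 5): (8, 5, 76)}

_VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from version.sh output or ServerInfo.properties."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def tomcat_version_from_jar(jar_path: str) -> Optional[Version]:
    """Read the version string Tomcat ships inside catalina.jar."""
    with zipfile.ZipFile(jar_path) as jar:
        props = jar.read("org/apache/catalina/util/ServerInfo.properties")
    return parse_tomcat_version(props.decode("utf-8", "replace"))


def assess(version: Optional[Version]) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' relative to FIXED_VERSIONS."""
    if version is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown"  # branch not covered by the answer above
    return "patched" if version >= fixed else "vulnerable"


# Constructed sample inputs, mirroring the two real formats.
SAMPLE_VERSION_SH = "Server version: Apache Tomcat/8.5.64\nServer built:   (constructed)\n"
SAMPLE_PROPERTIES = "server.info=Apache Tomcat/8.5.76\nserver.number=8.5.76.0\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_tomcat.py /path/to/catalina.jar   (path is operator-supplied)
        found = tomcat_version_from_jar(sys.argv[1])
    else:
        found = parse_tomcat_version(SAMPLE_VERSION_SH)
    label = ".".join(map(str, found)) if found else "not found"
    print(f"Tomcat {label}: {assess(found)}")
```

Run it against the jar to get a definite answer for the instance in question; a "vulnerable" result means the embedded Tomcat is older than the 8.5.76 the answer names, regardless of whether Bamboo exposes the affected WebSocket code path.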

Thanks for the Reply Eduardo,

But my Bamboo instance is publicly accessible, and the Tomcat version 8.5.64 is vulnerable.

So do I have to upgrade Tomcat because of this vulnerability?

Or are we safe even if the Tomcat version is vulnerable?

Can you please also clarify this part? Our security team is asking us to upgrade Tomcat because of this vulnerability.

Thanks,

Niraj

Eduardo Alvarenga
Atlassian Team
Sep 06, 2022

Hello @niraj

It is highly recommended that you upgrade Bamboo to at least 8.2.5 due to the following vulnerabilities (not only Tomcat)!

By default, the primary technical contact for a Support Entitlement Number (SEN) will always receive emails regarding security vulnerabilities as well as other technical alerts (pricing changes, maintenance notifications, etc). Make sure to keep the technical contact updated for the referring Support Entitlement Number:

If you prefer having a more directed approach, you can subscribe your account to our Security Advisories mailing list. To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email under "Tech Alerts".

You can find more information on how we deal with Security Advisories here:

We recommend you renew your Bamboo subscription, install the updated License string and plan your Bamboo upgrade.


Kind regards,

Eduardo Alvarenga
Atlassian Support APAC

--please don't forget to Accept the answer if the reply is helpful-- 

Thanks Eduardo for clarifying.
