Is atlassian-bamboo-agent-installer-8.0.4.jar class log4j 2.9.0 vulnerable to CVE-2021-44228

Vincent December 13, 2021

We had to extract the atlassian-bamboo-agent-installer-8.0.4.jar and to analyse for CVE-2021-44228 for our client. 

 

What we found was that log4j 2.9.0 is in the atlassian-bamboo-agent-installer-8.0.4.jar/classpath.zip, but apparently its not an issue per Nexus-IQ.

 

Any idea if atlassian will be updating the atlassian-bamboo-agent-installer-8.0.4.jar ? 

 

Below are the extracted findings of the bamboo agent installer jar

image.pngimage.png

 

1 answer

1 vote
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 13, 2021

Hi @Vincent ,

Please see the advisory we released today - Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228 - for the specific information in regards to Bamboo.

Vincent December 13, 2021

Hi Daniel, 

 

Thanks for getting back to me. I've checked our bamboo server and it seems clean per the advisory. 

 

I'm actually asking for the bamboo agent which is not stated

Like Steffen Opel _Utoolity_ likes this
Alexey Chystoprudov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 14, 2021

Bamboo agents are not affected as well. Added it to advisory

Like Steffen Opel _Utoolity_ likes this
Ben Paul
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
December 16, 2021

Hi Alexey,

I still can't see any reference to Bamboo agents on the linked advisory?

Alexey Chystoprudov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 17, 2021

Old version was cached, it should be visible now

Like Daniel Eads likes this

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events