We had to extract the atlassian-bamboo-agent-installer-8.0.4.jar and to analyse for CVE-2021-44228 for our client.
What we found was that log4j 2.9.0 is in the atlassian-bamboo-agent-installer-8.0.4.jar/classpath.zip, but apparently its not an issue per Nexus-IQ.
Any idea if atlassian will be updating the atlassian-bamboo-agent-installer-8.0.4.jar ?
Below are the extracted findings of the bamboo agent installer jar
Hi @Vincent ,
Please see the advisory we released today - Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228 - for the specific information in regards to Bamboo.
Hi Daniel,
Thanks for getting back to me. I've checked our bamboo server and it seems clean per the advisory.
I'm actually asking for the bamboo agent which is not stated
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Bamboo agents are not affected as well. Added it to advisory
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Alexey,
I still can't see any reference to Bamboo agents on the linked advisory?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Old version was cached, it should be visible now
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.