We had to extract the atlassian-bamboo-agent-installer-8.0.4.jar and analyse it for CVE-2021-44228 for our client.
What we found was that log4j 2.9.0 is in the atlassian-bamboo-agent-installer-8.0.4.jar/classpath.zip, but apparently it's not an issue per Nexus-IQ.
Any idea if Atlassian will be updating the atlassian-bamboo-agent-installer-8.0.4.jar?
Below are the extracted findings of the Bamboo agent installer jar:
Hi @Vincent,
Please see the advisory we released today - Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228 - for the specific information in regard to Bamboo.
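
The nested-archive check described in the question (a log4j jar inside classpath.zip inside the installer jar) can be automated. The following is an added example, not code from either poster or from Atlassian: it walks archives recursively in memory, reports every `log4j-core` jar with its version, and notes whether the `JndiLookup` class is present. The file names inside the sample archive are constructed for illustration; only the installer name, `classpath.zip` and version 2.9.0 come from the thread.

```python
import io
import re
import zipfile

ARCHIVE_EXT = (".jar", ".zip", ".war", ".ear")
CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)+)[^/]*\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def has_entry(data, entry):
    """True if the archive bytes contain the named entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return entry in zf.namelist()
    except zipfile.BadZipFile:
        return False

def scan_archive(data, path="", depth=0, max_depth=5):
    """Return [(nested_path, version, has_jndi_lookup)] per log4j-core jar."""
    findings = []
    if depth > max_depth:  # stop on pathological nesting
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for name in zf.namelist():
            if not name.lower().endswith(ARCHIVE_EXT):
                continue
            inner = zf.read(name)
            inner_path = f"{path}/{name}" if path else name
            match = CORE_JAR.search(name)
            if match:
                hit = has_entry(inner, JNDI_CLASS)
                findings.append((inner_path, match.group(1), hit))
            # Recurse: jars are often bundled inside zips inside jars.
            findings += scan_archive(inner, inner_path, depth + 1, max_depth)
    return findings

def make_zip(entries):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample():
    """Constructed sample: installer jar -> classpath.zip -> log4j-core jar."""
    core = make_zip({JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    other = make_zip({"readme.txt": b"constructed"})
    classpath = make_zip({"log4j-core-2.9.0.jar": core, "other-lib-1.0.jar": other})
    return make_zip({"classpath.zip": classpath})
```

To scan a real file, pass its bytes and name, for example `scan_archive(open(p, "rb").read(), p)`. A hit shows only that the library is bundled; whether the product is affected is determined by the vendor advisory.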