Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,368,846
Community Members
 
Community Events
168
Community Groups

Is atlassian-bamboo-agent-installer-8.0.4.jar class log4j 2.9.0 vulnerable to CVE-2021-44228

Edited

We had to extract the atlassian-bamboo-agent-installer-8.0.4.jar and to analyse for CVE-2021-44228 for our client. 

 

What we found was that log4j 2.9.0 is in the atlassian-bamboo-agent-installer-8.0.4.jar/classpath.zip, but apparently its not an issue per Nexus-IQ.

 

Any idea if atlassian will be updating the atlassian-bamboo-agent-installer-8.0.4.jar ? 

 

Below are the extracted findings of the bamboo agent installer jar

image.pngimage.png

 

1 answer

1 vote
Daniel Eads Atlassian Team Dec 13, 2021

Hi @Vincent ,

Please see the advisory we released today - Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228 - for the specific information in regards to Bamboo.

Hi Daniel, 

 

Thanks for getting back to me. I've checked our bamboo server and it seems clean per the advisory. 

 

I'm actually asking for the bamboo agent which is not stated

Like Steffen Opel _Utoolity_ likes this

Bamboo agents are not affected as well. Added it to advisory

Like Steffen Opel _Utoolity_ likes this

Hi Alexey,

I still can't see any reference to Bamboo agents on the linked advisory?

Old version was cached, it should be visible now

Like Daniel Eads likes this

Suggest an answer

Log in or Sign up to answer
TAGS

Atlassian Community Events