We have a self-managed instance of Bamboo, which is currently on version 8.1.3. Our security scans have picked up that this version has log4j-1.2.15.jar (bundled in atlassian-nav-links-plugin-3.3.9.jar), which has multiple vulnerabilities (e.g. CVE-2021-44228). Atlassian has confirmed that self-managed instances that maintain a fork of log4j-1.2.17.jar are not vulnerable to some of these (link below), but there's no mention of log4j-1.2.15.
Can you please advise whether self-managed instances that maintain a fork of log4j-1.2.15.jar have any known vulnerabilities? Also, please advise if there's a way to update log4j-1.2.15 to 1.2.17. The current version of Bamboo (8.2.3) doesn't seem to solve this issue.
Feel free to get back to me if you require further information. Thanks.
We have a self-managed instance of Bamboo, which is currently on version 8.1.3. Our security scans have picked up this version has log4j-1.2.15.jar
Bamboo 8.1.3 bundles log4j-1.2.17-atlassian-15 and not log4j-1.2.15 -- Notice that the version is 1.2.17, whilst the patch is "-15".
If you are looking to update it to log4j-1.2.17-atlassian-16 (the latest as of today, 08/Jun/2022), you will need to upgrade Bamboo to any of the following versions as listed on the provided FAQ:
Atlassian Support APAC
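
To reconcile a scanner finding like the one in the question with the version support reports, it helps to list every log4j jar in the install, including jars nested inside plugin jars. This is an added example, not Atlassian's code or part of the original thread; the function names, the archive extension list and the META-INF/lib layout of the constructed sample are assumptions.

```python
import io
import pathlib
import re
import zipfile

# Captures the version from names like log4j-1.2.17-atlassian-15.jar.
LOG4J_JAR = re.compile(r"(?:^|/)log4j(?:-core)?-(\d[\w.\-]*?)\.jar$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".obr")


def find_log4j(data, origin, depth=0, max_depth=4):
    """Return [(path_chain, version)] for each log4j jar nested in archive bytes."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # unreadable archive: nothing to report
    with archive:
        for name in archive.namelist():
            chain = f"{origin}!/{name}"
            match = LOG4J_JAR.search(name)
            if match:
                hits.append((chain, match.group(1)))
            if name.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                hits += find_log4j(archive.read(name), chain, depth + 1, max_depth)
    return hits


def scan_tree(root):
    """Scan an install directory: loose log4j jars plus those inside archives."""
    hits = []
    for path in pathlib.Path(root).rglob("*"):
        match = LOG4J_JAR.search(path.name)
        if match:
            hits.append((str(path), match.group(1)))
        if path.is_file() and path.name.lower().endswith(ARCHIVE_EXT):
            hits += find_log4j(path.read_bytes(), str(path))
    return hits


def build_sample():
    """Constructed sample: a plugin jar embedding a log4j jar (layout assumed)."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/apache/log4j/Logger.class", b"")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/lib/log4j-1.2.15.jar", inner.getvalue())
    return outer.getvalue()
```

Call `scan_tree` on the Bamboo install and home directories to get each jar's location chain and version. The version is read from the file name only, so a renamed or repackaged jar will not be reported.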