Why Atlassian choose to support only older version of tomcat ?


I'm just in the process to upgrade my Bamboo instance to version 5.7.1. Checked and found that Atlassian only supports the bundled Tomcat which is version 7.0.40.

How does Atlassian explain this choice when there are security issues (and fixes) on version 7.0.40 ?
Just take a look at [http://tomcat.apache.org/security-7.html] and you can see that it is a bad idea to run 7.0.40.




2 answers

1 vote


Check Oliver Pereira's response at the end of https://jira.atlassian.com/browse/BAM-15127. You should be able to download Bamboo WAR and install in the most recent Tomcat.

We might also bundle most recent Tomcat in next Bamboo release. Please watch that issue for future updates.

Probably not a major issue, but if you run into problems with Bamboo, Atlassian support may not help you out.

Exactly, I'm not having a problem with finding Bamboo binaries, but more on the support policy of Atlassian on its products. If you supports Bamboo 5.7.1 when it only runs on 7.0.40, what do you do about the security fixes made my Apache on Tomcat ? Can someone at Atlassian answer this question ?

I'm not sure Atlassian patches handle Tomcat security issues...

Since they package tomcat internally with their products in some installation packages, they would need to since users are unaware. They would normally not fix things in tomcat, but they can provide an patch or a maintenance release if the security flaw would affect an Atlassian installation. If you read their Security Bugfix Policy they would be required to if the exploit would affect the customer system or atlassian products as per their policy. The issue is just because there are exploits it may not be possible to exploit through Atlassian product installations, so Atlassian would not need to provide a fix. This point is where contention arises. This is another reason to follow Atlassian recommended installation steps. If you have a non-standard installation, they could say fix your installation instead of providing a patch or a release. https://www.atlassian.com/security/secpol With Bamboo, they would provide a maintenance release based upon the current security bugfix policy.

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted yesterday in Statuspage

How do your teams prepare for really high (planned) traffic days like Cyber Monday?

Hi there! Shannon from Statuspage here.  👋  With Cyber Monday quickly approaching, we're looking to hear from Atlassian customers – specifically from teams who touch incident response li...

34 views 0 4
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you