Bamboo does not start with a java.lang.NoClassDefFoundError: PanwHooks exception
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
The Bamboo Server or Bamboo Remote Agent fails to start with a java.lang.NoClassDefFoundError: PanwHooks exception.
Environment
Palo Alto Cortex XDR security software running on the Bamboo/remote agent server.
Diagnosis
This exception can be found in the<BAMBOO_HOME>/logs/atlassian-bamboo.logfile not long after starting Bamboo. On remote agents, it can be found in the <AGENT_HOME>/logs/atlassian-bamboo.log file.
1
2021-055-22 00:09:35,413 WARN [FelixStartLevel] [OsgiBundleXmlApplicationContext] Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.beans.factory.config.PropertyPlaceholderConfigurer#0' defined in OSGi resource[bundle://2.0:0/META-INF/spring/extender/extender-configuration.xml|bnd.id=4|bnd.sym=org.eclipse.gemini.blueprint.extender]: Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: PanwHooksCause
This has been known to be caused by a security software Palo Alto Cortex XDR agent (a.k.a traps) injecting itself into Bamboo's JVM in an attempt to prevent deserialization exploits such as that found most recently in Log4j libraries.
Solution
Our Security team investigated the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and has determined thatnoAtlassian on-premises products are vulnerable to CVE-2021-44228. Please check the FAQ for CVE-2021-44228 for more detail.
After consulting with your internal security team, whitelist the Bamboo Java process in Cortex XDR and restart Bamboo.
You can create a Global Exception to allowlist a specific Java executable (jar, class) that you know to be benign directly from the Cortex XDR alert. The new Java Deserialization Exploit protection module is automatically activated when you enable Known Vulnerable Processes Protection in the Linux Exploit Security profile. (Source)
Was this helpful?