Bamboo does not start with a java.lang.NoClassDefFoundError: PanwHooks exception
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
要約
The Bamboo Server or Bamboo Remote Agent fails to start with a java.lang.NoClassDefFoundError: PanwHooks
exception.
環境
Palo Alto Cortex XDR security software running on the Bamboo/remote agent server.
診断
This exception can be found in the <
BAMBOO_HOME>/logs/atlassian-bamboo.log
file not long after starting Bamboo. On remote agents, it can be found in the <AGENT_HOME>/logs/atlassian-bamboo.log
file.
2021-055-22 00:09:35,413 WARN [FelixStartLevel] [OsgiBundleXmlApplicationContext] Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.beans.factory.config.PropertyPlaceholderConfigurer#0' defined in OSGi resource[bundle://2.0:0/META-INF/spring/extender/extender-configuration.xml|bnd.id=4|bnd.sym=org.eclipse.gemini.blueprint.extender]: Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: PanwHooks
原因
This has been known to be caused by a security software Palo Alto Cortex XDR agent (a.k.a traps) injecting itself into Bamboo's JVM in an attempt to prevent deserialization exploits such as that found most recently in Log4j libraries.
その他の情報
ソリューション
Our Security team investigated the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and has determined that no Atlassian on-premises products are vulnerable to CVE-2021-44228. Please check the FAQ for CVE-2021-44228 for more detail.
After consulting with your internal security team, whitelist the Bamboo Java process in Cortex XDR and restart Bamboo.
You can create a Global Exception to whitelist a specific Java executable (jar, class) that you know to be benign directly from the Cortex XDR alert. The new Java Deserialization Exploit protection module is automatically activated when you enable Known Vulnerable Processes Protection in the Linux Exploit Security profile.
Source