Summary

The Bamboo Server or Bamboo Remote Agent fails to start with a java.lang.NoClassDefFoundError: PanwHooks exception.

Environment

Palo Alto Cortex XDR security software running on the Bamboo/remote agent server.

Diagnosis

This exception can be found in the <BAMBOO_HOME>/logs/atlassian-bamboo.log file not long after starting Bamboo. On remote agents, it can be found in the <AGENT_HOME>/logs/atlassian-bamboo.log file.

2021-055-22 00:09:35,413 WARN [FelixStartLevel] [OsgiBundleXmlApplicationContext] Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.beans.factory.config.PropertyPlaceholderConfigurer#0' defined in OSGi resource[bundle://2.0:0/META-INF/spring/extender/extender-configuration.xml|bnd.id=4|bnd.sym=org.eclipse.gemini.blueprint.extender]: Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: PanwHooks

Cause

This has been known to be caused by a security software Palo Alto Cortex XDR agent (a.k.a traps) injecting itself into Bamboo's JVM in an attempt to prevent deserialization exploits such as that found most recently in Log4j libraries.

Solution

Our Security team investigated the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and has determined that no Atlassian on-premises products are vulnerable to CVE-2021-44228. Please check the FAQ for CVE-2021-44228 for more detail.

After consulting with your internal security team, whitelist the Bamboo Java process in Cortex XDR and restart Bamboo.

You can create a Global Exception to whitelist a specific Java executable (jar, class) that you know to be benign directly from the Cortex XDR alert. The new Java Deserialization Exploit protection module is automatically activated when you enable Known Vulnerable Processes Protection in the Linux Exploit Security profile.

Source