Security Alert: Atlassian Bamboo 2.0 to 3.2 affected

Subject:   Security Alert: Atlassian Bamboo 2.0 to 3.2 affected
From:   Atlassian <noreply at mailer dot atlassian dot com>
Date:   23 November 2011 02:10

Dear customers,
 
We are writing to inform you of several recently discovered security vulnerabilities in Atlassian Bamboo. Six of these security vulnerabilities are rated as high; one is rated as medium. None are rated critical. To fix these vulnerabilities, you should follow the instructions in the security advisory below. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. Neither Bamboo Studio nor OnDemand is vulnerable to any of the issues described in this advisory.
 
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2011-11-22.
 
If you have any questions or concerns about these security vulnerabilities or about our policy of disclosure of security vulnerabilities, please visit our page on Atlassian Security Policies (http://confluence.atlassian.com/display/Support/Atlassian+Security+Policies) or raise a support request at http://support.atlassian.com/.
 
*** Security Advisory ***
 
This advisory announces a number of security vulnerabilities that we have found in recent versions of Bamboo prior to 3.3. You need to upgrade your existing Bamboo installations to fix these vulnerabilities. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com/ in the "Enterprise Hosting Support" project. Neither Bamboo Studio nor OnDemand is vulnerable to any of the issues described in this advisory.
 
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
 
*XSS Vulnerabilities*
 
Severity -- Atlassian rates the severity level of all these vulnerabilities as high, according to the scale published in http://confluence.atlassian.com/display/BAMBOO/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, medium or low. These vulnerabilities are not critical.
 
Risk Assessment -- We have identified and fixed a number of reflected and stored cross-site scripting (XSS) vulnerabilities in Bamboo. XSS vulnerabilities allow an attacker to embed their own JavaScript into a Bamboo page, where it runs in the browser of any user who views that page, with that user's Bamboo session. You can read more about XSS attacks at http://www.cgisecurity.com/articles/xss-faq.shtml, http://projects.webappsec.org/Cross-Site+Scripting and other places on the web.
 
Vulnerability -- The list below describes the Bamboo versions and the specific functionality affected by the XSS vulnerabilities.
 
1) Vulnerability in User Picker: affects all versions earlier than Bamboo 2.7.4; fixed in Bamboo 2.7.4 and 3.0. See tracking issue http://jira.atlassian.com/browse/BAM-10024.
 
2) Vulnerability in Default 'internal server error' page: affects all versions earlier than Bamboo 3.1; fixed in Bamboo 3.1. See tracking issue http://jira.atlassian.com/browse/BAM-10026.
 
3) Vulnerability in viewAgent.action: affects all versions earlier than Bamboo 3.1; fixed in Bamboo 3.1. See tracking issue http://jira.atlassian.com/browse/BAM-10027.
 
4) Vulnerability in configureAgents resource: affects all versions earlier than Bamboo 3.1; fixed in Bamboo 3.1. See tracking issue http://jira.atlassian.com/browse/BAM-10028.
 
5) Vulnerability in chooseBuildsToMove.action: affects all versions earlier than Bamboo 3.1; fixed in Bamboo 3.1. See tracking issue http://jira.atlassian.com/browse/BAM-10029.
 
Our thanks to Marian Ventuneac (http://www.ventuneac.net/) who reported several of the vulnerabilities mentioned above. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
 
Risk Mitigation -- We recommend that you upgrade your Bamboo installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to your Bamboo instance to trusted groups.
 
Fix -- Bamboo 3.1 and later versions fix all these issues. View the issues linked above for information on fix versions. For a full description of the latest version of Bamboo, see the release notes (http://confluence.atlassian.com/display/BAMBOO/Bamboo+Release+Notes). You can download the latest version of Bamboo from the Bamboo download centre (http://www.atlassian.com/software/bamboo/BambooDownloadCenter.jspa). There are no patches available to fix these vulnerabilities. You must upgrade your Bamboo installation.
 
*OS Command Injection Vulnerability*
 
Severity -- Atlassian rates the severity level of this vulnerability as high, according to the scale published in http://confluence.atlassian.com/display/BAMBOO/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, medium or low. This vulnerability is not critical.
 
Risk Assessment -- We have identified and fixed an OS command injection vulnerability in the third-party Perforce library used in Bamboo. This vulnerability allows an attacker to execute arbitrary OS commands on the Bamboo server as the Bamboo user. The attacker needs to have plan edit rights. Only servers that have Perforce integration enabled (i.e. have a Perforce capability defined on the server) can be exploited. You can read more about command injection attacks and their consequences at OWASP (https://www.owasp.org/index.php/OS_Command_Injection) and other places on the web. Note that if your server has local agents enabled, anyone who controls build plans is already capable of causing arbitrary code to run locally as part of the normal build process, and this bug does not lead to any additional access; on a server that runs builds only on remote agents, however, the bug does give a plan editor code execution on the Bamboo server itself. The maintainer of the original library can be contacted at https://github.com/digerata/P4Java/.
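The bug class described above, as an added illustration that is not the P4Java or Bamboo code: a value an attacker controls through a build plan (here a Perforce depot path) is spliced into a command string that a shell re-parses, beside the fixed form that passes the program and its arguments as a list so the value stays a single argument. 'echo' stands in for the real p4 client (an assumption, so the demo is harmless and runs offline), the malicious depot path is constructed input, and the allowlist check is the defence-in-depth layer you would add in front of any command construction.

```python
"""
Added example, not Atlassian's or P4Java's code: OS command injection via a
plan-controlled value spliced into a shell command string, and the argv-list
form that is immune to it.  'echo' stands in for the 'p4' binary (assumption).
"""
import re
import subprocess

P4_CLIENT = "echo"  # assumption: stands in for the 'p4' client on PATH

# Constructed attacker input: a "depot name" carrying a shell command separator
# and a comment marker that discards the rest of the generated command line.
MALICIOUS_DEPOT = "depot; echo INJECTED #"

# Defence in depth: a depot path needs only these characters, so anything else
# (';', '`', '$', '|', quotes, whitespace) is rejected before a command is built.
DEPOT_PATH_ALLOWED = re.compile(r"^[A-Za-z0-9_./-]+$")


def sync_vulnerable(depot_path: str) -> str:
    """Builds one string and hands it to /bin/sh (shell=True).
    Every shell metacharacter inside depot_path is interpreted by the shell,
    so 'depot; echo INJECTED #' runs a second command of the attacker's choosing."""
    cmd = f"{P4_CLIENT} sync //{depot_path}/..."
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return done.stdout


def sync_fixed(depot_path: str) -> str:
    """Passes the program and its arguments as a list: no shell is involved,
    so depot_path reaches the client verbatim as exactly one argument."""
    argv = [P4_CLIENT, "sync", f"//{depot_path}/..."]
    done = subprocess.run(argv, capture_output=True, text=True, check=False)
    return done.stdout


def is_safe_depot_path(depot_path: str) -> bool:
    """Allowlist check applied to plan input before any command is constructed."""
    return bool(DEPOT_PATH_ALLOWED.match(depot_path))


def injected_command_ran(output: str, marker: str = "INJECTED") -> bool:
    """True when the marker appears as a line of its own, i.e. the shell ran the
    attacker's second command instead of treating it as part of the path."""
    return marker in output.splitlines()


if __name__ == "__main__":
    print("shell=True :", repr(sync_vulnerable(MALICIOUS_DEPOT)))
    print("argv list  :", repr(sync_fixed(MALICIOUS_DEPOT)))
    print("allowlisted:", is_safe_depot_path(MALICIOUS_DEPOT))
```

With the constructed input, the shell form prints `sync //depot` and then `INJECTED` on its own line (two commands ran), while the argv form prints the whole attacker string as one literal path argument. The allowlist is a second line of defence, not a substitute for the argv list: rejecting metacharacters protects against inputs you did not anticipate, but only the list form removes the shell from the picture.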
 
Vulnerability -- The list below describes the Bamboo versions and the specific functionality affected by the OS command injection vulnerability.
 
1) OS command injection vulnerability in Perforce library: affects Bamboo 2.4 – 3.1; fixed in Bamboo 3.1.1 and 3.2. See tracking issue http://jira.atlassian.com/browse/BAM-10030.
 
Risk Mitigation -- We recommend that you upgrade your Bamboo installation to fix this vulnerability. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict plan edit rights to trusted groups, since an attacker needs those rights to exploit this issue, and remove the Perforce capability from servers that do not need it.
 
Fix -- Bamboo 3.2 and later versions fix this issue. View the issue linked above for information on fix versions. For a full description of the latest version of Bamboo, see the release notes (http://confluence.atlassian.com/display/BAMBOO/Bamboo+Release+Notes). You can download the latest version of Bamboo from the Bamboo download centre (http://www.atlassian.com/software/bamboo/BambooDownloadCenter.jspa). If you cannot upgrade to the latest version of Bamboo, you can patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.
 
Patches -- If you are running Bamboo 2.4 – 3.1, you can apply the following library patch to fix the BAM-10030 vulnerability. We strongly recommend upgrading and not patching.
 
A patch for the OS command injection vulnerability in the Perforce library is available for Bamboo 2.4 – 3.1 and is attached to tracking issue BAM-10030.
 
Applying the patch -- If you are using Bamboo 2.4 – 3.1:
 
1) Download the p4java-0.7.5-atlassian-6.jar file that is attached to the BAM-10030 (http://jira.atlassian.com/browse/BAM-10030) issue.  
2) Stop Bamboo.  
3) Make a backup of the <bamboo_install_dir> directory.  
4) Copy the downloaded jar file into <bamboo_install_dir>/Bamboo/webapp/WEB-INF/lib, and delete the existing p4java jar file, so that exactly one p4java jar remains on the classpath (two versions side by side make it unpredictable which one is loaded).  
5) Restart Bamboo.
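Steps 3 and 4 above, as an added script that is not Atlassian's: it backs up the install directory, refuses to proceed unless exactly one p4java jar is present, swaps in the patch jar, and verifies that only the patched jar remains. Stopping and restarting Bamboo (steps 2 and 5) are left to the operator. The WEB-INF/lib path and the p4java-0.7.5-atlassian-6.jar name come from the advisory; the pre-patch jar name and the rehearsal fixture are constructed test data.

```python
"""
Added example, not Atlassian's code: steps 3 and 4 of the BAM-10030 patch
procedure with the classpath checks an operator would want.  Stop Bamboo
before running it and restart Bamboo afterwards (steps 2 and 5).
"""
import pathlib
import shutil
import tempfile
import time

LIB_SUBDIR = pathlib.Path("Bamboo") / "webapp" / "WEB-INF" / "lib"  # from the advisory
PATCH_JAR_NAME = "p4java-0.7.5-atlassian-6.jar"                       # from the advisory


def swap_p4java_jar(install_dir, new_jar) -> dict:
    """Back up <install_dir>, replace the single existing p4java jar with new_jar,
    and verify the result.  Raises instead of guessing when the lib directory is
    not in the expected state."""
    install_dir = pathlib.Path(install_dir)
    new_jar = pathlib.Path(new_jar)
    lib_dir = install_dir / LIB_SUBDIR
    if not lib_dir.is_dir():
        raise FileNotFoundError(f"no {LIB_SUBDIR} under {install_dir}")
    if new_jar.name != PATCH_JAR_NAME:
        raise ValueError(f"expected {PATCH_JAR_NAME}, got {new_jar.name}")
    existing = sorted(lib_dir.glob("p4java*.jar"))
    if len(existing) != 1:
        raise RuntimeError(f"expected exactly one p4java jar, found {[p.name for p in existing]}")
    if existing[0].name == PATCH_JAR_NAME:
        # Re-run after a successful patch: nothing to do, and no second backup.
        return {"backup": None, "removed": [], "installed": str(existing[0]), "already_patched": True}
    # Step 3: back up the whole install directory before touching anything.
    backup = install_dir.with_name(f"{install_dir.name}.bak-{time.strftime('%Y%m%d%H%M%S')}")
    shutil.copytree(install_dir, backup)
    # Step 4: copy the patch jar in, then delete the old jar.
    installed = lib_dir / PATCH_JAR_NAME
    shutil.copy2(new_jar, installed)
    existing[0].unlink()
    # Post-check: exactly one p4java jar on the classpath, and it is the patched one.
    remaining = [p.name for p in lib_dir.glob("p4java*.jar")]
    if remaining != [PATCH_JAR_NAME]:
        raise RuntimeError(f"post-check failed, lib now holds {remaining}")
    return {"backup": str(backup), "removed": [existing[0].name],
            "installed": str(installed), "already_patched": False}


def rehearse_in_tempdir() -> dict:
    """Constructed fixture: a fake install dir holding an older p4java jar plus a
    fake patch jar.  Runs the swap twice to show the second run is a no-op."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="bamboo-patch-rehearsal-"))
    install_dir = root / "atlassian-bamboo"
    lib_dir = install_dir / LIB_SUBDIR
    lib_dir.mkdir(parents=True)
    old_jar = lib_dir / "p4java-0.7.5-atlassian-5.jar"  # constructed pre-patch jar name
    old_jar.write_bytes(b"old library bytes")
    new_jar = root / PATCH_JAR_NAME
    new_jar.write_bytes(b"patched library bytes")
    first = swap_p4java_jar(install_dir, new_jar)
    second = swap_p4java_jar(install_dir, new_jar)
    result = {
        "first": first,
        "second": second,
        "lib_contents": sorted(p.name for p in lib_dir.iterdir()),
        "backup_has_old_jar": (pathlib.Path(first["backup"]) / LIB_SUBDIR / old_jar.name).is_file(),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(rehearse_in_tempdir())
```

Run it against the real installation as `swap_p4java_jar("/opt/atlassian-bamboo", "/tmp/p4java-0.7.5-atlassian-6.jar")` after stopping Bamboo; if it raises because zero or two p4java jars are present, inspect the lib directory by hand rather than forcing the swap, since a duplicate library on the classpath can silently leave the unpatched code in use.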
 
*Information Leakage Vulnerability*
 
Severity -- Atlassian rates the severity level of this vulnerability as medium, according to the scale published in http://confluence.atlassian.com/display/BAMBOO/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, medium or low. This vulnerability is not critical.
 
Risk Assessment -- We have identified and fixed an information leakage vulnerability in Bamboo. This vulnerability allows an attacker to list the contents of any directory on the server that is readable by the Bamboo user (directory and file names, but not the contents of the files).
 
Vulnerability -- The list below describes the Bamboo versions and the specific functionality affected by the information leakage vulnerability.
 
1) Information leakage vulnerability: affects Bamboo 2.0 – 3.2; fixed in Bamboo 3.2.3 and 3.3. See tracking issue http://jira.atlassian.com/browse/BAM-10031.
 
Risk Mitigation -- We recommend that you upgrade your Bamboo installation to fix this vulnerability. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to your Bamboo instance to trusted groups.
 
Fix -- Bamboo 3.3 and later versions fix this issue. View the issue linked above for information on fix versions. For a full description of the latest version of Bamboo, see the release notes (http://confluence.atlassian.com/display/BAMBOO/Bamboo+Release+Notes). You can download the latest version of Bamboo from the Bamboo download centre (http://www.atlassian.com/software/bamboo/BambooDownloadCenter.jspa). There are no patches available to fix this vulnerability. You must upgrade your Bamboo installation.
 
Securely yours,
 
Atlassian