Security Alert: Atlassian Bamboo versions up through 3.4.2 affected

Subject:   Security Alert: Atlassian Bamboo versions up through 3.4.2 affected
From:   Atlassian <noreply at mailer dot atlassian dot com>
Date:   31 January 2012 19:06

Dear customers,
 
We are writing to inform you of two recently discovered security vulnerabilities in Atlassian Bamboo. Both of these security vulnerabilities are rated as CRITICAL. To fix these vulnerabilities, you should follow the instructions in the security advisory below.
 
Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. Neither Bamboo Studio nor OnDemand are vulnerable to any of the issues described in this advisory.
 
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-01-31.
 
If you have any questions or concerns about this security vulnerability or about our policy of disclosure of security vulnerabilities, please visit our page on Atlassian Security Policies (http://confluence.atlassian.com/display/Support/Atlassian+Security+Policies) or raise a support request at http://support.atlassian.com/.
 
*** Security Advisory ***
 
This advisory discloses two CRITICAL security vulnerabilities that exist in versions of Bamboo up to and including 3.4.2. You need to upgrade your existing Bamboo installations to fix these vulnerabilities.
 
Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com/ in the "Enterprise Hosting Support" project. Neither Bamboo Studio nor Atlassian OnDemand are vulnerable to any of the issues described in this advisory.
 
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
 
*Code Injection Vulnerability*
 
  - Severity -- Atlassian rates the severity level of this vulnerability as CRITICAL, according to the scale published in http://confluence.atlassian.com/display/BAMBOO/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, medium or low.
 
  - Description -- We have identified and fixed a vulnerability in Bamboo caused by a combination of issues in third-party libraries used in Bamboo, including the FreeMarker template library. This vulnerability allows an attacker to access any files on the Bamboo server that are readable by the Bamboo server process. The attacker does not need to authenticate in order to exploit the vulnerability. The vulnerability is related to the previously disclosed FreeMarker issue. The vulnerability does not affect Bamboo installations using Tomcat, which will usually be the case only for Bamboo standalone.
 
  - Vulnerability -- The list below describes the Bamboo versions and the specific functionality affected by the Webwork 2 vulnerability.
 
  1) Webwork 2 vulnerability: affects Bamboo versions up to and including 3.4.2; fixed in Bamboo versions 3.3.4 and 3.4.3. See tracking issue https://jira.atlassian.com/browse/BAM-10627.
 
  - Risk Mitigation -- We highly recommend that you upgrade your Bamboo installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to your instance of Bamboo by using a firewall.
 
  - Fix -- Bamboo 3.4.3 and later versions fix this issue. View the tracking issue above for information about fix versions. For a full description of the latest version of Bamboo, see the release notes (http://confluence.atlassian.com/display/BAMBOO/Bamboo+Release+Notes). You can download the latest version of Bamboo from the Bamboo download centre (http://www.atlassian.com/software/bamboo/BambooDownloadCenter.jspa). If you cannot upgrade to the latest version of Bamboo, you can patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.
 
  - Patches -- A binary patch for the Webwork 2 vulnerability is available for Bamboo versions 3.0 and later. The patch (SimpleConversionErrorInterceptor.zip) is attached to the BAM-10627 tracking issue (https://jira.atlassian.com/browse/BAM-10627).
 
  - Applying the patch -- If you are using Bamboo 3.0 or later:
 
  1) Download the SimpleConversionErrorInterceptor.zip file that is attached to the BAM-10627 issue (https://jira.atlassian.com/browse/BAM-10627).
 
  2) Stop Bamboo.
 
  3) Make a backup of the <bamboo_install_dir> directory.
 
  4) Create directories com/atlassian/bamboo/ww2/interceptors in the WEB-INF/classes directory, which can be found within your Bamboo installation.
 
  5) Unzip SimpleConversionErrorInterceptor.zip into com/atlassian/bamboo/ww2/interceptors:
 
# run these commands from the WEB-INF/classes directory of your Bamboo installation
mkdir -p com/atlassian/bamboo/ww2/interceptors
cd com/atlassian/bamboo/ww2/interceptors
unzip <download_dir>/SimpleConversionErrorInterceptor.zip
 
  6) Add a reference to the new SimpleConversionErrorInterceptor in the xwork.xml file in WEB-INF/classes:
 
<xwork>
...
<interceptor name="conversionError" class="com.atlassian.bamboo.ww2.interceptors.SimpleConversionErrorInterceptor"/>
...
</xwork>
 
  7) Restart Bamboo.
 
*Arbitrary File Disclosure Vulnerability*
 
  - Severity -- Atlassian rates the severity level of this vulnerability as CRITICAL, according to the scale published in http://confluence.atlassian.com/display/BAMBOO/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, medium or low.
 
  - Description -- We have identified and fixed a vulnerability in Bamboo caused by an underlying vulnerability in the third-party FreeMarker template library used in Bamboo. This vulnerability allows an attacker to access any files on the Bamboo server that are readable by the Bamboo server process. The attacker does not need to authenticate in order to exploit the vulnerability. The vulnerability is related to the previously disclosed FreeMarker issue (http://freemarker.sourceforge.net/docs/versions_2_3_17.html#autoid_137). The maintainer of the original library can be contacted at http://freemarker.sourceforge.net/.
 
  - Vulnerability -- The list below describes the Bamboo versions and the specific functionality affected by the arbitrary file disclosure vulnerability.
 
  1) Vulnerability in the third-party FreeMarker template library: affects Bamboo versions up to and including 3.4.2; fixed in Bamboo versions 3.3.4 and 3.4.3. See tracking issue https://jira.atlassian.com/browse/BAM-10628.
 
  - Risk Mitigation -- We recommend that you upgrade your Bamboo installation to fix this vulnerability. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to your instance of Bamboo by using a firewall.
 
  - Fix -- Bamboo 3.4.3 and later versions fix this issue. View the tracking issue above for information about fix versions. For a full description of the latest version of Bamboo, see the release notes (http://confluence.atlassian.com/display/BAMBOO/Bamboo+Release+Notes). You can download the latest version of Bamboo from the Bamboo download centre (http://www.atlassian.com/software/bamboo/BambooDownloadCenter.jspa). If you cannot upgrade to the latest version of Bamboo, you can patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.
 
  - Patches -- A binary patch for the FreeMarker vulnerability is available for Bamboo versions 3.0 and later. The patch (freemarker-2.3.16-atlassian-11.jar) is attached to the BAM-10628 tracking issue (https://jira.atlassian.com/browse/BAM-10628).
 
  - Applying the patch -- If you are using Bamboo 3.0 or later:
 
  1) Download the freemarker-2.3.16-atlassian-11.jar file that is attached to the BAM-10628 issue (https://jira.atlassian.com/browse/BAM-10628).
 
  2) Stop Bamboo.
 
  3) Make a backup of the <bamboo_install_dir> directory.
 
  4) Copy freemarker-2.3.16-atlassian-11.jar to WEB-INF/lib.
 
  5) Move the existing FreeMarker jar out of WEB-INF/lib to a backup location, so that only the patched jar remains on the classpath.
 
  6) Restart Bamboo.
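As an added post-patch check that is not part of Atlassian's advisory, the POSIX shell functions below verify that both patching procedures above took effect: for BAM-10627, that the interceptor class is on disk and xwork.xml references it; for BAM-10628, that WEB-INF/lib holds exactly one FreeMarker jar and that it is the patched one (a leftover original jar would leave classpath order to decide which version loads). It assumes the zip unpacks to SimpleConversionErrorInterceptor.class and that the caller passes the path of the web application's WEB-INF directory; the sample layouts and the name freemarker-2.3.16.jar for the original jar are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumption: the BAM-10627 zip unpacks to
# SimpleConversionErrorInterceptor.class; $1 is the WEB-INF directory of the Bamboo webapp.
set -u

# BAM-10627: the interceptor class must exist and xwork.xml must reference it.
check_bam10627() {
  webinf="$1"
  cls="$webinf/classes/com/atlassian/bamboo/ww2/interceptors/SimpleConversionErrorInterceptor.class"
  [ -f "$cls" ] || { echo "BAM-10627: class file missing: $cls"; return 1; }
  grep -q 'com\.atlassian\.bamboo\.ww2\.interceptors\.SimpleConversionErrorInterceptor' "$webinf/classes/xwork.xml" \
    || { echo "BAM-10627: xwork.xml does not reference SimpleConversionErrorInterceptor"; return 1; }
  echo "BAM-10627: patch present"
}

# BAM-10628: exactly one FreeMarker jar may remain in WEB-INF/lib, and it must be the patched one.
check_bam10628() {
  webinf="$1"
  count=$(find "$webinf/lib" -maxdepth 1 -name 'freemarker*.jar' | wc -l | tr -d ' ')
  [ "$count" -eq 1 ] || { echo "BAM-10628: expected 1 freemarker jar in WEB-INF/lib, found $count"; return 1; }
  [ -f "$webinf/lib/freemarker-2.3.16-atlassian-11.jar" ] \
    || { echo "BAM-10628: patched jar freemarker-2.3.16-atlassian-11.jar not found"; return 1; }
  echo "BAM-10628: patch present"
}

# Constructed sample WEB-INF layouts: "patched" is correct, "leftover" still has the old jar.
make_sample() {   # $1 = directory, $2 = patched | leftover
  mkdir -p "$1/classes/com/atlassian/bamboo/ww2/interceptors" "$1/lib"
  : > "$1/classes/com/atlassian/bamboo/ww2/interceptors/SimpleConversionErrorInterceptor.class"
  printf '<xwork>\n<interceptor name="conversionError" class="com.atlassian.bamboo.ww2.interceptors.SimpleConversionErrorInterceptor"/>\n</xwork>\n' \
    > "$1/classes/xwork.xml"
  : > "$1/lib/freemarker-2.3.16-atlassian-11.jar"
  [ "$2" = "leftover" ] && : > "$1/lib/freemarker-2.3.16.jar"   # constructed name for the original jar
  return 0
}

tmp=$(mktemp -d)
make_sample "$tmp/good" patched
make_sample "$tmp/bad" leftover
check_bam10627 "$tmp/good" && check_bam10628 "$tmp/good"        # both report "patch present"
check_bam10628 "$tmp/bad" || echo "leftover jar detected, as expected"
rm -rf "$tmp"
```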
 
Securely yours,
 
Atlassian