Security Alert: Atlassian Bamboo

Subject:   Security Alert: Atlassian Bamboo
From:   Atlassian <noreply at mailer dot atlassian dot com>
Date:   17 May 2012 20:06

Dear customers,
 
We are writing to inform you of a recently discovered security vulnerability in Atlassian Bamboo. This security vulnerability is rated as CRITICAL. To fix this vulnerability, you should follow the instructions in the security advisory below.
 
Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. Neither Bamboo Studio nor OnDemand is vulnerable to any of the issues described in this advisory.
 
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17.
 
If you have any questions or concerns about this security vulnerability or about our policy of disclosure of security vulnerabilities, please visit our page on Atlassian Security Policies (http://confluence.atlassian.com/display/Support/Atlassian+Security+Policies) or raise a support request at http://support.atlassian.com/.
 
*** Security Advisory ***
This advisory discloses a critical security vulnerability that exists in all versions of Bamboo up to and including 3.4.4.
 
* Customers who have downloaded and installed Bamboo should upgrade their existing Bamboo installations to fix this vulnerability.
 
* Enterprise Hosted customers need to request an upgrade by raising a support request at http://support.atlassian.com/ in the "Enterprise Hosting Support" project.
 
* JIRA Studio and Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
 
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
 
*Critical XML Parsing Vulnerability*
 
Severity -- Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues (http://confluence.atlassian.com/display/BAMBOO/Severity+Levels+for+Security+Issues). The scale allows us to rank the severity as critical, high, medium or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.
 
Description -- We have identified and fixed a vulnerability in Bamboo that results from the way third-party XML parsers are used in Bamboo. This vulnerability allows an attacker to:
 
* execute denial of service attacks against the Bamboo server, and
 
* read all local files readable to the system user under which Bamboo runs.
 
The attacker needs an account on the affected Bamboo server instance and must be able to log in to execute the attack. All versions of Bamboo up to and including 3.4.4 are affected by this vulnerability. This issue can be tracked here: https://jira.atlassian.com/browse/BAM-11316
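The parser misuse described above is closed on the application side by configuring the XML parser to refuse DOCTYPE declarations and external entity resolution. The following is an added example of that hardened configuration for a JAXP (JDK default Xerces) parser; it is not Atlassian's code or Bamboo's own fix, and the sample document and class name are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Hypothetical helper class (not part of Bamboo) showing a hardened JAXP setup.
public class HardenedXmlParsing {

    // Builds a DocumentBuilder that refuses DOCTYPE declarations and never
    // resolves external entities. Without a DTD there are no entity
    // declarations, so neither the local-file read nor the entity-expansion
    // denial-of-service path described in the advisory is reachable.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: reject any <!DOCTYPE ...> outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DOCTYPE elsewhere:
        // never fetch external general/parameter entities or an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses untrusted XML with the hardened builder and fails closed:
    // returns null when the parser rejects the document.
    static Document parseUntrusted(String xml) throws Exception {
        try {
            return hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one carrying a DOCTYPE with an entity declaration
        // (the shape a parser must not honour from untrusted input), one plain.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE plan [ <!ENTITY e \"x\"> ]>\n"
            + "<plan>&e;</plan>";
        String plain = "<plan><name>build</name></plan>";

        System.out.println("doctype rejected: " + (parseUntrusted(withDoctype) == null));
        System.out.println("plain accepted:   " + (parseUntrusted(plain) != null));
    }
}
```

Setting a feature the underlying parser does not support throws ParserConfigurationException, which is the desired outcome: a deployment that cannot enforce these controls should fail at startup rather than parse untrusted input unprotected.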
 
Risk Mitigation -- We recommend that you upgrade your Bamboo installation to fix this vulnerability. Alternatively, if you are not in a position to upgrade or apply patches immediately, you should do all of the following until you can upgrade or patch. Please note that these measures only limit the impact of the vulnerability; they do not mitigate it completely.
 
* Disable public access, such as anonymous access (see http://confluence.atlassian.com/display/BAMBOO/Allowing+anonymous+access+to+Bamboo) and public signup (see http://confluence.atlassian.com/display/BAMBOO/Allowing+public+signup) to your Bamboo instance until you have applied the necessary patch or upgrade.
 
* Ensure that your Bamboo system user is restricted as described in best practices for Bamboo security (see http://confluence.atlassian.com/display/BAMBOO/Best+practices+for+Bamboo+security).
 
Fix
Upgrade (recommended): Upgrade to Bamboo 4.0 or later, which fixes this vulnerability. For a full description of this release, see the Bamboo 4.0 release notes (http://confluence.atlassian.com/display/BAMBOO/Bamboo+4.0+Release+Notes). The following releases have also been made available to fix this vulnerability in older Bamboo versions:
 
* Bamboo 3.3.4 for Bamboo 3.3.x
* Bamboo 3.4.5 for Bamboo 3.4.x
 
You can download these versions from the Bamboo download centre (http://www.atlassian.com/software/bamboo/BambooDownloadCenter.jspa).
 
Patches (not recommended): Patches are only available for Bamboo 3.2.x - 3.4.x.
 
We recommend patching only when you can neither upgrade nor apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy at http://confluence.atlassian.com/display/DOC/Security+Patch+Policy), as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly. If for some reason you cannot upgrade to the latest version of Bamboo, you must do all of the following steps to fix the vulnerability described in this security advisory.
 
1. Download the atlassian-bundled-plugins.zip file that is attached to the BAM-11316 issue (at https://jira.atlassian.com/browse/BAM-11316).
2. Stop Bamboo.
3. Make a backup of the <bamboo_install_dir> directory.
4. Copy atlassian-bundled-plugins.zip into webapp/WEB-INF/classes in the <bamboo_install_dir>, to replace the existing file of the same name.
5. Restart Bamboo.
 
Securely yours,
 
Atlassian