Dear customers,
We are writing to inform you of a newly discovered security vulnerability that we have found in Bamboo and fixed in a recent version of Bamboo.
* Customers who have downloaded and installed Bamboo should upgrade their existing Bamboo installations to fix this vulnerability.
* Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to
https://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-08-28
If you have questions or concerns regarding this advisory, please raise a support request at
http://support.atlassian.com/.
*** Security advisory ***
*OGNL Injection Vulnerability*
Severity -- Atlassian rates the severity level of this vulnerability as Critical, according to the scale published in Severity Levels for Security Issues:
https://confluence.atlassian.com/display/BAMBOO/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description -- We have identified and fixed a vulnerability caused by the way WebWork/Struts and FreeMarker templates are used in Bamboo. The vulnerability allows an unauthenticated user to execute arbitrary Java methods in the JVM hosting the Bamboo application. This can be used to execute OS commands as the JVM user. All versions of Bamboo up to and including 4.0.1 are affected. This issue can be tracked here:
https://jira.atlassian.com/browse/BAM-12066. This vulnerability has been fixed in Bamboo 4.0.2. A patch is available for Bamboo 3.0 and above.
* Bamboo 4.x -- Fixed in 4.0.2
* Bamboo 3.x -- Patches available. See
https://jira.atlassian.com/browse/BAM-12066
Risk Mitigation -- If you cannot upgrade immediately, you should disable public access to your Bamboo instance to mitigate the risk of this vulnerability.
Fix -- The vulnerability and its fix versions are described in the 'Description' section above. We recommend that you upgrade to the latest version of Bamboo, if possible. For a full description of the latest version of Bamboo, see the release notes:
https://confluence.atlassian.com/display/BAMBOO/Bamboo+release+notes. You can download the latest version of Bamboo from the download centre:
http://www.atlassian.com/software/bamboo/BambooDownloadCenter.jspa.
Kind regards,
Atlassian