Bamboo Security Advisory 2011-11-22
This advisory discloses a number of security vulnerabilities that we have found in versions of Bamboo prior to 3.3. You need to upgrade your existing Bamboo installations to fix these vulnerabilities. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project. Neither Bamboo Studio nor OnDemand is vulnerable to any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
XSS Vulnerabilities
Severity
Atlassian rates the severity level of all these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low. These vulnerabilities are not critical.
Risk Assessment
We have identified and fixed a number of reflected and stored cross-site scripting (XSS) vulnerabilities in Bamboo. XSS vulnerabilities allow an attacker to embed their own JavaScript into a Bamboo page. You can read more about XSS attacks at cgisecurity.com, The Web Application Security Consortium and other places on the web.
Vulnerability
The table below describes the Bamboo versions and the specific functionality affected by the XSS vulnerabilities.
Bamboo Feature | Affected Bamboo Versions | Fixed Version | Issue Tracking
---|---|---|---
User Picker | all earlier than 2.7.4 | 2.7.4, 3.0 | BAM-10024
Default 'internal server error' page | all earlier than 3.1 | 3.1 | BAM-10026
viewAgent.action | all earlier than 3.1 | 3.1 | BAM-10027
configureAgents resource | all earlier than 3.1 | 3.1 | BAM-10028
chooseBuildsToMove.action | all earlier than 3.1 | 3.1 | BAM-10029
Our thanks to Marian Ventuneac (http://www.ventuneac.net) who reported several of the vulnerabilities mentioned above. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
Risk Mitigation
We recommend that you upgrade your Bamboo installation to fix these vulnerabilities.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to trusted groups.
Fix
Bamboo 3.1 and later versions fix all these issues. View the issue linked above for information on fix versions. For a full description of the latest version of Bamboo, see the release notes. You can download the latest version of Bamboo from the Bamboo download centre.
There are no patches available to fix these vulnerabilities. You must upgrade your Bamboo installation.
OS Command Injection Vulnerability
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low. This vulnerability is not critical.
Risk Assessment
We have identified and fixed an OS command injection vulnerability in the third-party Perforce library used in Bamboo. This vulnerability allows an attacker to execute arbitrary OS commands on a Bamboo server as the Bamboo user. The attacker needs to have plan edit rights. Only servers that have Perforce integration enabled (i.e. have a Perforce capability defined on the server) can be exploited. You can read more about command injection attacks and their consequences at OWASP and other places on the web.
Note that if your server has local agents enabled, anyone who controls build plans is already capable of causing arbitrary code to run locally as part of the normal build process, and this bug does not lead to any additional access.
The maintainer of the original library can be contacted at https://github.com/digerata/P4Java/.
Vulnerability
The table below describes the Bamboo versions and the specific functionality affected by the OS command injection vulnerability.
Bamboo Feature | Affected Bamboo Versions | Fixed Version | Issue Tracking
---|---|---|---
OS command injection vulnerability in Perforce library | 2.4 – 3.1 | 3.1.1, 3.2 | BAM-10030
Risk Mitigation
We recommend that you upgrade your Bamboo installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to trusted groups.
Fix
Bamboo 3.2 and later versions fix this issue. View the issue linked above for information on fix versions. For a full description of the latest version of Bamboo, see the release notes. You can download the latest version of Bamboo from the Bamboo download centre.
If you cannot upgrade to the latest version of Bamboo, you can patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.
Patches
If you are running Bamboo 2.4 – 3.1, you can apply the following library patch to fix the BAM-10030 vulnerability. We strongly recommend upgrading and not patching.
Vulnerability | Patch | Patch File Name
---|---|---
OS command injection vulnerability in Perforce library used by Bamboo | Attached to issue BAM-10030 | p4java-0.7.5-atlassian-6.jar
Patch Procedure: Install the Patch
A patch is available for Bamboo 2.4 – 3.1.
The patch addresses the following issue:
- OS command injection vulnerability in Perforce library used by Bamboo (BAM-10030).
Applying the patch
If you are using Bamboo 2.4 – 3.1:
- Download the p4java-0.7.5-atlassian-6.jar file that is attached to the BAM-10030 issue.
- Stop Bamboo.
- Make a backup of the <bamboo_install_dir> directory.
- Copy the downloaded jar file into <bamboo_install_dir>/Bamboo/webapp/WEB-INF/lib, and delete the existing p4java jar file.
- Restart Bamboo.
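The procedure above, as a scripted, checked version. This is an added example and not Atlassian's patch or anything attached to BAM-10030: it validates every precondition (lib directory present, the jar named in the advisory supplied, exactly one existing p4java jar to replace) before Bamboo is stopped or anything is copied, so a half-applied patch cannot happen, and it leaves a verification function you can rerun after the restart. The stop and start commands are not named in the advisory, so the script takes them from the operator-set environment variables BAMBOO_STOP_CMD and BAMBOO_START_CMD (an assumption), and the backup is a copy of the install directory placed next to it (also an assumption).

```shell
#!/bin/sh
# Added example, not from the advisory or from Atlassian: scripted form of the
# BAM-10030 patch procedure. Assumptions not stated by the advisory: Bamboo is
# stopped/started with the commands in BAMBOO_STOP_CMD / BAMBOO_START_CMD, and the
# backup is a copy of <bamboo_install_dir> created beside it.
set -eu

# Patched library file name, as attached to BAM-10030.
PATCHED_JAR_NAME='p4java-0.7.5-atlassian-6.jar'

# lib_dir_of <bamboo_install_dir>: the directory the advisory says the jar goes in.
lib_dir_of() {
    printf '%s/Bamboo/webapp/WEB-INF/lib\n' "$1"
}

# apply_p4java_patch <bamboo_install_dir> <path_to_downloaded_jar>
# Prints the backup directory on success. Returns non-zero, having changed
# nothing, if any precondition fails.
apply_p4java_patch() {
    install_dir=$1
    new_jar=$2
    lib_dir=$(lib_dir_of "$install_dir")

    # Preconditions: paths exist, the supplied jar is the one the advisory names,
    # and the (assumed) stop/start commands are set.
    [ -d "$lib_dir" ] || { echo "no lib directory at $lib_dir" >&2; return 1; }
    [ -f "$new_jar" ] || { echo "patched jar not found: $new_jar" >&2; return 1; }
    [ "$(basename "$new_jar")" = "$PATCHED_JAR_NAME" ] \
        || { echo "expected $PATCHED_JAR_NAME, got $(basename "$new_jar")" >&2; return 1; }
    [ -n "${BAMBOO_STOP_CMD:-}" ] && [ -n "${BAMBOO_START_CMD:-}" ] \
        || { echo "set BAMBOO_STOP_CMD and BAMBOO_START_CMD first" >&2; return 1; }

    # Exactly one existing p4java jar is expected; anything else is left to a human.
    set -- "$lib_dir"/p4java*.jar
    [ -e "$1" ] || set --
    if [ "$#" -ne 1 ]; then
        echo "expected exactly one p4java*.jar in $lib_dir, found $#" >&2
        return 1
    fi
    old_jar=$1

    # The advisory's steps: stop, back up, replace the jar, restart.
    sh -c "$BAMBOO_STOP_CMD"
    backup="${install_dir}.bak-$(date +%Y%m%d%H%M%S)"
    cp -Rp "$install_dir" "$backup"
    rm -f "$old_jar"
    cp "$new_jar" "$lib_dir/"
    sh -c "$BAMBOO_START_CMD"
    printf '%s\n' "$backup"
}

# verify_p4java_patch <bamboo_install_dir>: succeeds only when the lib directory
# holds the patched jar and no other p4java jar.
verify_p4java_patch() {
    lib_dir=$(lib_dir_of "$1")
    set -- "$lib_dir"/p4java*.jar
    [ -e "$1" ] && [ "$#" -eq 1 ] && [ "$(basename "$1")" = "$PATCHED_JAR_NAME" ]
}

# Usage: BAMBOO_STOP_CMD='...' BAMBOO_START_CMD='...' sh patch.sh <install_dir> <jar>
if [ "$#" -eq 2 ]; then
    apply_p4java_patch "$1" "$2" && verify_p4java_patch "$1"
fi
```

The ordering is the point: every check runs before the stop command, so the only way the script leaves the installation stopped is if the copy itself fails, and the backup it printed is the rollback. If the lib directory holds no p4java jar or more than one, the script stops and tells you, rather than deleting on a guess.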
Information Leakage Vulnerability
Severity
Atlassian rates the severity level of this vulnerability as medium, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low. This vulnerability is not critical.
Risk Assessment
We have identified and fixed an information leakage vulnerability in Bamboo. This vulnerability allows an attacker to view all directory listings (but not the content of the files) on the server readable by the Bamboo user.
Vulnerability
The table below describes the Bamboo versions and the specific functionality affected by the information leakage vulnerability.
Bamboo Feature | Affected Bamboo Versions | Fixed Version | Issue Tracking
---|---|---|---
Information leakage | 2.0 – 3.2 | 3.2.3, 3.3 |
Risk Mitigation
We recommend that you upgrade your Bamboo installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to trusted groups.
Fix
Bamboo 3.3 and later versions fix this issue. View the issue linked above for information on fix versions. For a full description of the latest version of Bamboo, see the release notes. You can download the latest version of Bamboo from the Bamboo download centre.
There are no patches available to fix this vulnerability. You must upgrade your Bamboo installation.