Bamboo Security Advisory 2012-01-31

This advisory discloses two CRITICAL security vulnerabilities that exist in all versions of Bamboo up to and including 3.4.2. You need to upgrade your existing Bamboo installations to fix these vulnerabilities. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project. Neither Bamboo Studio nor Atlassian OnDemand are vulnerable to any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.


Code Injection Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as CRITICAL, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.

Description

We have identified and fixed a code injection vulnerability in Bamboo caused by an underlying vulnerability in the third-party Webwork 2 framework. This vulnerability allows an attacker to run arbitrary Java code on a Bamboo server with the privileges of the user account that runs the Bamboo process. This vulnerability is a variant of a recently disclosed Struts2 vulnerability. The vulnerability exists in pages accessible by non-privileged users and can also be exploited by social engineering, e.g. having a legitimate user click on a specially crafted link.

The maintainer of the original library can be contacted at http://struts.apache.org/.

Vulnerability

The table below describes the Bamboo version and the specific functionality affected by the Webwork 2 vulnerability.

Bamboo Component | Affected Bamboo Versions               | Fixed Versions | Issue Tracking
-----------------|----------------------------------------|----------------|---------------
Webwork 2        | All versions up to and including 3.4.2 | 3.3.4, 3.4.3   | BAM-10627

Risk Mitigation

We highly recommend that you upgrade your Bamboo installation to fix these vulnerabilities.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to your instance of Bamboo by using a firewall.

Fix

Bamboo 3.4.3 and later versions fix this issue. View the issue linked above for information about fix versions. For a full description of the latest version of Bamboo, see the release notes. You can download the latest version of Bamboo from the Bamboo download centre.

If you cannot upgrade to the latest version of Bamboo, you can patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.

Patches

A binary patch for the Webwork 2 vulnerability is available for Bamboo versions 3.0 and later. The patch is attached to the BAM-10627 tracking issue.

Vulnerability                                                                   | Patch                       | Patch File Name
--------------------------------------------------------------------------------|-----------------------------|-------------------------------------
Code injection vulnerability in third-party Webwork 2 framework used by Bamboo | Attached to BAM-10627 issue | SimpleConversionErrorInterceptor.zip

Applying the patch

If you are using Bamboo 3.0 or later:

  1. Download the SimpleConversionErrorInterceptor.zip file that is attached to the BAM-10627 issue.
  2. Stop Bamboo.
  3. Make a backup of the <bamboo_install_dir> directory.
  4. Create directories com/atlassian/bamboo/ww2/interceptors in the WEB-INF/classes directory, which can be found within your Bamboo installation.

  5. Unzip SimpleConversionErrorInterceptor.zip into com/atlassian/bamboo/ww2/interceptors (the commands below are run from the WEB-INF/classes directory):

    mkdir -p com/atlassian/bamboo/ww2/interceptors
    cd com/atlassian/bamboo/ww2/interceptors
    unzip SimpleConversionErrorInterceptor.zip
  6. Add a reference to the new SimpleConversionErrorInterceptor in the xwork.xml file in WEB-INF/classes:

    <xwork>
    ...
    <interceptor name="conversionError" class="com.atlassian.bamboo.ww2.interceptors.SimpleConversionErrorInterceptor"/>
    ...
    </xwork>
  7. Restart Bamboo.

Arbitrary File Disclosure Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as CRITICAL, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.

Description

We have identified and fixed a vulnerability in Bamboo caused by a combination of issues in third-party libraries used in Bamboo, including the FreeMarker template library. This vulnerability allows an attacker to access any files on the Bamboo server that are readable by the Bamboo server process. The attacker does not need to authenticate in order to exploit the vulnerability. The vulnerability is related to the previously disclosed FreeMarker issue. The vulnerability does not affect Bamboo installations using Tomcat, as it will usually be present only in Bamboo standalone.

Vulnerability

The table below describes the Bamboo versions and the specific functionality affected by the arbitrary file disclosure vulnerability.

Bamboo Component | Affected Bamboo Versions               | Fixed Versions | Issue Tracking
-----------------|----------------------------------------|----------------|---------------
FreeMarker       | All versions up to and including 3.4.2 | 3.3.4, 3.4.3   | BAM-10628

Risk Mitigation

We recommend that you upgrade your Bamboo installation to fix this vulnerability.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to your instance of Bamboo by using a firewall.

Fix

Bamboo 3.4.3 and later versions fix this issue. View the issue linked above for information about fix versions. For a full description of the latest version of Bamboo, see the release notes. You can download the latest version of Bamboo from the Bamboo download centre.

If you cannot upgrade to the latest version of Bamboo, you can patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.

Patches

A binary patch for the FreeMarker vulnerability is available for Bamboo versions 3.0 and later. The patch is attached to the BAM-10628 tracking issue.

Vulnerability                                                                         | Patch                       | Patch File Name
--------------------------------------------------------------------------------------|-----------------------------|-----------------------------------
File disclosure vulnerability in third-party FreeMarker template library used by Bamboo | Attached to BAM-10628 issue | freemarker-2.3.16-atlassian-11.jar

Applying the patch

If you are using Bamboo 3.0 or later:

  1. Download the freemarker-2.3.16-atlassian-11.jar file that is attached to the BAM-10628 issue.
  2. Stop Bamboo.
  3. Make a backup of the <bamboo_install_dir> directory.
  4. Copy freemarker-2.3.16-atlassian-11.jar to WEB-INF/lib.

  5. Move the existing FreeMarker jar out of WEB-INF/lib to a backup location, so that only the patched jar remains on the classpath.

  6. Restart Bamboo.
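The two patch procedures above, as an added shell script that is not part of this advisory or of Atlassian's tooling: it applies the file steps idempotently and adds a pre-restart verification the advisory does not spell out. The WEB-INF paths follow the advisory; that the zip contains SimpleConversionErrorInterceptor.class and that xwork.xml already declares an interceptor named conversionError (with name= before class=) are assumptions.

```shell
#!/bin/sh
# Added example, not Atlassian's own tooling: scripts the advisory's two patch
# procedures idempotently and verifies the result before Bamboo is restarted.
set -eu

NEW_INTERCEPTOR='com.atlassian.bamboo.ww2.interceptors.SimpleConversionErrorInterceptor'
NEW_FM_JAR='freemarker-2.3.16-atlassian-11.jar'

# Webwork 2 patch, steps 4 and 5: create the package directory and unpack the class.
stage_interceptor_class() {   # $1 = <bamboo_install_dir>, $2 = SimpleConversionErrorInterceptor.zip
  dir="$1/WEB-INF/classes/com/atlassian/bamboo/ww2/interceptors"
  mkdir -p "$dir"
  unzip -o -q "$2" -d "$dir"
}

# Webwork 2 patch, step 6: point the conversionError interceptor at the new class.
# Assumption: xwork.xml already declares an interceptor named conversionError with
# name= before class= (as in the advisory's snippet); otherwise it refuses and
# leaves the edit to the operator. Re-running is a no-op; the original is kept as .pre-patch.
register_interceptor() {      # $1 = WEB-INF/classes/xwork.xml
  grep -qF "class=\"$NEW_INTERCEPTOR\"" "$1" && return 0
  if ! grep -q 'name="conversionError"' "$1"; then
    echo "no conversionError interceptor in $1; add the element by hand" >&2
    return 1
  fi
  sed -i.pre-patch "s|\(name=\"conversionError\"[^>]*class=\"\)[^\"]*\"|\1$NEW_INTERCEPTOR\"|" "$1"
}

# FreeMarker patch, steps 4 and 5: install the patched jar and move every other
# freemarker jar out of WEB-INF/lib so only one copy is on the classpath.
swap_freemarker_jar() {       # $1 = <bamboo_install_dir>, $2 = new jar, $3 = backup dir
  lib="$1/WEB-INF/lib"
  mkdir -p "$3"
  cp "$2" "$lib/$NEW_FM_JAR"
  for old in "$lib"/freemarker*.jar; do
    [ -e "$old" ] || continue
    [ "$(basename "$old")" = "$NEW_FM_JAR" ] || mv "$old" "$3/"
  done
}

# Pre-restart check: class file on the classpath, xwork.xml references the new
# class exactly once, and exactly one freemarker jar (the patched one) in WEB-INF/lib.
verify_patched() {            # $1 = <bamboo_install_dir>
  classes="$1/WEB-INF/classes"
  [ -f "$classes/com/atlassian/bamboo/ww2/interceptors/SimpleConversionErrorInterceptor.class" ] || return 1
  [ "$(grep -cF "$NEW_INTERCEPTOR" "$classes/xwork.xml")" -eq 1 ] || return 1
  [ "$(ls "$1/WEB-INF/lib" | grep -c '^freemarker.*\.jar$')" -eq 1 ] || return 1
  [ -f "$1/WEB-INF/lib/$NEW_FM_JAR" ]
}
```

Run `verify_patched <bamboo_install_dir>` after both procedures and before the restart; a non-zero exit means one of the steps did not take effect.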
Last modified on Aug 12, 2014
