Bamboo Security Advisory 2014-02-26
This advisory details a critical security vulnerability that we have found in Bamboo and fixed in recent versions of Bamboo.
- Customers who have downloaded and installed Bamboo should upgrade their existing Bamboo installations or apply the patches to fix these vulnerabilities.
- Atlassian OnDemand customers have been upgraded with the fixes for the issues described in this advisory.
The vulnerability affects all versions of Bamboo up to and including 5.2.1.
Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.
User privilege escalation
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in https://www.atlassian.com/security. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have identified and fixed a vulnerability in Bamboo which allowed unauthenticated users to commit actions on behalf of any other authorised user. In order to exploit this vulnerability, an attacker requires access to your Bamboo web interface.
A Bamboo server is only vulnerable if it has been configured to be a part of an Application link with Trusted Applications authentication. This is not the default configuration.
The vulnerability affects all supported versions of Bamboo up to and including 5.2.1. It has been fixed in 5.2.2. The issue is tracked in BAM-14038 - Getting issue details... STATUS .
Risk Mitigation
If you are unable to upgrade or patch your Bamboo server you can do the following as a temporary workaround:
- Block access to your Bamboo server web interface from untrusted networks, such as the Internet.
- Remove any Application links that use Trusted Applications authentication and re-create them using OAuth.
Fix
This vulnerability can be fixed by upgrading Bamboo. There is also a patch available for this vulnerability for all supported versions of Bamboo. If you have any questions, please raise a support request at http://support.atlassian.com. We recommend upgrading.
The Security Patch Policy describes when and how we release security patches and security upgrades for our products.
Upgrading Bamboo
Upgrade to Bamboo 5.2.2, 5.1.2 or 5.0.2 or a later version, which fixes this vulnerability. For a full description of these releases, see the Bamboo Release Notes. You can download these versions of Bamboo from the download centre.
Patches
We recommend patching only when you cannot upgrade or cannot apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy ) as an interim solution until you can upgrade. You should not continually patch your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, and we strongly recommend upgrading to the most recent version regularly.
If for some reason you cannot upgrade to the latest version of Bamboo, you must apply the patch provided below to fix the vulnerability described in this advisory. It has been tested for all supported versions of Bamboo.
Download the patch file.
VersionPatchMD5 Bamboo 5.0.1 patch_bamboo_5.0.1.tar.gz e5a2da7444104326ea70a01bf85fad31
Bamboo 5.1.1 patch_bamboo_5.1.1.tar.gz 00cc9a1928646efa82e882294ee06776
Bamboo 5.2.1 patch_bamboo_5.2.1.tar.gz 369692472d8b556e692a9459c9f6ecd7
- Shutdown Bamboo.
- For Bamboo 5.0.1 move files
<Bamboo-INSTALL>/webapp/WEB-INF/lib
to a location outside the<Bamboo-INSTALL>
folder:- applinks-api-3.11.0-m8.jar
- applinks-host-3.11.0-m8.jar
- applinks-spi-3.11.0-m8.jar
- atlassian-trusted-apps-core-2.5.2.jar
- atlassian-trusted-apps-seraph-integration-2.5.2.jar
- sal-api-2.9.1.jar
- sal-spi-2.9.1.jar
- sal-spring-2.9.1.jar
- For Bamboo 5.1.1 move files
<Bamboo-INSTALL>/atlassian-bamboo/WEB-INF/lib
to a location outside the<Bamboo-INSTALL>
folder:- applinks-api-4.0.0-m07.jar
- applinks-host-4.0.0-m07.jar
- applinks-spi-4.0.0-m07.jar
- atlassian-trusted-apps-core-2.5.2.jar
- atlassian-trusted-apps-seraph-integration-2.5.2.jar
- sal-api-2.10.2.jar
- sal-spi-2.10.2.jar
- sal-spring-2.10.2.jar
- For Bamboo 5.2.1 move files
<Bamboo-INSTALL>/atlassian-bamboo/WEB-INF/lib
to a location outside the<Bamboo-INSTALL>
folder:- applinks-api-4.0.3.jar
- applinks-host-4.0.3.jar
- applinks-spi-4.0.3.jar
- atlassian-trusted-apps-core-3.0.2.jar
- atlassian-trusted-apps-seraph-integration-3.0.2.jar
- sal-api-2.10.9.jar
- sal-spi-2.10.9.jar
- sal-spring-2.10.9.jar
- Unpack the downloaded patch content to folder
WEB-INF/lib/
. Start up Bamboo.