Bamboo Security Advisory 2015-06-17

Note: As of September 2014 we are no longer issuing binary bug patches. Instead we create new maintenance releases for the major versions we are back porting.

Date of Advisory: 

CVE ID: CVE-2015-4136


Summary of Vulnerability

This advisory discloses a critical severity security vulnerability that exists in versions of the Bamboo Elastic Agent Windows Stock Image (Windows 2012) that were first made available in Bamboo 5.8.0.

Customers not using Elastic Bamboo or using stock images other than Windows 2012 (e.g. Windows 2008) are not affected.

Atlassian Cloud Bamboo instances have already been upgraded to use a new AMI that does not have the issue described on this page.

Customers who have downloaded Bamboo Server 5.8.0 or 5.8.1 were only affected until , due to BAM-15801.

SSH Authorization permitted for a user with hard-coded credentials in Windows Stock Image (Windows Server 2012 R2) AMI


Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.


In Bamboo 5.8.0 and 5.8.1 the Windows Stock Image (Windows Server 2012 R2) AMI contains a 'bamboo' user which is configured with a publicly known password. While the 'bamboo' user is not allowed RDP access, it was permitted to log in through SSH on instances using the affected AMI. In the event that a vulnerable live agent is discovered by an attacker, the attacker could use this vulnerability to SSH into affected Elastic Agents as the 'bamboo' user and execute arbitrary commands as that user. As builds execute as the 'bamboo' user, an attacker would have access to any files used or generated as part of builds.

Your Bamboo Server builds may have been affected if all of the following conditions are true:

  1. Bamboo was running version 5.8.0 or 5.8.1 after the  and before .
  2. A build was configured to use a Windows Stock Image (Windows Server 2012 R2) AMI with an accessible port 22. That port is not accessible at all if 'elasticbamboo' Security Group has been modified to exclude port 22. The port is not accessible from the public Internet if the instances were running in a VPC with public addressing disabled.
  3. The build was run before . (After the  the bamboo user password expired, which prevents the bamboo user from logging in.)

Your Bamboo Cloud builds may have been affected if all of the following conditions are true:

  1. A build was configured to use a Windows Stock Image (Windows Server 2012 R2) AMI with an accessible port 22. The port is only inaccessible if the 'elasticbamboo' Security Group has been modified to exclude port 22.
  2. The build was run between   and    or between   and .


We have taken the following steps to address this issue:

  1. We have made the affected AMI private to coincide with the release of this advisory. Bamboo won't be able to start new instances of those AMIs, generating an exception instead.
  2. Bamboo Cloud has been updated to use new AMIs that are not vulnerable to this issue.
  3. Bamboo Server 5.9.0, which uses the fixed AMIs, is available for download from

Affected AMI

If you have created an AMI based upon any of the following AMI identifiers you should re-create your AMI. If you have a custom image configuration in Bamboo using one of the following AMIs, update the AMI id to a fixed one.



Fixed AMI

The following AMIs include the fix for this issue and are not affected. You can use them to recreate your custom images.

These AMI are used in the stock images in Cloud and Bamboo version 5.9.0.

Region                      Region code      AMI ID
Asia Pacific (Singapore)    ap-southeast-1   ami-c21a2390
South America (Sao Paulo)   sa-east-1        ami-f550d6e8
US East (N. Virginia)       us-east-1        ami-50697038
EU (Frankfurt)              eu-central-1     ami-e0f4cafd
EU (Ireland)                eu-west-1        ami-1f750268
US West (Oregon)            us-west-2        ami-77764b47
Asia Pacific (Tokyo)        ap-northeast-1   ami-b4f520b4
Asia Pacific (Sydney)       ap-southeast-2   ami-fb81ffc1
US West (N. California)     us-west-1        ami-6b3bd22f
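The exposure conditions listed above (an image not yet on a fixed AMI, combined with a security group that admits port 22) can be checked mechanically. The following is an added example, not Atlassian's code: the security-group records are constructed in the shape of the `aws ec2 describe-security-groups` JSON output, and the image records use a hypothetical shape, not Bamboo's own configuration format. It does not model the VPC public-addressing condition, so it errs on the side of flagging.

```python
# Fixed AMI IDs per region, as listed in the advisory.
FIXED_AMIS = {
    "ap-southeast-1": "ami-c21a2390", "sa-east-1": "ami-f550d6e8",
    "us-east-1": "ami-50697038", "eu-central-1": "ami-e0f4cafd",
    "eu-west-1": "ami-1f750268", "us-west-2": "ami-77764b47",
    "ap-northeast-1": "ami-b4f520b4", "ap-southeast-2": "ami-fb81ffc1",
    "us-west-1": "ami-6b3bd22f",
}

def rule_opens_ssh(perm):
    """True if one IpPermissions entry admits TCP/22 from some source."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):          # "-1" means all protocols and ports
        return False
    if proto == "tcp" and not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
        return False
    # Any CIDR, IPv6 range or referenced group makes the port reachable from somewhere.
    return bool(perm.get("IpRanges") or perm.get("Ipv6Ranges") or perm.get("UserIdGroupPairs"))

def ssh_exposed(security_group):
    return any(rule_opens_ssh(p) for p in security_group.get("IpPermissions", []))

def image_findings(images, security_groups):
    """List (image name, reasons) for images that still need attention."""
    sg_by_name = {sg["GroupName"]: sg for sg in security_groups}
    findings = []
    for img in images:
        if img["ami"] == FIXED_AMIS.get(img["region"]):
            continue                        # already on a fixed stock AMI
        reasons = ["not a fixed stock AMI"]
        sg = sg_by_name.get(img["security_group"])
        if sg is not None and ssh_exposed(sg):
            reasons.append("security group admits port 22")
        findings.append((img["name"], reasons))
    return findings

# Constructed sample data; ami-00000000 is a placeholder, not a real image.
SAMPLE_GROUPS = [
    {"GroupName": "elasticbamboo", "IpPermissions": [{"IpProtocol": "tcp",
        "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "elasticbamboo-nossh", "IpPermissions": [{"IpProtocol": "tcp",
        "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_IMAGES = [
    {"name": "win2012-custom", "region": "us-east-1", "ami": "ami-00000000", "security_group": "elasticbamboo"},
    {"name": "win2012-fixed", "region": "us-east-1", "ami": "ami-50697038", "security_group": "elasticbamboo"},
    {"name": "win2012-nossh", "region": "eu-west-1", "ami": "ami-00000000", "security_group": "elasticbamboo-nossh"},
]
```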


This issue can be tracked here: BAM-16023.


We would like to credit Simon Huynh for reporting this issue to us.



If you have questions or concerns regarding this advisory, please raise a support request at


Security Bug fix Policy

As per our new policy, critical security bug fixes will be back ported to major software versions for up to 12 months for JIRA and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released.
Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.



Last modified on Jun 17, 2015
