Bamboo Security Advisory 2021-04-07

Summary

CVE-2020-27955 & CVE-2021-21237 - Remote Code Injection using Git LFS

Advisory Release Date

Apr 7, 2021 10:00 AM PDT (Pacific Time, -7 hours)

Product

Bamboo elastic agent AMI for Windows

Affected Versions

7.2.2 and earlier

Fixed Versions

7.2.3 and later

CVE ID(s)

CVE-2020-27955

CVE-2021-21237


Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was introduced through the git-lfs library and discovered in Stock Elastic Windows Images shipped with version 7.2.2 of Bamboo for Windows. Both CVE-2020-27955 & CVE-2021-21237 refer to the same underlying vulnerability, Remote Code Injection using Git LFS. Bamboo Stock Elastic Windows Images shipped with versions of Bamboo for Windows before 7.2.3 (the fixed version for CVE-2020-27955 & CVE-2021-21237) are affected by this vulnerability.

Customers using the Bamboo Windows elastic agent AMI on version 7.2.3 are not affected.

Customers using Bamboo for any non-Windows OS are not affected.

Customers using the Bamboo Windows elastic agent AMI on version 7.2.2 or earlier

Please upgrade your installations immediately to fix this vulnerability.

  Customers using Bamboo for Windows

Ensure that git-lfs is updated to avoid being vulnerable. Refer to the advisories from Git, linked in “Vulnerability References”.

Remote Code Injection using Git LFS - CVE-2020-27955 & CVE-2021-21237

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.



Description

The vulnerability occurs if git-lfs operates on a malicious repository with a git.bat or git.exe file in the current directory, allowing an attacker to execute arbitrary code.

  1. run Git LFS on a on a malicious repository with a git.bat or git.exe file in the current directory

All versions of Bamboo for Windows up to and including 7.2.2 are affected by this vulnerability. This issue can be tracked here:

BAM-21267 - Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237) DRAFT

BAM-21284 - Git LFS on Windows vulnerable to remote code execution (CVE-2020-27955) DRAFT


Vulnerability References



Fix

We have taken the following steps to address this issue:

  1. Released Bamboo for Windows version 7.2.3 that contains a fix for this issue.

What You Need to Do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bamboo for Windows, see the release note You can download the latest version of Bamboo for Windows from the download centre.

Upgrade Bamboo for Windows to version 7.2.3 or higher and update git-lfs on Windows

Customers using Bamboo for Windows need to update git-lfs on Windows to the latest version

Customers using Bamboo elastic agent AMI: Upgrade Bamboo for Windows to version 7.2.3


Mitigation

Update git and git-lfs on your system to the latest versions and use them in your existing Bamboo instance.


Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug fix Policy

As per our new policy critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy.  We will release new maintenance releases for the versions covered by the policy instead of binary patches.

Binary patches are no longer released. 

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

 Our end of life policy varies for different products. Please refer to our EOL Policy for details. 

Last modified on Apr 7, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.