Bamboo Security Advisory 2015-06-17
Note: As of September 2014 we are no longer issuing binary bug patches. Instead, we create new maintenance releases for the major versions we are back-porting.
Date of Advisory:
CVE ID: CVE-2015-4136
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability that exists in versions of the Bamboo Elastic Agent Windows Stock Image (Windows 2012) that were first made available in Bamboo 5.8.0.
Customers not using Elastic Bamboo or using stock images other than Windows 2012 (e.g. Windows 2008) are not affected.
Atlassian Cloud Bamboo instances have already been upgraded to use new AMI that do not have the issue described on this page.
Customers who have downloaded Bamboo Server 5.8.0 or 5.8.1 were only affected until , due to BAM-15801.
SSH Authorization permitted for a user with hard-coded credentials in Windows Stock Image (Windows Server 2012 R2) AMI
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
In Bamboo 5.8.0 and 5.8.1 the Windows Stock Image (Windows Server 2012 R2) AMI contains a 'bamboo' user which is configured with a publicly known password. While the 'bamboo' user is not allowed RDP access, it was permitted to log in through SSH on instances using the affected AMI. In the event that a vulnerable live agent is discovered by an attacker, the attacker could use this vulnerability to SSH into affected Elastic Agents as the 'bamboo' user and execute arbitrary commands as that user. As builds execute as the 'bamboo' user, an attacker would have access to any files used or generated as part of builds.
Your Bamboo Server builds may have been affected if all of the following conditions are true:
- Bamboo was running version 5.8.0 or 5.8.1 after the and before .
- A build was configured to use a Windows Stock Image (Windows Server 2012 R2) AMI with an accessible port 22. That port is not accessible at all if 'elasticbamboo' Security Group has been modified to exclude port 22. The port is not accessible from the public Internet if the instances were running in a VPC with public addressing disabled.
- The build was run before . (After the the bamboo user password expired which prevents the bamboo user from logging in.)
Your Bamboo Cloud builds may have been affected if all of the following conditions are true:
- A build was configured to use a Windows Stock Image (Windows Server 2012 R2) AMI with an accessible port 22. That port is inaccessible only if the 'elasticbamboo' Security Group has been modified to exclude port 22.
- The build was run between and or between and .
Fix
We have taken the following steps to address this issue:
- We have made the affected AMI private to coincide with the release of this advisory. Bamboo won't be able to start new instances of those AMI, generating an exception instead.
- Bamboo Cloud has been updated to use new AMI that are not vulnerable to this issue.
- Bamboo Server 5.9.0 ships with the fixed AMI and is available for download from https://www.atlassian.com/software/bamboo/download.
Affected AMI
If you have created an AMI based upon any of the following AMI identifiers you should re-create your AMI. If you have a custom image configuration in Bamboo using one of the following AMI, update the AMI id to a fixed one.
Fixed AMI
The following AMI include a fix for this issue and are not affected. You can use them to recreate your custom images.
These AMI are used in the stock images in Cloud and Bamboo version 5.9.0.
| Region | AMI ID |
|---|---|
| Asia Pacific (Singapore) - ap-southeast-1 | ami-c21a2390 |
| South America (Sao Paulo) - sa-east-1 | ami-f550d6e8 |
| US East (N. Virginia) - us-east-1 | ami-50697038 |
| EU (Frankfurt) - eu-central-1 | ami-e0f4cafd |
| EU (Ireland) - eu-west-1 | ami-1f750268 |
| US West (Oregon) - us-west-2 | ami-77764b47 |
| Asia Pacific (Tokyo) - ap-northeast-1 | ami-b4f520b4 |
| Asia Pacific (Sydney) - ap-southeast-2 | ami-fb81ffc1 |
| US West (N. California) - us-west-1 | ami-6b3bd22f |
This issue can be tracked here: BAM-16023.
Acknowledgements
We would like to credit Simon Huynh for reporting this issue to us.
Support
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
| Reference | Description |
|---|---|
| Security Bug Fix Policy | As per our new policy, critical security bug fixes will be back-ported to major software versions for up to 12 months for JIRA and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches. Binary patches will no longer be released. |
| Severity Levels for security issues | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. |
| End of Life Policy | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |