
This advisory discloses a security vulnerability that we have found in Bamboo and fixed in a recent version of Bamboo.

  • Customers who have downloaded and installed Bamboo should upgrade their existing Bamboo installations to fix this vulnerability.  
  • Atlassian OnDemand customers are not affected by any of the issues described in this advisory.

Atlassian is committed to improving product security.

The vulnerability listed in this advisory is a vulnerability in a third-party framework, Struts 2 / WebWork 2, that is used by Bamboo. The vulnerability was independently discovered by Atlassian and reported to the Struts maintainers.

More details about the underlying Struts vulnerability CVE-2013-2251 are available at the CVE database and in the Struts advisory.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

OGNL injection in WebWork 2

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have fixed a vulnerability in the third-party web framework WebWork 2, which is a part of the Struts web framework. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. In the case of Bamboo, the attacker needs to be able to access the Bamboo web interface. A valid user account is not required to exploit this vulnerability.

Customers should be advised that this affects all versions of Bamboo, except Bamboo OnDemand, Bamboo 4.3.4 and Bamboo 4.4.8 or later. Bamboo 5.0 is not affected. The issue can be tracked at BAM-13387 - Webwork 2 code injection vulnerability (status: Resolved).

Risk Mitigation

If you are unable to upgrade or patch your Bamboo server, you can apply one of the following temporary workarounds:

  • Block access, on a Web Application Firewall or a reverse proxy, to all URLs that contain any of the following strings: "redirect:", "action:" or "redirect-action:". A partial example for an nginx server is below. Note that the example only covers the "redirect:" prefix and does not account for any URL encoding that may be present.

or

  • Block access to your Bamboo server from untrusted networks, such as the Internet.
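As an added example (not part of the advisory), the following Python check scans constructed access-log lines and flags requests whose decoded query-parameter names start with one of the three prefixes named above, covering the URL-encoding case the nginx fragment does not. The log format, IP addresses and request lines are constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Parameter-name prefixes the advisory recommends blocking at a WAF or reverse proxy.
BLOCKED_PREFIXES = ("redirect:", "action:", "redirect-action:")

# Combined-style access log line; the format and the sample lines below are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so 'redirect%253A...' still becomes 'redirect:...'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def blocked_prefixes_in(target):
    """Blocked prefixes at the start of any decoded query-parameter name in 'path?query'.
    Case-insensitive on purpose: conservative for an alert/block rule."""
    found = []
    for pair in urlsplit(target).query.split("&"):
        name = decode_fully(pair.split("=", 1)[0]).strip().lower()
        for prefix in BLOCKED_PREFIXES:
            if name.startswith(prefix) and prefix not in found:
                found.append(prefix)
    return found

def scan_access_log(lines):
    """Return (client_ip, target, prefixes) for each line carrying a blocked prefix."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            prefixes = blocked_prefixes_in(m.group("target"))
            if prefixes:
                alerts.append((m.group("ip"), m.group("target"), prefixes))
    return alerts

# Constructed samples: benign request, plain prefix, double-encoded prefix, and a harmless
# parameter whose name merely contains the word "action".
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2013:10:00:01 +0000] "GET /bamboo/allPlans.action HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Jul/2013:10:00:02 +0000] "GET /bamboo/index.action?redirect:http%3A%2F%2Fexample.invalid HTTP/1.1" 302 0',
    '10.0.0.9 - - [17/Jul/2013:10:00:03 +0000] "GET /bamboo/index.action?%72edirect-action%253Afoo HTTP/1.1" 302 0',
    '10.0.0.7 - - [17/Jul/2013:10:00:04 +0000] "GET /bamboo/build.action?actionName=run HTTP/1.1" 200 128',
]
```

Running `scan_access_log(SAMPLE_LOG)` reports only the second and third lines; the double-encoded one is caught because decoding is repeated, which a single-pass string match on the raw URL would miss.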

Fix

This vulnerability can be fixed by upgrading Bamboo to version 4.3.4, 4.4.8 or later. There are no patches available for this vulnerability; for any questions, please raise a support request at http://support.atlassian.com/.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Upgrading Bamboo

The fix versions for this vulnerability are described in the 'Description' section above.

We recommend that you upgrade to the latest version of Bamboo. For a full description of the latest version of Bamboo, see the release notes. You can download the latest version of Bamboo from the download centre.


3 Comments

  1. This advisory is very poorly structured.  The affected version information should have been disclosed MUCH sooner and a recommended course of action for users of specific versions should have been provided.  There are no release notes in the left-hand nav tree for anything beyond 4.4.5 and it was only after visiting the download archive that I discovered that 4.4.8 was even available.  Apparently, it was silently released.  Bad form, Atlassian.

    1. (smile) they really really really really want everyone to go to 5.0.  There's good stuff in 5.0 if you haven't looked at it yet.

      Anyhow, I agree that 4.4.8 as a solution should have been disclosed since it presents a much lower risk in migration.  I am curious as to why the release notes weren't updated...

      1. 4.4.8 is the only 4.4.x release with a fix for this vulnerability. It has been released just today, and announced with this advisory.

        4.4.6 and 4.4.7 were internal releases without user visible changes.

        Atlassian is committed to providing security fixes per Atlassian Security Policies. We are providing fixes for all supported releases (in this case: also 4.4 and 4.3) and we are not pushing anyone to get the latest release, knowing that a major upgrade requires careful planning.

        Mike, I will forward your suggestions about advisory structure and downloads discoverability to our doc team.

        And yes, there's good stuff in 5.0.