FAQ for CVE-2023-46604
General Information
Bamboo Data Center and Server uses the third-party library Apache ActiveMQ as part of its core services. Apache ActiveMQ has published a vulnerability (CVE-2023-46604) that allows Remote Code Execution (RCE).
This page contains answers to frequently asked questions about this vulnerability. The Atlassian Security Team will update this page whenever new information becomes available.
Is my Bamboo instance affected?
All versions of Bamboo Server and Bamboo Data Center are affected by this vulnerability.
Atlassian strongly recommends that you patch each of your affected installations to one of the listed fixed versions (or any later version) below.
Product | Fixed Versions |
---|---|
Bamboo Server and Bamboo Data Center | |
Are other Atlassian products affected by CVE-2023-46604?
No other Atlassian products (Server, Data Center or Cloud) are affected by CVE-2023-46604. No action is required for other products.
Does patching to a fixed version completely solve the issue?
While the latest patch remediates the vulnerability CVE (CVE-2023-46604), we are unable to confirm if there has been any malicious activity on your instance prior to applying the patch.
We recommend engaging with your local security team to investigate if your instance was compromised prior to patching.
What is the ActiveMQ Broker in Bamboo responsible for?
Bamboo makes use of ActiveMQ as its Java Messaging Service and the ActiveMQ broker is a service that is responsible for managing the communication between the Bamboo server and its agents.
I am running an affected version of Bamboo. How can I mitigate the threat until I upgrade?
For customers who are unable to immediately patch their Bamboo Data Center and Server instances, we recommend the following steps to reduce the risk:
- Limit network access to Bamboo’s ActiveMQ ports (default TCP/54663, TCP/54664 and TCP/54665) only to trusted sources.
- Ensure that only authorized Agents' IP addresses can establish a connection to such ports.
- Restrict outgoing connections from the Bamboo server only to IP addresses and URLs that are part of Bamboo's daily activities, for example, external Git Repositories and https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products
- Where you have a Load Balancer in front of your Bamboo instance, make sure that the same network restrictions applied to the main ActiveMQ ports in Bamboo are also applied there accordingly.
Note: These mitigation actions are limited and not a replacement for patching your instance; you must patch as soon as possible.
Check the How can I identify which port my Bamboo ActiveMQ is listening on? section for more information on how to confirm your Bamboo’s ActiveMQ ports configuration.
Do I have to upgrade my Bamboo Agents?
No. While agents contain the vulnerable library, the vulnerability is only exploitable on the Bamboo Server instance side. Agents are updated automatically once they detect a new Bamboo version.
Do I need to take any action to restrict traffic to the agent servers?
While agents contain the vulnerable library, the vulnerability is only exploitable on the Bamboo Server instance side. No network restrictions need to be applied on the agent side and the library will be automatically upgraded when the agent connects to an upgraded/fixed Bamboo server.
Can we determine if Bamboo has already been compromised?
Atlassian cannot confirm if your instances have been affected by this vulnerability. You should engage your local security team to check all affected Bamboo instances for evidence of compromise.
Evidence of compromise may include:
- loss of login access to the instance
- unusual activity in the network access logs
- installed unknown plugins
- encrypted files or corrupted data
- unexpected members of the bamboo-administrators group
- unexpected newly created user accounts
If any evidence is found, you should assume that your instance has been compromised and follow your security incident response plan.
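As an added example (not part of Atlassian's FAQ), the script below applies the "unusual activity in the network access logs" indicator to the broker specifically: given a snapshot of established TCP sockets in the column layout of ss -tn and the list of authorised agent addresses, it prints every peer connected to the ActiveMQ ports that is not an authorised agent. The socket snapshot, the agent addresses and the assumption that peers on those ports should only ever be your agents (or your load balancer) are constructed for the example; on a live server you would feed real ss -tn output and your own allowlist.

```shell
#!/usr/bin/env bash
# Added example (not Atlassian's code): list peers connected to Bamboo's ActiveMQ
# ports that are not on the allowlist of authorised agent addresses, one concrete
# way to look for unusual network activity against the broker.
set -eu

# Read socket-state lines in the layout of "ss -tn" on stdin
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port) and print each
# established peer on a broker port whose address is not in the allowlist.
# Arguments: comma-separated broker ports, then the allowed peer addresses.
unexpected_peers() {
  local ports="$1"; shift
  local allowed=" $* "
  awk -v ports="$ports" -v allowed="$allowed" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "ESTAB" {
      lport = $4; sub(/.*:/, "", lport)        # local port = text after the last colon
      peer = $5; sub(/:[0-9]+$/, "", peer)     # strip the peer port (also works for [v6]:port)
      if ((lport in want) && index(allowed, " " peer " ") == 0) print peer
    }' | sort -u
}

# Constructed snapshot: two authorised agents on broker ports, one unknown peer
# on the main connector, and an unrelated service port that must be ignored.
sample_sockets() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.0.10:54663      10.0.1.7:41522
ESTAB  0      0      10.0.0.10:54663      198.51.100.23:60112
ESTAB  0      0      10.0.0.10:54664      10.0.1.8:38040
ESTAB  0      0      10.0.0.10:8443       203.0.113.9:50211
LISTEN 0      128    0.0.0.0:54663        0.0.0.0:*
EOF
}

# Dry run on the constructed snapshot (constructed agent allowlist: 10.0.1.7, 10.0.1.8).
# On a live server use:  ss -tn | unexpected_peers 54663,54664,54665 <agent IPs...>
sample_sockets | unexpected_peers 54663,54664,54665 10.0.1.7 10.0.1.8
```

Anything the script prints deserves a look in the corresponding access logs; a peer that is neither an agent nor your load balancer is exactly the kind of finding the FAQ says should trigger your incident response plan.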
How can I identify which port my Bamboo ActiveMQ is listening on?
Bamboo assigns ports TCP/54663, TCP/54664 and TCP/54665 to the ActiveMQ service by default. Those ports can be customised by customers.
You can identify the ports for your instance by either the Bamboo config file or the Bamboo web interface:
- Bamboo config file: open Bamboo's <bamboo-home>/bamboo.cfg.xml file and locate the bamboo.jms.broker.uri property:
  <property name="bamboo.jms.broker.uri">nio://0.0.0.0:54663?wireFormat.maxInactivityDuration=90000&transport.soWriteTimeout=45000</property>
- Bamboo web interface: go to Bamboo Administration >> General Configuration >> Bamboo JMS broker configuration >> Broker URL
Additionally, it is important to understand that Bamboo launches additional ActiveMQ connectors on extra ports to meet its internal requirements. These include:
- The main JMS connector, for instance, port 54663.
- The SSL JMS Connector, which is the main connector port plus one, for example, port 54664.
- The Elastic Agents JMS connector, which is the main connector port plus two, for example, port 54665.
Refer to the I am running an affected version of Bamboo. How can I mitigate the threat until I upgrade? section for the next steps to implement the mitigation if you are unable to apply the patch immediately.
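The following script is an added example, not Atlassian's code, that ties the two procedures above together: it extracts the main ActiveMQ port from the bamboo.jms.broker.uri property, derives the SSL and Elastic Agents connector ports (main port plus one and plus two) and emits an nftables ruleset that admits only the listed agent addresses to those three ports, which is the network restriction the mitigation section recommends. The sample bamboo.cfg.xml, the agent addresses and the table and chain names (bamboo_mq) are constructed assumptions; the rules are printed for review rather than loaded.

```shell
#!/usr/bin/env bash
# Added example (not Atlassian's code): derive Bamboo's ActiveMQ ports from the
# bamboo.jms.broker.uri property and emit nftables rules that admit only the
# listed agent addresses to those ports. Nothing here is applied to the host.
set -eu

# Read a bamboo.cfg.xml on stdin and print the TCP port of the main JMS connector.
# Handles the URI form shown in the FAQ, e.g. nio://0.0.0.0:54663?wireFormat...
# (IPv4 address or hostname in the URI; bracketed IPv6 hosts are not handled).
broker_port() {
  sed -n 's|.*name="bamboo.jms.broker.uri">[a-z+]*://[^:]*:\([0-9]*\).*|\1|p' | head -n 1
}

# Bamboo opens three connectors: main, main+1 (SSL) and main+2 (Elastic Agents).
activemq_ports() {
  local main="$1"
  echo "$main $((main + 1)) $((main + 2))"
}

# Print an nftables ruleset that accepts the three broker ports only from the
# given agent IPs/CIDRs and drops everything else destined for them.
# Arguments: main port, then one or more agent addresses.
nft_rules() {
  local main="$1"; shift
  local ports
  ports=$(activemq_ports "$main" | tr ' ' ',')
  echo "table inet bamboo_mq {"          # table and chain names are constructed
  echo "  chain input {"
  echo "    type filter hook input priority 0; policy accept;"
  for agent in "$@"; do
    echo "    ip saddr $agent tcp dport { $ports } accept"
  done
  echo "    tcp dport { $ports } drop"
  echo "  }"
  echo "}"
}

# Constructed sample configuration carrying the property shown in the FAQ.
sample_cfg() {
cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<application-configuration>
  <properties>
    <property name="bamboo.jms.broker.uri">nio://0.0.0.0:54663?wireFormat.maxInactivityDuration=90000&amp;transport.soWriteTimeout=45000</property>
  </properties>
</application-configuration>
EOF
}

# Dry run against the constructed file. On a real server feed the file from
# <bamboo-home> instead:  broker_port < /path/to/bamboo-home/bamboo.cfg.xml
# and, after review, load the output with:  nft -f rules.nft
main() {
  local port
  port=$(sample_cfg | broker_port)
  echo "# main ActiveMQ port: $port  connectors: $(activemq_ports "$port")"
  nft_rules "$port" 10.0.1.0/24 10.0.2.15   # constructed agent addresses
}
main
```

The drop rule is deliberately restricted to the three broker ports so the ruleset does not interfere with the rest of the host; the same allowlist must also be applied on any load balancer that forwards to these ports, as the mitigation section notes.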
My instance isn't exposed to the Internet. Is a patch still recommended?
We still strongly recommend applying the latest patch, as listed on the Bamboo Security Advisory page for CVE-2023-46604.
If the Bamboo instance cannot be accessed from the internet, the risk of an exploit is reduced.
My instance has been compromised, what should I do?
You need to immediately shut down the instance and disconnect the server from the internet.
You will then need to engage your local security team to review any post-exploit malicious activity and determine your recovery options.
Review the Can we determine if Bamboo has already been compromised? section for potential indicators of compromise.
What if I don’t have a local security team?
We recommend engaging a specialist security firm for further investigation.