Atlassian rates these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.
We have identified and fixed several cross-site scripting (XSS) vulnerabilities in Bamboo, which may affect Bamboo instances. These vulnerabilities have security implications and are especially important for anyone running publicly accessible instances of Bamboo.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
All versions of Bamboo up to and including Bamboo 2.5.3 are susceptible to these vulnerabilities.
An attacker can inject their own malicious JavaScript code into areas of Bamboo listed in the table below. This code could be executed by simply entering the URL into the browser address bar or when a user performs a specific function in Bamboo, such as clicking a link or a button.
| Affected areas in Bamboo |
|---|
| Server Administration User Interface — Including the User and Group Security, System and Communication sections. |
| Main Bamboo User Interface — Including the Create Plan and Build Configuration areas and Log and various Result views. |
We recommend that you upgrade your Bamboo installation to fix these vulnerabilities. Please see the 'fix' section below.
Bamboo 2.5.5 fixes these vulnerabilities. See the release notes and upgrade guide for more information about this release and changes to Bamboo's behaviour. You can download the latest version of Bamboo from the download centre.
There are no patches available to fix these vulnerabilities for previous versions of Bamboo.
Atlassian rates one of these vulnerabilities as high and the other as moderate, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.
We have identified and fixed two potential security vulnerabilities in Bamboo. These vulnerabilities have security implications that are especially important for anyone running publicly accessible instances of Bamboo.
An attacker, who has gained administrator access to a Bamboo instance, could set Bamboo's export, import and scheduled backup paths to a location within the Bamboo web application directory. Once this has been done, the attacker will be able to download any Bamboo data which has been exported or backed up by Bamboo. If you have followed standard guidelines for hardening your application servers, then your Bamboo instance should be less susceptible to this vulnerability. Therefore, we have provided an optional mechanism that prevents directory paths from being changed.
Bamboo does not set a maximum number of repeated login attempts. This makes Bamboo vulnerable to brute force attacks. Therefore, we have prevented brute force attacks by imposing a maximum number of repeated login attempts.
For Bamboo Standalone distributions, we have set Bamboo's session ID cookies to use the HttpOnly flag. This makes it more difficult for malicious (JavaScript) code on a client's browser to gain access to these session ID cookies, thereby minimising the risk of common XSS attacks.
All versions of Bamboo up to and including Bamboo 2.5.3 are susceptible to these vulnerabilities.
Please refer to the following JIRA issues for more information:
We recommend that you upgrade your Bamboo installation to fix these vulnerabilities. Please see the 'fix' section below.
If you are running the Bamboo EAR-WAR distribution, then to minimise the risk of common XSS attacks, we strongly recommend that you configure the application server (Tomcat) running Bamboo to transmit session ID cookies using the HttpOnly flag. Please refer to Configuring Tomcat to Use HttpOnly Session ID Cookies for more information.
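A quick way to verify that the session cookie your application server hands out actually carries the HttpOnly flag is to inspect the `Set-Cookie` headers it returns. The script below is an added example, not Atlassian's code; it assumes the Tomcat default session cookie name `JSESSIONID` and uses constructed sample headers rather than output captured from a real Bamboo instance.

```python
"""Check whether the session cookie in Set-Cookie headers carries HttpOnly."""
import sys
import urllib.request

SESSION_COOKIE_NAME = "JSESSIONID"  # Tomcat's default session cookie name (assumption)

# Constructed sample headers: what a server might send before and after
# HttpOnly is enabled. Not captured from a real Bamboo deployment.
WITHOUT_HTTPONLY = [
    "theme=light; Path=/",
    "JSESSIONID=ABC123DEF456; Path=/bamboo",
]
WITH_HTTPONLY = [
    "JSESSIONID=ABC123DEF456; Path=/bamboo; HttpOnly",
]


def session_cookie_flags(set_cookie_headers):
    """Return the lower-cased attribute names (Path, HttpOnly, Secure, ...)
    attached to the session cookie, or None if no session cookie is present."""
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        if name.strip() != SESSION_COOKIE_NAME:
            continue
        # rest = "<value>; Attr1=..; Attr2"; drop the value, keep attributes
        attrs = [part.strip() for part in rest.split(";")[1:]]
        return {attr.split("=", 1)[0].lower() for attr in attrs if attr}
    return None


def session_cookie_is_httponly(set_cookie_headers):
    """True only when a session cookie is present and marked HttpOnly."""
    flags = session_cookie_flags(set_cookie_headers)
    return flags is not None and "httponly" in flags


def check_url(url):
    """Fetch a URL and report whether its session cookie is HttpOnly."""
    with urllib.request.urlopen(url) as response:  # nosec: defender-side check
        headers = response.headers.get_all("Set-Cookie") or []
    return session_cookie_is_httponly(headers)


if __name__ == "__main__":
    # Usage: python check_httponly.py http://bamboo.example.test/bamboo/
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print("HttpOnly set:", check_url(target))
    else:
        print("sample without flag:", session_cookie_is_httponly(WITHOUT_HTTPONLY))
        print("sample with flag:   ", session_cookie_is_httponly(WITH_HTTPONLY))
```

The returned flag set also tells you whether `Secure` is present, which is worth confirming on an HTTPS deployment.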
Bamboo 2.5.5 fixes these vulnerabilities. See the release notes and upgrade guide for more information about this release and changes to Bamboo's behaviour. You can download the latest version of Bamboo from the download centre.
There are no patches available to fix these vulnerabilities for previous versions of Bamboo.
As a consequence of these security fixes, the following changes to Bamboo's default behaviour have occurred:

`bamboo.paths.set.allowed=true`
For details about changes to Bamboo's behaviour as a result of these fixes to security vulnerabilities, please refer to the Bamboo 2.5.5 Upgrade Guide.