This advisory discloses a number of security vulnerabilities that we have found in versions of Bamboo prior to 3.3. You need to upgrade your existing Bamboo installations to fix these vulnerabilities. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project. Neither Bamboo Studio nor OnDemand is vulnerable to any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

XSS Vulnerabilities

Severity

Atlassian rates the severity level of all these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low. These vulnerabilities are not critical.

Risk Assessment

We have identified and fixed a number of reflected and stored cross-site scripting (XSS) vulnerabilities in Bamboo. XSS vulnerabilities allow an attacker to embed their own JavaScript into a Bamboo page. You can read more about XSS attacks at cgisecurity.com, The Web Application Security Consortium and other places on the web.

Vulnerability

The table below describes the Bamboo versions and the specific functionality affected by the XSS vulnerabilities.

Bamboo Feature                        | Affected Bamboo Versions | Fixed Version | Issue Tracking
User Picker                           | all earlier than 2.7.4   | 2.7.4, 3.0    | BAM-10024
Default 'internal server error' page  | all earlier than 3.1     | 3.1           | BAM-10026
viewAgent.action                      | all earlier than 3.1     | 3.1           | BAM-10027
configureAgents resource              | all earlier than 3.1     | 3.1           | BAM-10028
chooseBuildsToMove.action             | all earlier than 3.1     | 3.1           | BAM-10029

Our thanks to Marian Ventuneac (http://www.ventuneac.net) who reported several of the vulnerabilities mentioned above. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

Risk Mitigation

We recommend that you upgrade your Bamboo installation to fix these vulnerabilities.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to trusted groups.

Fix

Bamboo 3.1 and later versions fix all these issues. View the issue linked above for information on fix versions. For a full description of the latest version of Bamboo, see the release notes. You can download the latest version of Bamboo from the Bamboo download centre.

There are no patches available to fix these vulnerabilities. You must upgrade your Bamboo installation.

OS Command Injection Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low. This vulnerability is not critical.

Risk Assessment

We have identified and fixed an OS command injection vulnerability in the third-party Perforce library used in Bamboo. This vulnerability allows an attacker to execute arbitrary OS commands on a Bamboo server as the Bamboo user. The attacker needs to have plan edit rights. Only servers that have Perforce integration enabled (i.e. have a Perforce capability defined on the server) can be exploited. You can read more about command injection attacks and their consequences at OWASP and other places on the web.

Note that if your server has local agents enabled, anyone who controls build plans is already capable of causing arbitrary code to run locally as part of the normal build process, and this bug does not lead to any additional access.

The maintainer of the original library can be contacted at https://github.com/digerata/P4Java/.

Vulnerability

The table below describes the Bamboo versions and the specific functionality affected by the OS command injection vulnerability.

Bamboo Feature                                          | Affected Bamboo Versions | Fixed Version | Issue Tracking
OS command injection vulnerability in Perforce library  | 2.4 – 3.1                | 3.1.1, 3.2    | BAM-10030

Risk Mitigation

We recommend that you upgrade your Bamboo installation to fix this vulnerability.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to trusted groups.

Fix

Bamboo 3.2 and later versions fix this issue. View the issue linked above for information on fix versions. For a full description of the latest version of Bamboo, see the release notes. You can download the latest version of Bamboo from the Bamboo download centre.

If you cannot upgrade to the latest version of Bamboo, you can patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.

Patches

If you are running Bamboo 2.4 – 3.1, you can apply the following library patch to fix the BAM-10030 vulnerability. We strongly recommend upgrading and not patching.

Vulnerability                                                         | Patch                       | Patch File Name
OS command injection vulnerability in Perforce library used by Bamboo | Attached to issue BAM-10030 | p4java-0.7.5-atlassian-6.jar

Patch Procedure: Install the Patch

A patch is available for Bamboo 2.4 – 3.1.

The patch addresses the following issue:

  • OS command injection vulnerability in Perforce library used by Bamboo (BAM-10030).

Applying the patch

If you are using Bamboo 2.4 – 3.1:

  1. Download the p4java-0.7.5-atlassian-6.jar file that is attached to the BAM-10030 issue.
  2. Stop Bamboo.
  3. Make a backup of the <bamboo_install_dir> directory.
  4. Copy the downloaded jar file into <bamboo_install_dir>/Bamboo/webapp/WEB-INF/lib, and delete the existing p4java jar file.
  5. Restart Bamboo.
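The backup and jar-swap steps (3 and 4) of the procedure above as a POSIX shell function. This is an added example, not an Atlassian script: it assumes Bamboo has already been stopped (step 2) and leaves restarting it (step 5) to you; the function name, the tar-based backup and the check that exactly one p4java jar is present before anything is deleted are this example's own choices.

```shell
#!/bin/sh
# Added example (not Atlassian tooling): performs steps 3 and 4 of the
# BAM-10030 patch procedure on a Bamboo 2.4 - 3.1 install that is stopped.
# Usage: apply_p4java_patch <bamboo_install_dir> <path to p4java-0.7.5-atlassian-6.jar>

apply_p4java_patch() {
  install_dir="$1"
  new_jar="$2"
  lib_dir="$install_dir/Bamboo/webapp/WEB-INF/lib"

  # Sanity checks before touching anything.
  [ -d "$lib_dir" ] || { echo "lib directory not found: $lib_dir" >&2; return 1; }
  [ -s "$new_jar" ] || { echo "patch jar missing or empty: $new_jar" >&2; return 1; }
  # A jar is a zip archive; its first two bytes are the "PK" signature.
  [ "$(head -c 2 "$new_jar")" = "PK" ] || { echo "not a jar/zip file: $new_jar" >&2; return 1; }

  # Step 4 deletes "the existing p4java jar file": insist on exactly one, so the
  # wrong library is never removed and two p4java versions never share the classpath.
  old_count=$(find "$lib_dir" -maxdepth 1 -name 'p4java*.jar' | wc -l | tr -d ' ')
  [ "$old_count" -eq 1 ] || { echo "expected one p4java jar in $lib_dir, found $old_count" >&2; return 1; }
  old_jar=$(find "$lib_dir" -maxdepth 1 -name 'p4java*.jar')

  # Step 3: back up the whole install directory as a single tar file next to it.
  backup="${install_dir%/}.backup-$(date +%Y%m%d%H%M%S).tar"
  tar -cf "$backup" -C "$(dirname "$install_dir")" "$(basename "$install_dir")" || return 1

  # Step 4: copy the patched jar in, then remove the old one (unless it is the same file name).
  cp "$new_jar" "$lib_dir/" || return 1
  if [ "$(basename "$old_jar")" != "$(basename "$new_jar")" ]; then
    rm -f "$old_jar"
  fi
  echo "replaced $(basename "$old_jar") with $(basename "$new_jar"); backup at $backup"
}
```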

Information Leakage Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as medium, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low. This vulnerability is not critical.

Risk Assessment

We have identified and fixed an information leakage vulnerability in Bamboo. This vulnerability allows an attacker to view all directory listings (but not the content of the files) on the server readable by the Bamboo user.

Vulnerability

The table below describes the Bamboo versions and the specific functionality affected by the information leakage vulnerability.

Bamboo Feature       | Affected Bamboo Versions | Fixed Version | Issue Tracking
Information leakage  | 2.0 – 3.2                | 3.2.3, 3.3    | BAM-10031

Risk Mitigation

We recommend that you upgrade your Bamboo installation to fix this vulnerability.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to trusted groups.

Fix

Bamboo 3.3 and later versions fix this issue. View the issue linked above for information on fix versions. For a full description of the latest version of Bamboo, see the release notes. You can download the latest version of Bamboo from the Bamboo download centre.

There are no patches available to fix this vulnerability. You must upgrade your Bamboo installation.