Bamboo Security Advisory 2012-05-17

 This advisory discloses a critical security vulnerability that exists in all versions of Bamboo up to and including 3.4.4.

  • Customers who have downloaded and installed Bamboo should upgrade their existing Bamboo installations to fix this vulnerability. 
  • Enterprise ホスト型のお客様は、「Enterprise ホスト型サポート」プロジェクトの http://support.atlassian.com で、サポート リクエストを送信してアップグレードをリクエストする必要があります。
  • Jira Studio および Atlassian OnDemand のお客様は、このアドバイザリに記載されている問題の影響を受けることはありません。

Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

このアドバイザリに関してご質問や懸念がある場合は、https://support.atlassian.com/ でサポート リクエストを起票してください。

In this advisory:

重大な XML 解析の脆弱性

深刻度

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

説明

We have identified and fixed a vulnerability in Bamboo that results from the way third-party XML parsers are used in Bamboo.

This vulnerability allows an attacker to:

  • execute denial of service attacks against the Bamboo server, and
  • read all local files readable to the system user under which Bamboo runs.

The attacker needs to have an account with the affected Bamboo server instance and be able to log in in order to execute the attack.

All versions of Bamboo up to and including 3.4.4 are affected by this vulnerability. This issue can be tracked here: BAM-11316 - Getting issue details... STATUS

Risk Mitigation

We recommend that you upgrade your Bamboo installation to fix this vulnerability.

Alternatively, if you are not in a position to upgrade or apply patches immediately, you should do all of the following until you can upgrade or patch. Please note, these measures will only limit the impact of the vulnerability, they will not mitigate it completely.

修正

Upgrade (recommended)

Upgrade to Bamboo 4.0 or later which fixes this vulnerability. For a full description of this release, see the Bamboo 4.0 release notes. The following releases have also been made available to fix this vulnerability in older Bamboo versions: 

  • Bamboo 3.3.4 for Bamboo 3.3.x 
  • Bamboo 3.4.5 for Bamboo 3.4.x

You can download these versions from the Bamboo download centre.

Patches (not recommended)

Patches are only available for Bamboo 3.2.x - 3.4.x. We recommend patching only when you can neither upgrade nor apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy), as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.

If for some reason you cannot upgrade to the latest version of Bamboo, you must do all of the following steps to fix the vulnerability described in this security advisory.

  1. Download the file http://www.atlassian.com/software/bamboo/downloads/binary/patch-BAM11316-3.2-atlassian-bundled-plugins.zip
  2. Rename the file to atlassian-bundled-plugins.zip
  3. Stop Bamboo.
  4. Make a backup of the <bamboo_install_dir> directory. 

  5. Copy atlassian-bundled-plugins.zip into webapp/WEB-INF/classes in the <bamboo_install_dir>, to replace the existing file of the same name.

  6. Bamboo を再起動します。
最終更新日 2012 年 5 月 17 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.