Bamboo Security Advisory 2014-02-26

This advisory details a critical security vulnerability that we have found in Bamboo and fixed in recent versions of Bamboo.

  • Customers who have downloaded and installed Bamboo should upgrade their existing Bamboo installations or apply the patches to fix this vulnerability.
  • Atlassian OnDemand customers have been upgraded with the fixes for the issue described in this advisory.

The vulnerability affects all versions of Bamboo up to and including 5.2.1.

Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and appreciate your help in identifying and resolving issues.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com.

User Privilege Escalation

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in https://www.atlassian.com/security. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in Bamboo which allowed unauthenticated users to perform actions on behalf of any other authorised user. In order to exploit this vulnerability, an attacker requires access to your Bamboo web interface.

A Bamboo server is only vulnerable if it has been configured to be a part of an Application link with Trusted Applications authentication. This is not the default configuration.

The vulnerability affects all supported versions of Bamboo up to and including 5.2.1. It has been fixed in 5.2.2. The issue is tracked as BAM-14038.

Risk Mitigation

If you are unable to upgrade or patch your Bamboo server you can do the following as a temporary workaround:

  • Block access to your Bamboo server web interface from untrusted networks, such as the Internet.
  • Remove any Application links that use Trusted Applications authentication and re-create them using OAuth.

Fix

This vulnerability can be fixed by upgrading Bamboo. There is also a patch available for this vulnerability for all supported versions of Bamboo. If you have any questions, please raise a support request at http://support.atlassian.com. We recommend upgrading.

Our Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Upgrading Bamboo

Upgrade to Bamboo 5.2.2, 5.1.2 or 5.0.2 or a later version, which fixes this vulnerability. For a full description of these releases, see the Bamboo Release Notes. You can download these versions of Bamboo from the download centre.

Patches

We recommend patching only when you cannot upgrade or cannot apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy) as an interim solution until you can upgrade. You should not continually patch your system instead of upgrading. Our patches are often non-cumulative: we do not recommend that you apply multiple patches from different advisories on top of each other, and we strongly recommend upgrading to the most recent version regularly.

If for some reason you cannot upgrade to the latest version of Bamboo, you must apply the patch provided below to fix the vulnerability described in this advisory. It has been tested for all supported versions of Bamboo.

  1. Download the patch file for your version (the MD5 checksum of each archive is listed for verification):

       Version        Patch                       MD5
       Bamboo 5.0.1   patch_bamboo_5.0.1.tar.gz   e5a2da7444104326ea70a01bf85fad31
       Bamboo 5.1.1   patch_bamboo_5.1.1.tar.gz   00cc9a1928646efa82e882294ee06776
       Bamboo 5.2.1   patch_bamboo_5.2.1.tar.gz   369692472d8b556e692a9459c9f6ecd7

  2. Shut down Bamboo.
  3. For Bamboo 5.0.1, move the following files from <Bamboo-INSTALL>/webapp/WEB-INF/lib to a location outside the <Bamboo-INSTALL> folder:
    1. applinks-api-3.11.0-m8.jar
    2. applinks-host-3.11.0-m8.jar
    3. applinks-spi-3.11.0-m8.jar
    4. atlassian-trusted-apps-core-2.5.2.jar
    5. atlassian-trusted-apps-seraph-integration-2.5.2.jar
    6. sal-api-2.9.1.jar
    7. sal-spi-2.9.1.jar
    8. sal-spring-2.9.1.jar
  4. For Bamboo 5.1.1, move the following files from <Bamboo-INSTALL>/atlassian-bamboo/WEB-INF/lib to a location outside the <Bamboo-INSTALL> folder:
    1. applinks-api-4.0.0-m07.jar
    2. applinks-host-4.0.0-m07.jar
    3. applinks-spi-4.0.0-m07.jar
    4. atlassian-trusted-apps-core-2.5.2.jar
    5. atlassian-trusted-apps-seraph-integration-2.5.2.jar
    6. sal-api-2.10.2.jar
    7. sal-spi-2.10.2.jar
    8. sal-spring-2.10.2.jar
  5. For Bamboo 5.2.1, move the following files from <Bamboo-INSTALL>/atlassian-bamboo/WEB-INF/lib to a location outside the <Bamboo-INSTALL> folder:
    1. applinks-api-4.0.3.jar
    2. applinks-host-4.0.3.jar
    3. applinks-spi-4.0.3.jar
    4. atlassian-trusted-apps-core-3.0.2.jar
    5. atlassian-trusted-apps-seraph-integration-3.0.2.jar
    6. sal-api-2.10.9.jar
    7. sal-spi-2.10.9.jar
    8. sal-spring-2.10.9.jar
  6. Unpack the downloaded patch content into the WEB-INF/lib/ folder.
  7. Start up Bamboo.
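As an added example (not Atlassian's own tooling), the script below carries out the patch steps above for one Bamboo version in a checkable order: it verifies the downloaded archive against the MD5 from the table before touching the installation, moves the listed jars to a backup directory outside <Bamboo-INSTALL>, and only then unpacks the patch into the lib folder. The install path, the lib path relative to it, the archive, the expected MD5 and the jar names are passed as arguments; Bamboo is assumed to be shut down already.

```shell
#!/bin/sh
# Added example: apply a Bamboo advisory patch with the checksum and jar-removal
# steps enforced. Arguments:
#   <Bamboo-INSTALL> <lib dir relative to install> <patch.tar.gz> <expected md5> <jar>...
set -u

# Return 0 if the archive's MD5 matches the value from the advisory table.
verify_md5() {
  file=$1; expected=$2
  if command -v md5sum >/dev/null 2>&1; then
    actual=$(md5sum "$file" | cut -d' ' -f1)
  else
    actual=$(md5 -q "$file")      # BSD/macOS fallback
  fi
  [ "$actual" = "$expected" ]
}

# Move the named jars out of the lib dir into a backup dir. All jars are
# checked first so a missing name never leaves a half-patched lib folder.
quarantine_jars() {
  libdir=$1; backup=$2; shift 2
  for jar in "$@"; do
    [ -f "$libdir/$jar" ] || { echo "expected jar not found: $jar" >&2; return 1; }
  done
  mkdir -p "$backup"
  for jar in "$@"; do mv "$libdir/$jar" "$backup/"; done
}

# Verify, quarantine, unpack. Returns non-zero and changes nothing on failure.
apply_patch() {
  install=$1; rellib=$2; patch=$3; md5=$4; shift 4
  libdir="$install/$rellib"
  # Backup lives beside, not inside, <Bamboo-INSTALL> as the advisory requires.
  backup="$(dirname "$install")/bamboo-replaced-jars-$(date +%Y%m%d%H%M%S)"
  verify_md5 "$patch" "$md5" || { echo "MD5 mismatch for $patch, aborting" >&2; return 1; }
  quarantine_jars "$libdir" "$backup" "$@" || return 1
  tar -xzf "$patch" -C "$libdir"
}

# Run as a script: sh apply_patch.sh /opt/bamboo atlassian-bamboo/WEB-INF/lib \
#   patch_bamboo_5.2.1.tar.gz 369692472d8b556e692a9459c9f6ecd7 applinks-api-4.0.3.jar ...
if [ $# -ge 5 ]; then apply_patch "$@"; fi
```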

Last updated 28 August 2015
