Bamboo Security Advisory 2014-05-21

 This advisory discloses a critical security vulnerability that we have found in Bamboo and fixed in a recent version of Bamboo.

  • Customers who have downloaded and installed Bamboo should upgrade their existing Bamboo installations or apply the patch to fix this vulnerability.
  • Atlassian OnDemand customers don't have to do anything; they have been upgraded with the fix for the issue described in this advisory.
  • No other Atlassian products are affected.

The vulnerability affects all versions of Bamboo up to and including 5.5.

Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and appreciate your help in identifying and resolving issues.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com.

ClassLoader manipulation vulnerability

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have fixed a vulnerability in our fork of Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to be able to access the Bamboo web interface. In cases where anonymous access is enabled, a valid user account is not required to exploit this vulnerability.

We discovered this vulnerability during our review of the recent Struts security advisories. This vulnerability is specific to Bamboo.

The vulnerability affects all versions of Bamboo up to and including 5.5. Bamboo 5.6 is not vulnerable. The issue is tracked in BAM-14571.

Risk Mitigation

If you are unable to upgrade your Bamboo server you can do the following as a temporary workaround:

  • Block, at a reverse proxy or a firewall, all requests whose URI parameters match the following regular expression pattern. Note that the pattern does not account for any URL encoding that may be present in the request.

    .*[?&](.*\.||.*|\[('|"))(c|C)lass(\.|('|")]|\[).*
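The advisory's pattern applied to request URIs, as an added example that is not part of the advisory itself. It shows the URL-decoding step the advisory says the raw pattern lacks: the same probe string is rejected when percent-encoded and matched raw, and blocked once decoded. The sample URIs are constructed here, and the helper name `should_block` is an assumption, not anything Atlassian provides.

```python
import re
from urllib.parse import unquote

# Pattern copied verbatim from the advisory's Risk Mitigation section.
# It blocks a "class" token in the query string when it is followed by ".",
# "']", "\"]" or "[" (the shapes of a property-path or bracket-indexed parameter).
BLOCK_PATTERN = re.compile(r""".*[?&](.*\.||.*|\[('|"))(c|C)lass(\.|('|")]|\[).*""")


def should_block(request_uri: str, decode: bool = True) -> bool:
    """Return True if the request URI (path plus query string) matches the
    advisory's blocking pattern.

    With decode=True the URI is percent-decoded once before matching, which
    closes the gap the advisory points out: an encoded "%63lass." would slip
    past the raw pattern. Assumption: one decoding pass; a proxy that sees
    double-encoded input would need to decode repeatedly until stable.
    """
    candidate = unquote(request_uri) if decode else request_uri
    return BLOCK_PATTERN.match(candidate) is not None


# Constructed sample requests (not real Bamboo traffic).
SAMPLE_URIS = [
    "/bamboo/viewBuild.action?class.classLoader.example=1",            # dotted path form
    "/bamboo/browse/PLAN?%5B%27class%27%5D%5B%27classLoader%27%5D=x",  # bracket form, encoded
    "/bamboo/browse/PLAN?buildNumber=12&filter=classes",               # benign use of "class"
    "/bamboo/browse/PLAN?x=1&%63lass.classLoader.example=1",           # "c" percent-encoded
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"raw={should_block(uri, decode=False)!s:5} decoded={should_block(uri)!s:5} {uri}")
```

Only the dotted form is caught without decoding; the bracket form and the `%63lass` variant are caught only after the proxy decodes the URI, which is why a filter built from this pattern should run on the decoded query string.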

Fix

This vulnerability can be fixed by upgrading Bamboo to version 5.4.3, 5.5.1, or the upcoming 5.6. There is also a patch available for this vulnerability for all supported versions of Bamboo. We recommend upgrading.

Our Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Upgrading Bamboo

Upgrade to Bamboo 5.4.3, 5.5.1, 5.6 or a later version, which fixes this vulnerability. For a full description of these releases, see the Bamboo Release Notes. You can download these versions of Bamboo from the download centre.

Patches

We recommend patching only when you cannot upgrade or cannot apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy) as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.

If for some reason you cannot upgrade to the latest version of Bamboo, you must apply the patch provided below to fix the vulnerability described in this advisory. It has been tested for all supported versions of Bamboo and may work for unsupported versions as well.

  1. Download the patch file for your version of Bamboo and check its MD5 sum against the value below.

     Version          Patch                                 Tracking issue   MD5
     Bamboo 5.1-5.5   atlassian-xwork-12-1.17-xwork2-1.jar  BAM-14571        478b5877510e34d11d09f8635e292564
     Bamboo pre-5.1   atlassian-xwork-12-1.17.jar           BAM-14571        1dd1308afdd146feafe626daee73e299

  2. Shut down Bamboo.
  3. Move the file <BAMBOO_INSTALL>/atlassian-bamboo/WEB-INF/lib/atlassian-xwork-12-x.x.jar to a location outside the <BAMBOO_INSTALL> folder.
  4. Copy the downloaded patched jar file into the folder <BAMBOO_INSTALL>/atlassian-bamboo/WEB-INF/lib/.
  5. Start up Bamboo again.
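Steps 1, 3 and 4 of the patch procedure as a script, added here as an example; it is not Atlassian's tooling. It refuses to install a jar whose MD5 does not match the sum published in the table above, moves the existing `atlassian-xwork-12-*.jar` out of `WEB-INF/lib` before copying the patch in, and assumes Bamboo has already been stopped (step 2). The function names, the `expected_md5` override and the `atlassian-xwork-12-*.jar` glob are assumptions of this example.

```python
import hashlib
import shutil
from pathlib import Path
from typing import Optional

# MD5 sums of the patch jars as published in the advisory's patch table.
PATCH_MD5 = {
    "atlassian-xwork-12-1.17-xwork2-1.jar": "478b5877510e34d11d09f8635e292564",  # Bamboo 5.1-5.5
    "atlassian-xwork-12-1.17.jar": "1dd1308afdd146feafe626daee73e299",           # Bamboo pre-5.1
}


def md5_hex(path: Path) -> str:
    """Hex MD5 digest of a file, read in chunks so a large jar is not loaded whole."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_patch(patch_jar: Path, expected_md5: Optional[str] = None) -> bool:
    """True if the jar's MD5 matches the advisory's published sum for its file name.
    expected_md5 (assumed parameter) overrides the table, e.g. for a re-issued patch.
    A file name that is not in the table is rejected."""
    expected = expected_md5 or PATCH_MD5.get(patch_jar.name)
    return expected is not None and md5_hex(patch_jar) == expected.lower()


def apply_patch(bamboo_install: Path, patch_jar: Path, backup_dir: Path,
                expected_md5: Optional[str] = None) -> Path:
    """Steps 3 and 4 of the advisory. Moves every atlassian-xwork-12-*.jar out of
    <BAMBOO_INSTALL>/atlassian-bamboo/WEB-INF/lib into backup_dir (which should be
    outside the install folder), then copies the verified patch jar in.
    Bamboo must be stopped before this runs. Returns the installed jar's path."""
    if not verify_patch(patch_jar, expected_md5):
        raise ValueError(f"MD5 mismatch or unknown patch file: {patch_jar.name}")
    lib_dir = bamboo_install / "atlassian-bamboo" / "WEB-INF" / "lib"
    if not lib_dir.is_dir():
        raise FileNotFoundError(f"not a Bamboo install: {lib_dir} missing")
    backup_dir.mkdir(parents=True, exist_ok=True)
    for old_jar in lib_dir.glob("atlassian-xwork-12-*.jar"):
        shutil.move(str(old_jar), str(backup_dir / old_jar.name))
    installed = lib_dir / patch_jar.name
    shutil.copy2(patch_jar, installed)
    return installed


if __name__ == "__main__":
    import sys
    # Usage: python patch_bamboo.py <BAMBOO_INSTALL> <patch.jar> <backup dir>
    install, jar, backup = (Path(a) for a in sys.argv[1:4])
    print("installed", apply_patch(install, jar, backup))
```

Run it with Bamboo stopped, then start Bamboo again (step 5). The backup directory keeps the original jar so the change can be reversed by moving it back.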

Last updated: 22 May 2014
