Bamboo Security Advisory 2015-01-21
Note: As of September 2014, we no longer provide binary bug patches Instead we create new maintenance releases for the major versions we backport to. Please see our Security Bug fix Policy for more details. As this policy is new and in transition, in this instance we have also provided patches for Bamboo versions from 5.1 to 5.7.
Date of Advisory: 21st January 2015
Product: Atlassian Bamboo
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability that exists in all versions of Bamboo up to and including 5.7.
Atlassian Cloud customers are not affected by any of the issues described in this advisory.
- Customers who have downloaded Bamboo Server should upgrade their existing Bamboo installations to fix this vulnerability.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered internally by Atlassian.
OGNL Double Evaluation Vulnerability
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
We have discovered and fixed a vulnerability in our fork of one of Apache Struts libraries. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Bamboo web interface.
All versions of Bamboo up to and including 5.7 are affected by this vulnerability. This issue can be tracked here: BAM-15427 - OGNL Double Evaluation Vulnerability Resolved
If you are unable to upgrade your Bamboo server you can do the following as a temporary workaround:
- Block access to your Bamboo server web interface from untrusted networks, such as the Internet.
Block at a reverse proxy or a firewall all requests matching the following regular expression pattern in URI parameters.
Version 5.6.x - release 5.6.3 and any subsequent newer releases in 5.6.x line are available to fix the vulnerability.
Version 5.7.x - release 5.7.1 and any subsequent newer releases are available to fix the vulnerability for version 5.7.
You can download these releases from:
The vulnerabilities and fix versions are described in the sections above.
Atlassian recommend that you upgrade to the latest version. For a full description of the latest version of Bamboo, see the its release notes.
It is advised that you upgrade to the latest version of Bamboo, as there are no longer binary patches made available.
As this policy is new and in transition, in this instance we have also provided patches for Bamboo versions from 5.1 to 5.7.
You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.
If for some reason you cannot upgrade to the latest version of Bamboo, you must apply the patch provided below to fix the vulnerability described in this advisory. It has been tested for Bamboo versions from 5.1 to 5.7.
Patching supported versions of Bamboo 5.1 - 5.7
Download the patch file.
Version Patch MD5 5.1-5.7 freemarker-2.3.16-atlassian-34.jar b8d860107ccbfd5bf13df478fbfce5bb
- Shut down Bamboo.
- Replace the file WEB-INF/lib/freemarker-2.3.16-atlassian-23.jar with the jar you've downloaded.
- Make sure you've removed the freemarker-2.3.16-atlassian-23.jar file from WEB-INF/lib directory.
- Start Bamboo.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
|Security Bug fix Policy||
As per our new policy, critical security bug fixes will be back ported to major software versions for up to 12 months for Bamboo. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.Binary patches will no longer be released.
|Severity Levels for security issues||Atlassian security advisories include a severity level. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.|