Bamboo Security Advisory 2015-06-17
Note: As of September 2014 we are no longer issuing binary bug patches. Instead we create new maintenance releases for the major versions we are backporting to.
Date of Advisory:
CVE ID: CVE-2015-4136
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability that exists in versions of the Bamboo Elastic Agent Windows Stock Image (Windows 2012) that were first made available in Bamboo 5.8.0.
Customers not using Elastic Bamboo or using stock images other than Windows 2012 (e.g. Windows 2008) are not affected.
Atlassian Cloud Bamboo instances have already been upgraded to use new AMIs which do not have the issue described on this page.
Customers who have downloaded Bamboo Server 5.8.0 or 5.8.1 were only affected until , due to BAM-15801.
SSH Authorization permitted for a user with hard-coded credentials in Windows Stock Image (Windows Server 2012 R2) AMI
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
In Bamboo 5.8.0 and 5.8.1 the Windows Stock Image (Windows Server 2012 R2) AMI contains a 'bamboo' user which is configured with a publicly known password. While the 'bamboo' user is not allowed RDP access, it was permitted to log in through SSH on instances using the affected AMI. If a vulnerable live agent is discovered by an attacker, the attacker could use this vulnerability to SSH into affected Elastic Agents as the 'bamboo' user and execute arbitrary commands as that user. As builds execute as the 'bamboo' user, an attacker would have access to any files used or generated as part of builds.
Your Bamboo Server builds may have been affected if all of the following conditions are true:
- Bamboo was running version 5.8.0 or 5.8.1 after the and before .
- A build was configured to use a Windows Stock Image (Windows Server 2012 R2) AMI with an accessible port 22. That port is not accessible at all if 'elasticbamboo' Security Group has been modified to exclude port 22. The port is not accessible from the public Internet if the instances were running in a VPC with public addressing disabled.
- The build was run before . (After the the bamboo user password expired which prevents the bamboo user from logging in.)
Your Bamboo Cloud builds may have been affected if all of the following conditions are true:
- A build was configured to use a Windows Stock Image (Windows Server 2012 R2) AMI with an accessible port 22. That port is not accessible only if 'elasticbamboo' Security Group has been modified to exclude port 22.
- The build was run between and or between and .
Fix
We have taken the following steps to address this issue:
- We have made the affected AMI private to coincide with the release of this advisory. Bamboo won't be able to start new instances of those AMI, generating an exception instead.
- Bamboo Cloud has been updated to use new AMI that are not vulnerable to this issue.
- Bamboo Server 5.9.0 ships with the fixed AMI and is available for download from https://www.atlassian.com/software/bamboo/download.
Affected AMI
If you have created an AMI based upon any of the following AMI identifiers you should re-create your AMI. If you have a custom image configuration in Bamboo using one of the following AMIs, update the AMI id to a fixed one.
Fixed AMI
The following AMIs include a fix for this issue and are not affected. You can use them to recreate your custom images.
These AMIs are used in the stock images in Cloud and Bamboo version 5.9.0.
Region | AMI ID |
---|---|
Asia Pacific (Singapore) - ap-southeast-1 | ami-c21a2390 |
South America (Sao Paulo) - sa-east-1 | ami-f550d6e8 |
US East (N. Virginia) - us-east-1 | ami-50697038 |
EU (Frankfurt) - eu-central-1 | ami-e0f4cafd |
EU (Ireland) - eu-west-1 | ami-1f750268 |
US West (Oregon) - us-west-2 | ami-77764b47 |
Asia Pacific (Tokyo) - ap-northeast-1 | ami-b4f520b4 |
Asia Pacific (Sydney) - ap-southeast-2 | ami-fb81ffc1 |
US West (N. California) - us-west-1 | ami-6b3bd22f |
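The exposure conditions above (an agent launched from an unfixed image, a public address, and an 'elasticbamboo' security group that still admits port 22) can be checked against the output of the AWS describe-instances and describe-security-groups APIs. The following audit is an added example and not part of the advisory or of Bamboo; the fixed AMI ids are copied from the table above, the sample instance and group records are constructed, and the unfixed image id `ami-00000000` is a placeholder.

```python
from ipaddress import ip_network

# Fixed AMI per region, copied from the advisory's table above.
FIXED_AMI = {
    "ap-southeast-1": "ami-c21a2390", "sa-east-1": "ami-f550d6e8",
    "us-east-1": "ami-50697038", "eu-central-1": "ami-e0f4cafd",
    "eu-west-1": "ami-1f750268", "us-west-2": "ami-77764b47",
    "ap-northeast-1": "ami-b4f520b4", "ap-southeast-2": "ami-fb81ffc1",
    "us-west-1": "ami-6b3bd22f",
}
# RFC 1918 ranges; an ingress rule limited to these is not reachable from the Internet.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def sg_exposes_ssh(group):
    """True if an ingress rule admits tcp/22 from a non-private IPv4 range."""
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # "-1" means all protocols/ports
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "tcp" and not lo <= 22 <= hi:
            continue
        for rng in perm.get("IpRanges", []):
            net = ip_network(rng["CidrIp"])
            if not any(net.subnet_of(p) for p in PRIVATE):
                return True
    return False

def audit_agents(instances, groups, region):
    """Return ids of instances on an unfixed image with SSH reachable from the Internet."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    for inst in instances:
        if inst.get("ImageId") == FIXED_AMI.get(region):
            continue                            # running the fixed stock image
        if inst.get("PublicIpAddress") is None:
            continue                            # VPC with public addressing disabled
        attached = (by_id[s["GroupId"]] for s in inst.get("SecurityGroups", []) if s["GroupId"] in by_id)
        if any(sg_exposes_ssh(g) for g in attached):
            findings.append(inst["InstanceId"])
    return findings

# Constructed sample records in the shape the AWS APIs return (not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-exposed", "ImageId": "ami-00000000", "PublicIpAddress": "198.51.100.10", "SecurityGroups": [{"GroupId": "sg-open"}]},
    {"InstanceId": "i-fixed", "ImageId": "ami-50697038", "PublicIpAddress": "198.51.100.11", "SecurityGroups": [{"GroupId": "sg-open"}]},
    {"InstanceId": "i-sg-closed", "ImageId": "ami-00000000", "PublicIpAddress": "198.51.100.12", "SecurityGroups": [{"GroupId": "sg-internal"}]},
    {"InstanceId": "i-no-public-ip", "ImageId": "ami-00000000", "SecurityGroups": [{"GroupId": "sg-open"}]},
]
```

Only the first sample instance is reported; the other three are excluded by the fixed image, the restricted security group, and the missing public address respectively.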
This issue can be tracked here: BAM-16023.
Acknowledgements
We would like to credit Simon Huynh for reporting this issue to us.
Support
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/ja/.
References
Reference | Description |
---|---|
Security Bug Fix Policy | As per the new Atlassian policy, critical security bug fixes will be backported to major software versions for up to 12 months for Jira and Confluence. For the versions listed in the new policy we will provide new maintenance releases rather than binary patches. Binary patches will no longer be released. |
Severity Levels for Security Issues | Atlassian security advisories include a severity level and a CVE ID. The severity level is based on the CVSS score that Atlassian calculates independently for each vulnerability. CVSS is an industry-standard vulnerability metric; see FIRST.org for details on CVSS. |
End of Life Policy | Our end of life policy varies by product. See the Atlassian End of Life Policy for details. |