Bamboo Security Advisory 2015-06-17
Note: As of September 2014 we are no longer issuing binary bug patches, Instead we create new maintenance releases for the major versions we are back porting.
Date of Advisory:
CVE ID: CVE-2015-4136
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability that exists in versions of the Bamboo Elastic Agent Windows Stock Image (Windows 2012) that were first made available in Bamboo 5.8.0.
Customers not using Elastic Bamboo or using stock images other than Windows 2012 (e.g. Windows 2008) are not affected.
Atlassian Cloud Bamboo instances have already been upgraded to use new AMI which does not have the issue described on this page.
SSH Authorization permitted for a user with hard-coded credentials in Windows Stock Image (Windows Server 2012 R2) AMI
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
In Bamboo 5.8.0 and 5.8.1 the Windows Stock Image (Windows Server 2012 R2) AMI contain a 'bamboo' user which is configured with a publicly known password. While the 'bamboo' user is not allowed RDP access, it was permitted to login through SSH on instances using the affected AMI. In the event that a vulnerable live agent is discovered by an attacker, the attacker could use this vulnerability to SSH into affected Elastic Agents as the 'bamboo' user and execute arbitrary commands as that user. As builds execute as the 'bamboo' user, an attacker would have access to any files used or generated as part of builds.
Your Bamboo Server builds may have been affected if all of the following conditions are true:
- Bamboo was running version 5.8.0 or 5.8.1 after the and before .
- A build was configured to use a Windows Stock Image (Windows Server 2012 R2) AMI with an accessible port 22. That port is not accessible at all if 'elasticbamboo' Security Group has been modified to exclude port 22. The port is not accessible from the public Internet if the instances were running in a VPC with public addressing disabled.
- The build was run before . (After the the bamboo user password expired which prevents the bamboo user from logging in.)
Your Bamboo Cloud builds may have been affected if all of the following conditions are true:
- A build was configured to use a Windows Stock Image (Windows Server 2012 R2) AMI with an accessible port 22. That port is not accessible only if 'elasticbamboo' Security Group has been modified to exclude port 22.
- The build was run between and or between and .
We have taken the following steps to address this issue:
- We have made the affected AMI private to coincide with the release of this advisory. Bamboo won't be able to start new instances of those AMI, generating an exception instead.
- Bamboo Cloud has been updated to use new AMI that are not vulnerable to this issue.
- Bamboo Server 5.9.0 is available with the fixed AMI and is available for download from https://www.atlassian.com/software/bamboo/download.
If you have created an AMI based upon any of the following AMI identifiers you should re-create your AMI. If you have a custom image configuration in Bamboo using one of following AMI, update the AMI id to a fixed one.
ami-0341fb1e ami-03a9db39 ami-04ccf46c ami-0ecaf813 ami-1cb0824e ami-22033f3f ami-23668567 ami-28ae5428 ami-31ec692c ami-3f503148 ami-449faa16 ami-58667c1d ami-5a300c47 ami-6697dd0e ami-6ca79b04 ami-7606ff76 ami-79c1233d ami-95a822e2 ami-975e75a7 ami-9df94780 ami-b182e5c6 ami-b65f6de4 ami-c5e305c5 ami-dbe295e1 ami-e3374ad9 ami-e93b11d9 ami-fb1c38cb
The following AMI include a fix for this issue and are not affected. You can use them to recreate your custom images.
These AMI are used in the stock images in Cloud and Bamboo version 5.9.0.
|Asia Pacific (Singapore) - ap-southeast-1||ami-c21a2390|
|South America (Sao Paulo) - sa-east-1||ami-f550d6e8|
|US East (N. Virginia) - us-east-1||ami-50697038|
|EU (Frankfurt) - eu-central-1||ami-e0f4cafd|
|EU (Ireland) - eu-west-1||ami-1f750268|
|US West (Oregon) - us-west-2||ami-77764b47|
|Asia Pacific (Tokyo) - ap-northeast-1||ami-b4f520b4|
|Asia Pacific (Sydney) - ap-southeast-2||ami-fb81ffc1|
|US West (N. California) - us-west-1||ami-6b3bd22f|
We would like to credit Simon Huynh for reporting this issue to us.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
|Security Bug fix Policy||
As per our new policy critical security bug fixes will be back ported to major software versions for up to 12 months for JIRA and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.Binary patches will no longer be released.
|Severity Levels for security issues||Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.|
|End of Life Policy||Our end of life policy varies for different products. Please refer to our EOL Policy for details.|