要約

Some security vulnerability scan reports that the Bamboo application allows to transmission of Cleartext Credentials.

診断

• The Bamboo application has not been secured with SSL using Tomcat.
• The non-SSL connectors are still accessible eg: Access to http://localhost:8085 or http://<bamboo-hostname>:8085/ is still available

The vulnerability scan sample report will be like the below:

Finding Name: Web Server Transmits Cleartext Credentials
Finding Description: The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext.
An attacker eavesdropping the traffic between web browser and server may obtain logins and passwords of valid users.

原因

Although HTTPS is now activated and available, the old HTTP URLs (http://localhost:8085) are still available. Now you need to redirect the URLs to their HTTPS equivalent.

Solution 1: Redirect the URL to HTTPS

• Please make sure you have secured with SSL using Tomcat.
• You will redirect the URL to HTTPS by adding a security constraint in web.xml. This will cause Tomcat to redirect requests on a non-SSL port. Refer to this article on How to setup redirect from HTTP to HTTPS port in Bamboo 

Solution 2: Remove the HTTP listener and access Bamboo via HTTPS 

• Please make sure you have secured with SSL using Tomcat.
• Remove the HTTP listener configuration and make sure the load-balancer, Base URL are updated accordingly to use the HTTPS

 Adding the security constraint to redirect all URLs to HTTPS will redirect your HTTP 8085 requests and mitigate your scanner report.