Bamboo Security Advisory 2012-05-17
This advisory discloses a critical security vulnerability that exists in all versions of Bamboo up to and including 3.4.4.
- Customers who have downloaded and installed Bamboo should upgrade their existing Bamboo installations to fix this vulnerability.
- Enterprise Hosted customers need to request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project.
- JIRA Studio and Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
In this advisory:
Critical XML Parsing Vulnerability
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have identified and fixed a vulnerability in Bamboo that results from the way third-party XML parsers are used in Bamboo.
This vulnerability allows an attacker to:
- execute denial of service attacks against the Bamboo server, and
- read all local files readable to the system user under which Bamboo runs.
The attacker needs to have an account with the affected Bamboo server instance and be able to log in in order to execute the attack.
All versions of Bamboo up to and including 3.4.4 are affected by this vulnerability. This issue can be tracked here: BAM-11316 - Getting issue details... STATUS
Risk Mitigation
We recommend that you upgrade your Bamboo installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade or apply patches immediately, you should do all of the following until you can upgrade or patch. Please note, these measures will only limit the impact of the vulnerability, they will not mitigate it completely.
- Disable public access (such as anonymous access and public signup ) to your Bamboo instance until you have applied the necessary patch or upgrade.
- Ensure that your Bamboo system user is restricted as described in best practices for Bamboo security.
Fix
Upgrade (recommended)
Upgrade to Bamboo 4.0 or later which fixes this vulnerability. For a full description of this release, see the Bamboo 4.0 release notes. The following releases have also been made available to fix this vulnerability in older Bamboo versions:
- Bamboo 3.3.4 for Bamboo 3.3.x
- Bamboo 3.4.5 for Bamboo 3.4.x
You can download these versions from the Bamboo download centre.
Patches (not recommended)
Patches are only available for Bamboo 3.2.x - 3.4.x. We recommend patching only when you can neither upgrade nor apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy), as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.
If for some reason you cannot upgrade to the latest version of Bamboo, you must do all of the following steps to fix the vulnerability described in this security advisory.
- Download the file http://www.atlassian.com/software/bamboo/downloads/binary/patch-BAM11316-3.2-atlassian-bundled-plugins.zip
- Rename the file to atlassian-bundled-plugins.zip
- Stop Bamboo.
Make a backup of the
<bamboo_install_dir>
directory.- Restart Bamboo.