ESB-2018.0039 - [Win][Linux][OSX] Atlassian Bamboo: Execute arbitrary code/commands - Remote with user interaction - 2018-01-04


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0039
                    Bamboo Security Advisory 2017-12-13
                              4 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Bamboo
Publisher:         Atlassian
Operating System:  Linux variants
                   OS X
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14590 CVE-2017-14589 

Original Bulletin: 
   https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/6FcGO .


CVE ID:

* CVE-2017-14589.
* CVE-2017-14590.


Product: Bamboo.

Affected Bamboo product versions:

version < 6.1.6
6.2.0 <= version < 6.2.5


Fixed Bamboo product versions:

* for 6.1.x, Bamboo 6.1.6 has been released with a fix for this issue.
* for 6.2.x, Bamboo 6.2.5 has been released with a fix for this issue.


Summary:
This advisory discloses critical severity security vulnerabilities. Versions of
Bamboo before version 6.1.6 (the fixed version for 6.1.x) and from version 6.2.0
before 6.2.5 (the fixed version for 6.2.x) are affected by these
vulnerabilities.



Customers who have upgraded Bamboo to version 6.1.6 or 6.2.5 are not affected.

Customers who have downloaded and installed Bamboo less than 6.1.6 (the fixed
version for 6.1.x) or who have downloaded and installed Bamboo >= 6.2.0 but less
than 6.2.5 (the fixed version for 6.2.x) please upgrade your Bamboo
installations immediately to fix these vulnerabilities.



Remote code execution through OGNL double evaluation (CVE-2017-14589)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

It was possible for double OGNL evaluation in FreeMarker templates through
Struts FreeMarker tags to occur. An attacker who has restricted administration
rights to Bamboo or who hosts a website that a Bamboo administrator visits, is
able to exploit this vulnerability to execute Java code of their choice on
systems that run a vulnerable version of Bamboo.
Versions of Bamboo before version 6.1.6 (the fixed version for 6.1.x) and from
version 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this
vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/BAM-18842 .

Argument injection in Mercurial repository handling (CVE-2017-14590)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Bamboo did not check that the name of a branch in a Mercurial repository
contained argument parameters. An attacker who has permission to do one or more
of the following - create a repository in Bamboo, edit an existing plan in
Bamboo that has a non-linked Mercurial repository, create or edit a plan in
Bamboo when there is at least one linked Mercurial repository that the attacker
has permission to use, or commit to a Mercurial repository used by a Bamboo plan
which has branch detection enabled can execute code of their choice on systems
that run a vulnerable version of Bamboo Server.
Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for
6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by
this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/BAM-18843 .



Fix:

To address these issues, we've released the following versions containing a
fix:

* Bamboo version 6.1.6
* Bamboo version 6.2.5

Remediation:

Upgrade Bamboo to version 6.2.5 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Bamboo 6.1.x and cannot upgrade to 6.2.5, upgrade to version
6.1.6.


For a full description of the latest version of Bamboo, see
the release notes found at
https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You can
download the latest version of Bamboo from the download centre found at
https://www.atlassian.com/software/bamboo/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

- -----BEGIN PGP SIGNATURE-----

iQI0BAEBCgAeBQJaOJBGFxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8
Unag5IgP/j1Mr0Tc002EgsAacycVD0snYyXiB3jFtqkEr9iHIC01MLPcLIU+NknH
B10ZXhQlOkVNgLyP7gCbQOzKrulGFvnkwl2s0pJod1Sxg94a4lemb63ys5Sb6Lbk
XAWD53MLWIpIUUIXSt9jfc05wnWbdCl5HPGMw9aXEJrk3+mflv1NKjBmm7H/Tz2Y
jmDFzOphSpzeXq/128/9jOLAdpSC5v1pp8hxdg5B4LZio94jloovBGEtlqqv3ID3
Ppv9BAwz8so+H0b+fvr01VAz7+FFApHYVc/yxIOwrSwiyC4Qgvi+b5S/w3JeONRH
oZumfP/RoU4umxnIBzHZnztWVD4ga8mbjwXkVm67kYr4n0e8Q3LYgiiCzmtqHqBQ
m+28RWIZG4qqFlgylX6E8Guczp/EyK23UNVIoPgltLzx5/EQFSFL1PZDYcXTDc1u
Gb4SjN2QdtddfVPl4XdukDZi8B/UXYlvVxdFFFSBXVWtCnoVRN6fNaRnA3wqQ38U
CXgy3tv7RCvV/fuH6Z/JU73N6ydvq8MnRC/Afj29IpCMmbiZN9GVf4iq7R4oeKG6
hkJAjz9YH1hDggalBQ1FKmYltosoF94hIcgNR2qQDPBrtZHkqUQTMZtZVUQiaF/V
ra2PWYrZUbjqMN4npMQVV+NP33uCDyCv0ZwVlCwafe3kZa5poLnz
=THMT
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWk1wZ4x+lLeg9Ub1AQiDvA/+NAJq89bXlpsSM3cl2ELD0HA36WPndba9
cemWcboFYVg6N+7Fn9bNSd9Pe5MgqH/keko5Sw23CVp9IJTpb6fXeUzeYEY6Hpwb
hBcm/c5nXONHer0AhFS1CClXLA58pNwgp8h35RPJ3EsAKHE1ppOC9BHG0UxHAC4/
S8WNRcIPi917yK5wAl8HpJZonE5XQJx2kweGFwzkg84y0ABg/llQ+UtRTFYQVfqe
0j457jTyh5TCTgcfVzLdsLhSWVndQzW5TmhttDP8O4PCnYgqSm2P65wKqxx8WS7a
X8+7ZlYG04MqgmoLDC80xe7fUp46rEgqpkx/U25wo2WsEFMbCC5OC1/0vW1RNbBQ
orh39LMMW3BSkjKYiZrJc+SDFAp53pv/oPIQhsjpuZxzetoYbrxSyjrXX2Gedyq2
o0b3XU//5ZMJFgzrrqlUjELOOCXlyqR1FoUHMLUlmTAN8ZTDNn4vByngK2Lgl/Fc
7NNk1Zr8iamarVnvC0d+I7DfwBRkdHQ6jDyeWmnvXpX67QMgHdUsMKJhmzonX7aw
7b3rfNwdCHap7SvN8ZDtznEFOIffi2+ZHuJxEozCYpG1tb0A3sbMyV3ct6IK73P+
iyt2lD+fZm1if+YkyUizah2C8jmuzvptbG3FauauzT74kl5nFE5fOYvgqHZ180hz
ZcFkDgHgeQE=
=52lF
-----END PGP SIGNATURE-----