ESB-2018.1030 - [Win][Linux][OSX] Atlassian Bamboo: Execute arbitrary code/commands - Existing account 2018-04-05

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1030
                    Bamboo Security Advisory 2018-03-28
                               5 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Bamboo
Publisher:         Atlassian
Operating System:  Linux variants
                   OS X
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5224  

Original Bulletin: 
   https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2018-03-28-946614077.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Bamboo Security Advisory 2018-03-28

Bamboo - Argument injection through Mercurial repository URI handling on
Windows - CVE-2018-5224

Note: As of September 2014 we no longer issue binary bug patches; instead we
create new maintenance releases for the major versions we are backporting to.

Summary
CVE-2018-5224 - Argument injection through Mercurial repository URI 
handling on Windows

Advisory Release Date
28 Mar 2018 10 AM PDT (Pacific Time, -7 hours)

Product                   Bamboo

Affected Bamboo Versions
     o 2.7.0 <= version < 6.3.3
     o 6.4.0 <= version < 6.4.1

Fixed Bamboo Versions
      o 6.3.3
      o 6.4.1

CVE ID  CVE-2018-5224

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was
introduced in version 2.7.0 of Bamboo. Versions of Bamboo starting with 2.7.0
before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1
(the fixed version for 6.4.x) running on the Windows operating system are
affected by this vulnerability. 

Customers who have upgraded Bamboo to version 6.3.3 or 6.4.1 are not affected.

Customers who do not run Bamboo on the Windows operating system are not
affected.

Customers using Bamboo Server on Windows who have downloaded and installed
Bamboo >= 2.7.0 and less than 6.3.3 (the fixed version for 6.3.x), or
Bamboo >= 6.4.0 and less than 6.4.1 (the fixed version for 6.4.x), are
affected.

Please upgrade your Bamboo installations immediately to fix this
vulnerability.

Argument injection through Mercurial repository URI handling on Windows
(CVE-2018-5224)

Severity

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own
IT environment.

Description

Bamboo did not correctly check whether a configured Mercurial repository URI
contained values that the Windows operating system, or the hg command line it
is passed to, may interpret as argument parameters rather than as the
repository location. An attacker who has permission to do one or more of the
following:

  o create a repository in Bamboo
  o edit an existing plan in Bamboo that has a non-linked Mercurial repository
  o create a plan in Bamboo either globally or in a project using Bamboo Specs

can execute code of their choice on systems that run a vulnerable version of
Bamboo on the Windows operating system.

All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for
6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x)
running on the Windows operating system are affected by this vulnerability.

This issue can be tracked here:  https://jira.atlassian.com/browse/BAM-19743.
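The check the description says was missing, shown as an added illustration of the bug class rather than Bamboo's own (Java) code: a repository URI that starts with a dash is parsed by `hg` as an option instead of a URL, and quoting for the Windows command line does nothing to change that, so the value must be validated and option parsing ended with `--` before it reaches the process. The function names, the allowed-scheme list and the sample URIs below are constructed for this example; the advisory does not say which hg option was abused, so the option-looking value is a placeholder.

```python
"""Added illustration for the CVE-2018-5224 bug class: a repository URI that
`hg` (or the Windows command-line re-parse) would treat as an argument.
This is not Bamboo's code; names, allow-list and sample inputs are assumed.
"""
import re
import subprocess
from urllib.parse import urlsplit

# Assumed allow-list of remote schemes a CI server would accept.
ALLOWED_SCHEMES = {"http", "https", "ssh"}

# Characters the Windows command-line re-parse could use to split one
# argument into several (whitespace, double quotes, control characters).
_SPLITTING_CHARS = re.compile(r'[\s"\x00-\x1f]')


class UnsafeRepositoryUri(ValueError):
    """Raised when a configured URI must not reach the hg command line."""


def validate_hg_uri(uri: str) -> str:
    """Return uri unchanged if it is safe to pass as a positional argument.

    Rejects values that hg's option parser would read as an option
    (leading '-'), values that could be split into extra arguments on
    Windows, and anything that is not a plain remote URL.
    """
    if not uri or uri.startswith("-"):
        raise UnsafeRepositoryUri("looks like a command-line option: %r" % uri)
    if _SPLITTING_CHARS.search(uri):
        raise UnsafeRepositoryUri("contains whitespace/quotes/control chars: %r" % uri)
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise UnsafeRepositoryUri("scheme or host not permitted: %r" % uri)
    return uri


def is_safe_hg_uri(uri: str) -> bool:
    """Boolean form of validate_hg_uri for callers that just want a verdict."""
    try:
        validate_hg_uri(uri)
    except UnsafeRepositoryUri:
        return False
    return True


def vulnerable_clone_argv(uri: str, dest: str) -> list:
    """'Before' shape: the configured value goes straight after the subcommand,
    so a value beginning with '-' is parsed by hg as an option, not a URL."""
    return ["hg", "clone", uri, dest]


def hardened_clone_argv(uri: str, dest: str) -> list:
    """'After' shape: validate first, then end option parsing with '--' so
    even a dash-prefixed value would be positional."""
    return ["hg", "clone", "--", validate_hg_uri(uri), dest]


def windows_command_line(argv: list) -> str:
    """The single string a Windows process actually receives: subprocess
    flattens argv with the MS C runtime quoting rules (list2cmdline).
    Quoting protects spaces, but an option-looking value is passed verbatim,
    which is why quoting alone does not fix argument injection."""
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the advisory).
    good = "https://hg.example.test/team/repo"
    option_like = "--config=section.key=value"   # placeholder option-looking value
    splittable = 'https://hg.example.test/repo" C:\\extra'

    print(windows_command_line(vulnerable_clone_argv(option_like, "work")))
    print(windows_command_line(hardened_clone_argv(good, "work")))
    for candidate in (good, option_like, splittable):
        print("%-45r safe=%s" % (candidate, is_safe_hg_uri(candidate)))
```

The validator is deliberately stricter than `hg` itself (it refuses local paths and the `file:` scheme) because a CI server has no reason to let an unprivileged plan author point the build at an arbitrary local path; relax the allow-list only with that trade-off in mind.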

Acknowledgements

Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue
to us.

Mitigation

Disable the "Atlassian Bamboo Mercurial Repository Plugin" via the Addons menu
in the Administration section.

Note: "Atlassian Bamboo Bitbucket Repository Plugin" depends on "Atlassian
Bamboo Mercurial Repository Plugin", so it will be disabled as well; as a
result, any Bitbucket Cloud repository in Bamboo will stop working.
Re-enabling "Atlassian Bamboo Bitbucket Repository Plugin" will re-enable
"Atlassian Bamboo Mercurial Repository Plugin", making your system
vulnerable again.

Fix

We have taken the following steps to address this issue:

 1. Released Bamboo version 6.4.1 that contains a fix for this issue and can
    be downloaded from https://www.atlassian.com/software/bamboo/download.
 2. Released Bamboo version 6.3.3 that contains a fix for this issue and can
    be downloaded from https://www.atlassian.com/software/bamboo/
    download-archives.

What You Need to Do

Atlassian recommends that you upgrade to the latest version. For a full
description of the latest version of Bamboo, see the release notes. You can
download the latest version of Bamboo from the download centre.

Upgrade Bamboo to version 6.4.1 or higher.

If you are running Bamboo 6.3.x and cannot upgrade to 6.4.1 then upgrade to
version 6.3.3.

Support

If you did not receive an email for this advisory and you wish to receive such
emails in the future go to https://my.atlassian.com/email and subscribe
to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

References

Security Bug fix Policy
    As per our new policy, critical security bug fixes will be backported in
    accordance with https://www.atlassian.com/trust/security/bug-fix-policy.
    We will release new maintenance releases for the versions covered by the
    new policy instead of binary patches. Binary patches are no longer
    released.

Severity Levels for security issues
    Atlassian security advisories include a severity level and a CVE
    identifier. This severity level is based on our self-calculated CVSS
    score for each specific vulnerability. CVSS is an industry standard
    vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy
    Our end of life policy varies for different products. Please refer to
    our EOL Policy for details.

Last modified on Apr 4, 2018

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================