Monday, October 30, 2017

October 2017 - Bamboo - Critical Security Advisory

This email refers to the advisory found at https://confluence.atlassian.com/x/EZ-1Nw .

CVE ID:
* CVE-2017-9514.

Product: Bamboo.

Affected Bamboo product versions:
6.0.0 <= version < 6.0.5
6.1.0 <= version < 6.1.4
6.2.0 <= version < 6.2.1

Fixed Bamboo product versions:
* for 6.0.x, Bamboo 6.0.5 has been released with a fix for this issue.
* for 6.1.x, Bamboo 6.1.4 has been released with a fix for this issue.
* for 6.2.x, Bamboo 6.2.1 has been released with a fix for this issue.

Summary:
This advisory discloses a critical severity security vulnerability that was introduced in version 6.0.0 of Bamboo. Versions of Bamboo starting with 6.0.0 before 6.0.5 (the fixed version for 6.0.x) and from 6.1.0 before 6.1.4 (the fixed version for 6.1.x) are affected by this vulnerability.

Cloud instances aren't affected by the issue described in this email.

Customers who have upgraded Bamboo to version 6.0.5 or 6.1.4 or 6.2.1 are not affected.

Customers who have downloaded and installed Bamboo >= 6.0.0 but less than 6.0.5 (the fixed version for 6.0.x) or who have downloaded and installed Bamboo >= 6.1.0 but less than 6.1.4 (the fixed version for 6.1.x) or who have downloaded and installed Bamboo >= 6.2.0 but less than 6.2.1 (the fixed version for 6.2.x) please upgrade your Bamboo installations immediately to fix this vulnerability.

Remote Code Execution (CVE-2017-8907)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
Bamboo has a resource which accepts a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo.
Versions of Bamboo starting with 6.0.0 before 6.0.5 (the fixed version for 6.0.x) and from 6.1.0 before 6.1.4 (the fixed version for 6.1.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/BAM-18735 .

Fix:
To address this issue, we've released the following versions containing a fix:
* Bamboo version 6.0.5
* Bamboo version 6.1.4
* Bamboo version 6.2.1

Remediation:
Upgrade Bamboo to version 6.2.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

If you are running Bamboo 6.0.x and cannot upgrade to 6.2.1, upgrade to version 6.0.5.
If you are running Bamboo 6.1.x and cannot upgrade to 6.2.1, upgrade to version 6.1.4.

For a full description of the latest version of Bamboo, see the release notes found at https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You can download the latest version of Bamboo from the download centre found at https://www.atlassian.com/software/bamboo/download.
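
A triage script for the affected ranges listed in the advisory above, added here as an example and not part of the Atlassian email. It classifies installed Bamboo versions against those ranges and reports the minimum fixed version for each release line; the host names and the sample inventory are constructed.

```python
import re

# Affected ranges from the advisory: (first affected, first fixed) per release line.
AFFECTED = [((6, 0, 0), (6, 0, 5)),
            ((6, 1, 0), (6, 1, 4)),
            ((6, 2, 0), (6, 2, 1))]


def parse_version(text):
    """Return (major, minor, patch) from strings such as '6.1.3' or '6.2'.

    Components are compared as integers, so 6.0.10 sorts after 6.0.5
    (a plain string comparison would wrongly put it before).
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Bamboo version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def triage(version):
    """Classify one version; return (affected, minimum_fixed_version_or_None)."""
    v = parse_version(version)
    for first_bad, first_fixed in AFFECTED:
        if first_bad <= v < first_fixed:
            return True, ".".join(map(str, first_fixed))
    # Below 6.0.0 (before the issue was introduced) or at/after a fixed release.
    return False, None


def triage_inventory(inventory):
    """Map host -> minimum fixed version, for affected hosts only."""
    result = {}
    for host, version in inventory.items():
        affected, fix = triage(version)
        if affected:
            result[host] = fix
    return result


if __name__ == "__main__":
    # Constructed inventory with hypothetical host names, not data from the advisory.
    sample = {"ci-01": "6.0.4", "ci-02": "6.0.5", "ci-03": "6.1.3",
              "ci-04": "6.2.0", "ci-05": "5.15.7", "ci-06": "6.2.1"}
    for host, fix in sorted(triage_inventory(sample).items()):
        print(f"{host}: affected, minimum fix {fix} (advisory recommends 6.2.1 or higher)")
```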
