[BAM-11316] Bamboo XML Vulnerability

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 3.3.4, 3.4.5, 4.0
Affects Version/s: 3.4.4
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

We have identified and fixed a vulnerability in Bamboo that results from the way third-party XML parsers are used in Bamboo.

This vulnerability allows an attacker to:

Execute denial of service attacks against the Bamboo server, and
Read all local files readable to the system user under which Bamboo runs.

The attacker needs to have an account with the affected Bamboo server instance and be able to log in in order to execute the attack.

All versions of Bamboo up to and including 3.4.4 are affected.

Full details of the severity, risks and vulnerability can be found in the Bamboo Security Advisory 2012-05-17.

mentioned in: Bamboo Security Advisory 2012-05-17; Page No Confluence page found with the given URL.; Page No Confluence page found with the given URL.; Page No Confluence page found with the given URL.; Page No Confluence page found with the given URL.; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Wiki Page Loading...; Wiki Page Loading...; Page Loading...

(24 mentioned in)

VitalyA added a comment - 20/Apr/2012 5:26 AM - edited

Installing the patch: (we recommend upgrading instead of patching)

Download file http://www.atlassian.com/software/bamboo/downloads/binary/patch-BAM11316-3.2-atlassian-bundled-plugins.zip
Rename the file to atlassian-bundled-plugins.zip
Stop Bamboo.
Make a backup of the <bamboo_install_dir> directory.
Copy atlassian-bundled-plugins.zip into webapp/WEB-INF/classes in the <bamboo_install_dir>, to replace the existing file of the same name.
Restart Bamboo.

VitalyA added a comment - 20/Apr/2012 5:26 AM - edited Installing the patch: (we recommend upgrading instead of patching) Download file http://www.atlassian.com/software/bamboo/downloads/binary/patch-BAM11316-3.2-atlassian-bundled-plugins.zip Rename the file to atlassian-bundled-plugins.zip Stop Bamboo. Make a backup of the <bamboo_install_dir> directory. Copy atlassian-bundled-plugins.zip into webapp/WEB-INF/classes in the <bamboo_install_dir>, to replace the existing file of the same name. Restart Bamboo.

Assignee:: VitalyA

Reporter:: paulwatson (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 26/Mar/2012 4:53 AM

Updated:: 05/Jan/2023 10:32 AM

Resolved:: 07/May/2012 1:12 AM

Bamboo Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: VitalyA added a comment - 20/Apr/2012 5:26 AM, Edited by VitalyA - 27/Apr/2012 5:18 AM

Expand comment: VitalyA added a comment - 20/Apr/2012 5:26 AM, Edited by VitalyA - 27/Apr/2012 5:18 AM

People

Dates