-
Bug
-
Resolution: Fixed
-
High
-
None
We have identified and fixed a vulnerability caused by the way WebWorks/Struts and Freemarker templates are used in Bamboo.
The vulnerability allows a non-authenticated user to execute arbitrary Java methods in the JVM hosting the Bamboo application. This can be used to execute OS commands as the JVM user.
All versions of Bamboo up to and including 4.0.1 are affected.
Full details are available in the advisory at https://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-08-28
- mentioned in
-
![[Atlassian Documentation] Page](/images/icons/generic_link_16.png "[Atlassian Documentation] Page")
Page
No Confluence page found with the given URL.
-
Page
No Confluence page found with the given URL.
-
Page
No Confluence page found with the given URL.
-
Page
No Confluence page found with the given URL.
-
Page Loading...
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
![[Atlassian Documentation] Page](https://confluence.atlassian.com/images/icons/favicon.png "[Atlassian Documentation] Page"){kind=icon}
[BAM-12066] OGNL injection vulnerability
The Zip file also contains javarebel-sdk-1.2.2.jar, as does my WEB-INF/lib. The two files have identical content, although the date stamps are different.
If you are using Bamboo 3.0 or later:
- Download the BAM-12066.zip file attached to the
BAM-12066issue. - Stop Bamboo.
- Make a backup of the <bamboo_install_dir> directory.
- Enter WEB-INF/lib directory.
- Move the following jar files to a backed up location: freemarker-*.jar, webwork-2.2.7-atlassian-*.jar, xwork-1.2.5-atlassian-*.jar . The zip file contains javarevel jar, if your installation already contains it, you don't have to update it.
- Copy the jar files from the zip file you've downloaded to WEB-INF/lib directory.
- Start Bamboo.
David, that's intended. Older versions of Bamboo did not have this dependency and it's required with the latest version of Freemarker. You can replace it or leave it as is, it does not matter.