Bamboo Data Center / BAM-16023

CVE-2015-4136: SSH Authorisation permitted for a user with hard-coded credentials in Windows Stock Image (Windows Server 2012 R2) AMI

      In Bamboo 5.8.0 and 5.8.1 the Windows Stock Image (Windows Server 2012 R2) AMI contains a 'bamboo' user configured with a publicly known password. While the 'bamboo' user is not allowed RDP access, it was permitted to log in through SSH on instances using the affected AMI. If an attacker discovers a vulnerable live agent, they could use this vulnerability to SSH into the affected Elastic Agent as the 'bamboo' user and execute arbitrary commands as that user. As builds execute as the 'bamboo' user, an attacker would have access to any files used or generated as part of builds.

      Bamboo Server builds may have been affected if all of the following conditions are true:

      1. Bamboo was running version 5.8.0 or 5.8.1 after 17 Mar 2015 and before 01 Apr 2015.
      2. A build was configured to use a Windows Stock Image (Windows Server 2012 R2) AMI with an accessible port 22. That port is not accessible at all if the 'elasticbamboo' Security Group has been modified to exclude port 22. The port is not accessible from the public Internet if the instances were running in a VPC with public addressing disabled.
      3. The build was run before 01 Apr 2015. (After 01 Apr 2015 the bamboo user password expired, which prevents the bamboo user from logging in.)
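Applying the three conditions above to a build record, as an added example that is not part of this ticket or of Bamboo itself: the rule sets are constructed samples in the shape of EC2 IpPermissions entries, and only CIDR sources of the security group are evaluated.

```python
from datetime import date
from ipaddress import ip_network

# Affected versions and date window as stated in the advisory above.
AFFECTED_VERSIONS = {"5.8.0", "5.8.1"}
WINDOW_START = date(2015, 3, 17)    # affected AMI in use after this date
PASSWORD_EXPIRY = date(2015, 4, 1)  # 'bamboo' password expired, SSH login no longer possible

def ssh_reachable(ingress_rules, trusted=()):
    """True if any ingress rule admits TCP/22 from a CIDR not inside `trusted`.

    `ingress_rules` follows the shape of EC2 IpPermissions entries (IpProtocol,
    FromPort, ToPort, IpRanges). Only CIDR sources are evaluated; rules whose
    source is another security group (UserIdGroupPairs) are ignored.
    """
    trusted_nets = [ip_network(t) for t in trusted]
    for rule in ingress_rules:
        proto = rule.get("IpProtocol")
        if proto == "-1":                # all protocols and ports, no port fields present
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        else:
            continue
        if not lo <= 22 <= hi:
            continue
        for entry in rule.get("IpRanges", []):
            src = ip_network(entry["CidrIp"])
            if not any(src.version == t.version and src.subnet_of(t) for t in trusted_nets):
                return True
    return False

def build_exposed(version, build_date, ingress_rules, public_addressing=True):
    """Apply the advisory's three conditions to one build; `build_date` is YYYY-MM-DD."""
    if version not in AFFECTED_VERSIONS:
        return False
    ran = date.fromisoformat(build_date)
    if not WINDOW_START < ran < PASSWORD_EXPIRY:
        return False
    if not public_addressing:  # VPC with public addressing disabled: port 22 not reachable from the Internet
        return False
    return ssh_reachable(ingress_rules)

# Constructed sample rule sets in the shape of the 'elasticbamboo' security group.
OPEN_SSH = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
RDP_ONLY = [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
```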

      Bamboo Server 5.9.0 ships with the fixed AMI and is available for download from https://www.atlassian.com/software/bamboo/download.

      For additional details see the full advisory.


Assignee: Unassigned
Reporter: David Black (dblack)
Affected customers: 0
Watchers: 3