In Bamboo 5.8.0 and 5.8.1 the Windows Stock Image (Windows Server 2012 R2) AMI contains a 'bamboo' user configured with a publicly known password. While the 'bamboo' user is not allowed RDP access, it was permitted to log in through SSH on instances using the affected AMI. If an attacker discovers a vulnerable live agent, they could use this vulnerability to SSH into the affected Elastic Agent as the 'bamboo' user and execute arbitrary commands as that user. Because builds execute as the 'bamboo' user, an attacker would have access to any files used or generated as part of builds.
Bamboo Server builds may have been affected if all of the following conditions are true:
- Bamboo was running version 5.8.0 or 5.8.1 after 17 Mar 2015 and before 01 Apr 2015.
- A build was configured to use a Windows Stock Image (Windows Server 2012 R2) AMI with an accessible port 22. That port is not accessible at all if the 'elasticbamboo' Security Group has been modified to exclude port 22, and it is not accessible from the public Internet if the instances were running in a VPC with public addressing disabled.
- The build was run before 01 Apr 2015. (After 01 Apr 2015 the bamboo user password expired, which prevents the bamboo user from logging in.)
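The three conditions above must all hold for a build to have been exposed. The following triage helper is an added example, not Atlassian's code: it encodes those conditions so a team can run them over its own build records. The BuildRecord fields and the sample records are constructed for illustration; the date boundaries follow the advisory wording (strictly after 17 Mar 2015, strictly before 01 Apr 2015).

```python
from dataclasses import dataclass, field
from datetime import date

AFFECTED_VERSIONS = {"5.8.0", "5.8.1"}
WINDOW_START = date(2015, 3, 17)   # affected AMI in use after this date
WINDOW_END = date(2015, 4, 1)      # 'bamboo' password expired on this date


@dataclass
class BuildRecord:
    """Constructed record shape; map your own build/agent inventory onto it."""
    bamboo_version: str
    build_date: date
    windows_stock_ami: bool                  # Windows Server 2012 R2 stock image
    sg_ingress_ports: set = field(default_factory=set)  # 'elasticbamboo' SG
    vpc_public_addressing: bool = True       # False => not reachable from Internet


def blocking_factors(rec):
    """Return the advisory conditions this build does NOT meet.

    An empty list means every condition held and the build should be treated
    as exposed; each entry is a reason the build was out of scope.
    """
    factors = []
    if rec.bamboo_version not in AFFECTED_VERSIONS:
        factors.append("not an affected Bamboo version")
    if not (WINDOW_START < rec.build_date < WINDOW_END):
        factors.append("built outside the vulnerable window")
    if not rec.windows_stock_ami:
        factors.append("not the Windows stock image AMI")
    if 22 not in rec.sg_ingress_ports:
        factors.append("port 22 excluded from 'elasticbamboo' group")
    elif not rec.vpc_public_addressing:
        factors.append("VPC public addressing disabled")
    return factors


def is_exposed(rec):
    return not blocking_factors(rec)


if __name__ == "__main__":
    # Constructed sample inventory: one exposed build, one with port 22 removed.
    samples = [
        BuildRecord("5.8.1", date(2015, 3, 25), True, {22, 3389}),
        BuildRecord("5.8.1", date(2015, 3, 25), True, {3389}),
    ]
    for rec in samples:
        print(rec.bamboo_version, rec.build_date, "EXPOSED" if is_exposed(rec) else blocking_factors(rec))
```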
Bamboo Server 5.9.0 ships with the fixed AMI and is available for download from https://www.atlassian.com/software/bamboo/download.
For additional details see the full advisory.