[BAM-17099] CVE-2014-9757: Deserialisation Through Smack Resulting in Remote Code Execution Vulnerability

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 5.10.0, 5.9.9
Affects Version/s: 2.4, 5.9.7
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Bamboo used an old version of the Smack XMPP library that deserialises messages received from XMPP. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo if a XMPP connection has been configured. To exploit this issue, Bamboo attackers need to be able to modify XMPP messages destined to Bamboo from a configured XMPP server.

Affected versions:

All versions of Bamboo from 2.4 before 5.9.9 (the fixed version for 5.9.x) are affected by this vulnerability.

Fix:

Bamboo 5.10.0 is available for download from https://www.atlassian.com/software/bamboo/download.
Bamboo 5.9.9 is available for download from https://www.atlassian.com/software/bamboo/download-archives.

For additional details see the full advisory.

relates to

BAM-17101 CVE-2015-8360: Deserialisation Resulting in Remote Code Execution Vulnerability

Closed

BAM-17102 CVE-2015-8361: Services exposed without authentication Vulnerability

Closed

mentioned in: Bamboo Security Advisory 2016-01-20; Bamboo Security Advisory 2016-01-20; Page No Confluence page found with the given URL.; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(5 mentioned in)

David Black made changes - 13/Nov/2019 11:54 PM

Labels

Original: CVE-2014-9757 advisory cvss-critical da-security security

New: CVE-2014-9757 advisory cvss-critical da-security deserialization security

Monique Khairuliana (Inactive) made changes - 19/Aug/2019 2:01 AM

Workflow	Original: Bamboo Workflow 2016 v1 - Restricted [ 1437255 ]	New: JAC Bug Workflow v3 [ 3382490 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Rachel Robins made changes - 01/Dec/2016 1:02 AM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 235437 ]

New: This issue links to "Page (Atlassian Documentation)" [ 235437 ]

Rachel Robins made changes - 01/Dec/2016 12:54 AM

Remote Link

New: This issue links to "Page (Atlassian Documentation)" [ 235437 ]

Rachel Robins made changes - 30/Nov/2016 10:04 PM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 235207 ]

New: This issue links to "Page (Atlassian Documentation)" [ 235207 ]

Rachel Robins made changes - 30/Nov/2016 9:51 PM

Remote Link

New: This issue links to "Page (Atlassian Documentation)" [ 235207 ]

Michalina made changes - 19/Oct/2016 11:06 PM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 216776 ]

New: This issue links to "Page (Atlassian Documentation)" [ 216776 ]

Michalina made changes - 19/Oct/2016 10:57 PM

Remote Link

New: This issue links to "Page (Atlassian Documentation)" [ 216776 ]

Michalina made changes - 19/Oct/2016 10:48 PM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 216845 ]

New: This issue links to "Page (Atlassian Documentation)" [ 216845 ]

Michalina made changes - 19/Oct/2016 10:39 PM

Remote Link

New: This issue links to "Page (Atlassian Documentation)" [ 216845 ]

Assignee:: Unassigned

Reporter:: Przemek Bruski

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 12/Jan/2016 3:54 AM

Updated:: 13/Nov/2019 11:54 PM

Resolved:: 12/Jan/2016 4:07 AM

Bamboo Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates