[BAM-17101] CVE-2015-8360: Deserialisation Resulting in Remote Code Execution Vulnerability

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 5.10.0, 5.9.9
Affects Version/s: 2.3.1, 5.9.7
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo JMS port (port 54663 by default).

Affected versions:

All versions of Bamboo from 2.3.1 before 5.9.9 (the fixed version for 5.9.x) are affected by this vulnerability.

Fix:

Bamboo 5.10.0 is available for download from https://www.atlassian.com/software/bamboo/download.
Bamboo 5.9.9 is available for download from https://www.atlassian.com/software/bamboo/download-archives.

For additional details see the full advisory.

is related to

BAM-17099 CVE-2014-9757: Deserialisation Through Smack Resulting in Remote Code Execution Vulnerability

Closed

mentioned in: Bamboo Security Advisory 2016-01-20; Bamboo Security Advisory 2016-01-20; Page No Confluence page found with the given URL.; Bamboo Security Advisory 2016-01-20; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(4 mentioned in)

There are no comments yet on this issue.

Assignee:: Unassigned

Reporter:: Przemek Bruski

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 12/Jan/2016 3:59 AM

Updated:: 13/Nov/2019 11:55 PM

Resolved:: 12/Jan/2016 4:07 AM

Bamboo Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates