[BAM-17101] CVE-2015-8360: Deserialisation Resulting in Remote Code Execution Vulnerability - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: High
Resolution: Fixed
Affects Version/s: 2.3.1, 5.9.7
Fix Version/s: 5.10.0, 5.9.9
Component/s: None
Labels:

Last commented by user?:
true
Comments:
0
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo JMS port (port 54663 by default).

Affected versions:

All versions of Bamboo from 2.3.1 before 5.9.9 (the fixed version for 5.9.x) are affected by this vulnerability.

Fix:

Bamboo 5.10.0 is available for download from https://www.atlassian.com/software/bamboo/download.
Bamboo 5.9.9 is available for download from https://www.atlassian.com/software/bamboo/download-archives.

For additional details see the full advisory.

Attachments

Issue Links

is related to

BAM-17099 CVE-2014-9757: Deserialisation Through Smack Resulting in Remote Code Execution Vulnerability

Resolved

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(4 mentioned in)

Activity

People

Assignee:

Unassigned

Reporter:

Przemek Bruski

Participants:

Przemek Bruski

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

12/Jan/2016 3:59 AM

Updated:

01/Dec/2016 1:02 AM

Resolved:

12/Jan/2016 4:07 AM

Last commented:

3 years, 23 weeks, 2 days ago