[BAM-17101] CVE-2015-8360: Deserialisation Resulting in Remote Code Execution Vulnerability - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: High
Resolution: Fixed
Affects Version/s: 2.3.1, 5.9.7
Fix Version/s: 5.10.0, 5.9.9
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo JMS port (port 54663 by default).

Affected versions:

All versions of Bamboo from 2.3.1 before 5.9.9 (the fixed version for 5.9.x) are affected by this vulnerability.

Fix:

Bamboo 5.10.0 is available for download from https://www.atlassian.com/software/bamboo/download.
Bamboo 5.9.9 is available for download from https://www.atlassian.com/software/bamboo/download-archives.

For additional details see the full advisory.

Attachments

Issue Links

is related to

BAM-17099 CVE-2014-9757: Deserialisation Through Smack Resulting in Remote Code Execution Vulnerability

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(4 mentioned in)

Activity

People

Assignee:: Unassigned

Reporter:: Przemek Bruski

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 12/Jan/2016 3:59 AM

Updated:: 13/Nov/2019 11:55 PM

Resolved:: 12/Jan/2016 4:07 AM