[BAM-17736] CVE-2016-5229 - Deserialisation resulting in remote code execution caused by insufficient restriction on permitted deserialised classes - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 5.12.3, 5.13.0.1, 5.11.4, 5.12.3.1, 5.11.4.1
Affects Version/s: 2.3.1
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent.

Affected versions:

All versions of Bamboo from 2.3.1 before 5.11.4.1 (the fixed version for 5.11.x) and from 5.12.0 before 5.12.3.1 (the fixed version for 5.12.x) are affected by this vulnerability.

Fix:

Bamboo 5.12.3.1 is available for download from https://www.atlassian.com/software/bamboo/download.
Bamboo 5.11.4.1 is available for download from https://www.atlassian.com/software/bamboo/download-archives.

Acknowledgements:
We would like to credit Moritz Bechler of AgNO3 for reporting this issue to us.

For additional details see the full advisory.

mentioned in: Page No Confluence page found with the given URL.; Bamboo Security Advisory 2016-07-20; Bamboo Security Advisory 2016-07-20; Page No Confluence page found with the given URL.; Page Failed to load; Page Loading...

(1 mentioned in)

David Black added a comment - 07/Jul/2016 4:37 AM - edited

CVSS v3 score: 9.9 => Critical severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

See http://go.atlassian.com/cvss for more details.

David Black added a comment - 07/Jul/2016 4:37 AM - edited CVSS v3 score: 9.9 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High See http://go.atlassian.com/cvss for more details.

Assignee:: Unassigned

Reporter:: Deleted Account (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 07/Jul/2016 4:22 AM

Updated:: 13/Nov/2019 11:56 PM

Resolved:: 26/Aug/2016 2:36 PM

Bamboo Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[BAM-17736] CVE-2016-5229 - Deserialisation resulting in remote code execution caused by insufficient restriction on permitted deserialised classes

Collapse comment: David Black added a comment - 07/Jul/2016 4:37 AM, Edited by David Black - 07/Jul/2016 4:38 AM

Expand comment: David Black added a comment - 07/Jul/2016 4:37 AM, Edited by David Black - 07/Jul/2016 4:38 AM

People

Dates