[BAM-17736] CVE-2016-5229 - Deserialisation resulting in remote code execution caused by insufficient restriction on permitted deserialised classes - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 5.12.3, 5.13.0.1, 5.11.4, 5.12.3.1, 5.11.4.1
Affects Version/s: 2.3.1
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent.

Affected versions:

All versions of Bamboo from 2.3.1 before 5.11.4.1 (the fixed version for 5.11.x) and from 5.12.0 before 5.12.3.1 (the fixed version for 5.12.x) are affected by this vulnerability.

Fix:

Bamboo 5.12.3.1 is available for download from https://www.atlassian.com/software/bamboo/download.
Bamboo 5.11.4.1 is available for download from https://www.atlassian.com/software/bamboo/download-archives.

Acknowledgements:
We would like to credit Moritz Bechler of AgNO3 for reporting this issue to us.

For additional details see the full advisory.

mentioned in: Page No Confluence page found with the given URL.; Bamboo Security Advisory 2016-07-20; Bamboo Security Advisory 2016-07-20; Page No Confluence page found with the given URL.; Page Failed to load; Page Loading...

(1 mentioned in)

David Black made changes - 13/Nov/2019 11:56 PM

Labels

Original: advisory cvss-critical exclude-from-security-metrics-page security

New: advisory cvss-critical deserialization exclude-from-security-metrics-page security

Monique Khairuliana (Inactive) made changes - 19/Aug/2019 2:02 AM

Workflow	Original: Bamboo Workflow 2016 v1 - Restricted [ 1443829 ]	New: JAC Bug Workflow v3 [ 3383382 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

testid made changes - 22/Apr/2017 7:52 PM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 196550 ]

testid made changes - 22/Apr/2017 7:52 PM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 187389 ]

Rachel Robins made changes - 01/Dec/2016 1:02 AM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 235439 ]

New: This issue links to "Page (Atlassian Documentation)" [ 235439 ]

Rachel Robins made changes - 01/Dec/2016 12:54 AM

Remote Link

New: This issue links to "Page (Atlassian Documentation)" [ 235439 ]

Rachel Robins made changes - 30/Nov/2016 10:04 PM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 235205 ]

New: This issue links to "Page (Atlassian Documentation)" [ 235205 ]

Rachel Robins made changes - 30/Nov/2016 9:51 PM

Remote Link

New: This issue links to "Page (Atlassian Documentation)" [ 235205 ]

Michalina made changes - 19/Oct/2016 11:06 PM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 216863 ]

New: This issue links to "Page (Atlassian Documentation)" [ 216863 ]

Michalina made changes - 19/Oct/2016 10:57 PM

Remote Link

New: This issue links to "Page (Atlassian Documentation)" [ 216863 ]

Assignee:: Unassigned

Reporter:: Deleted Account (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 07/Jul/2016 4:22 AM

Updated:: 13/Nov/2019 11:56 PM

Resolved:: 26/Aug/2016 2:36 PM

Bamboo Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[BAM-17736] CVE-2016-5229 - Deserialisation resulting in remote code execution caused by insufficient restriction on permitted deserialised classes

People

Dates