Bamboo Data Center / BAM-18242

Apache Struts 2 Remote Code Execution (CVE-2017-5638)

      Description

      Bamboo used a version of Struts 2 that was vulnerable to CVE-2017-5638. Attackers can use this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo.

      Affected versions:

      • All versions of Bamboo from 5.1.0 before 5.14.5 (the fixed version for 5.14.x) and from 5.15.0 but less than 5.15.3 (the fixed version for 5.15.x) are affected by this vulnerability.

      Fix:

      Hotfix:
      The preferred fix is to upgrade your Bamboo using one of the links from the Fix section. If you cannot schedule an upgrade immediately, you can replace the affected library as a temporary workaround.

      To replace the library, remove the existing struts2-core library from $BAMBOO_DIR/WEB-INF/lib, replace it with one matching your Bamboo version and restart your Bamboo server. This temporary solution is provided only for your convenience and an upgrade to an official Bamboo release should be scheduled as soon as possible.

      For additional details see the full advisory.
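      The hotfix procedure above, as an added shell example that is not part of this advisory or of Bamboo itself: it checks a Bamboo version against the affected ranges listed in this issue, then swaps the struts2-core jar in $BAMBOO_DIR/WEB-INF/lib for a supplied patched jar, moving the old jar out of the classpath. The $BAMBOO_DIR layout, the backup directory name and the jar file names used are assumptions.

```shell
#!/bin/sh
# Added example (not Atlassian's code). Checks a Bamboo version against the
# affected ranges from BAM-18242 and applies the jar-swap workaround.

# vercmp A B: prints -1, 0 or 1 comparing dotted versions (e.g. 5.14.4.1).
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}          # missing components count as 0
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# bamboo_affected VERSION: succeeds when VERSION is in [5.1.0, 5.14.5) or
# [5.15.0, 5.15.3), the ranges the advisory lists as vulnerable.
bamboo_affected() {
  v=$1
  if [ "$(vercmp "$v" 5.1.0)" -ge 0 ] && [ "$(vercmp "$v" 5.14.5)" -lt 0 ]; then return 0; fi
  if [ "$(vercmp "$v" 5.15.0)" -ge 0 ] && [ "$(vercmp "$v" 5.15.3)" -lt 0 ]; then return 0; fi
  return 1
}

# apply_struts_hotfix BAMBOO_DIR PATCHED_JAR: moves every struts2-core-*.jar out of
# WEB-INF/lib into a backup directory outside the classpath (assumed name), then
# copies the patched jar in. Bamboo still has to be restarted to load the new jar.
apply_struts_hotfix() {
  bamboo_dir=$1; patched_jar=$2
  lib="$bamboo_dir/WEB-INF/lib"
  backup="$bamboo_dir/struts-hotfix-backup"
  [ -f "$patched_jar" ] || { echo "patched jar not found: $patched_jar" >&2; return 1; }
  [ -d "$lib" ] || { echo "no WEB-INF/lib under $bamboo_dir" >&2; return 1; }
  mkdir -p "$backup"
  found=0
  for old in "$lib"/struts2-core-*.jar; do
    [ -e "$old" ] || continue       # glob did not match anything
    mv "$old" "$backup/" && found=1
  done
  [ "$found" -eq 1 ] || { echo "no struts2-core jar in $lib" >&2; return 1; }
  cp "$patched_jar" "$lib/"
  echo "replaced struts2-core in $lib; restart Bamboo to load $(basename "$patched_jar")"
}
```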


            Alexey Chystoprudov added a comment - edited

            anton89d596643694 use the hotfix scenario for 5.9.x from the description: replace the struts library in the WEB-INF/lib folder with the attached struts2-core-2.3.16.3-atlassian-7.jar

            Anton Demydov added a comment -

            Is there a fix for Bamboo 5.8.1?

            Satya Nalluri added a comment -

            If Bamboo production is on 5.14.1, as an immediate fix, could I replace the struts library as well with the one from 5.14.5, so we can plan for an actual upgrade later?

            Przemek Bruski added a comment -

            There is no patch for 5.1.

            Atul Bhingarde added a comment -

            One of our existing instances is on 5.1.1, can we get a patch for that?

            We are in the process of moving to the latest version, however it is taking time; if we can get a patch for the time being on 5.1.1 it would help.

            Thanks

            Atul

            Master Account added a comment -

            It looks like we were hacked using this vulnerability back in mid February, way before Apache even announced this.

            Przemek Bruski added a comment -

            Most likely not.

            Robert Jacobs added a comment -

            Can we use the hotfix with Bamboo version 5.5.1?

            Przemek Bruski added a comment -

            Yes, you can.

            IT Team added a comment -

            Can we use the hotfix also for a 5.14.4.1 release?
