-
Bug
-
Resolution: Fixed
-
Highest
-
5.13.1, 5.13.2, 5.14.3.1, 5.14.4.1, 5.15.1, 5.15.2
-
None
-
Severity 1 - Critical
-
Description
Bamboo used a version of Struts 2 that was vulnerable to CVE-2017-5638. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo
Affected versions:
- All versions of Bamboo from 5.1.0 before 5.14.5 (the fixed version for 5.14.x) and from 5.15.0 but less than 5.15.3 (the fixed version for 5.15.x) are affected by this vulnerability.
Fix:
- Bamboo 5.15.3 is available for download from https://www.atlassian.com/software/bamboo/download.
- Bamboo 5.14.5 is available for download from https://www.atlassian.com/software/bamboo/download-archives.
Hotfix:
The preferred fix is to upgrade your Bamboo using one of the links from the Fix section. If you cannot schedule an upgrade immediately, you can replace the affected library as a temporary workaround.
- Bamboo 5.9.x, 5.10.x, 5.11.x, 5.12.x - use struts2-core-2.3.16.3-atlassian-7.jar
- Bamboo 5.13.x - use struts2-core-2.5.1-atlassian-11.jar (this jar has struts2 version 2.5.1 with the same fix applied in version 2.5.10.1)
To replace the library, remove the existing struts2-core library from $BAMBOO_DIR/WEB-INF/lib, replace it with one matching your Bamboo version and restart your Bamboo server. This temporary solution is provided only for your convenience and an upgrade to an official Bamboo release should be scheduled as soon as possible.
For additional details see the full advisory.
![[Atlassian Documentation] Page](https://confluence.atlassian.com/images/icons/favicon.png "[Atlassian Documentation] Page"){kind=icon}
![[Extranet] Page](/images/icons/generic_link_16.png "[Extranet] Page"){kind=icon}
[BAM-18242] Apache Struts 2 Remote Code Execution (CVE-2017-5638)
Satya Nalluri
added a comment - If Bamboo production is on 5.14.1, as an immediate fix, could I replace the struts library as well with the one from 5.14.5, so we can plan for an actual upgrade later?
Satya Nalluri
added a comment - If Bamboo production is on 5.14.1 , as an immediate fix, could I replace the struts library as well with the one from 5.14.5, so we can plan for an actual upgrade later? 
Atul Bhingarde
added a comment - One of our existing instance is on 5.1.1, can we get a patch for that ?
We are in process to move to latest version however it is taking time, if we can get patch for time being on 5.1.1 it would help.
Thanks
Atul
Atul Bhingarde
added a comment - One of our existing instance is on 5.1.1, can we get a patch for that ?
We are in process to move to latest version however it is taking time, if we can get patch for time being on 5.1.1 it would help.
Thanks
Atul It looks like we were hacked using this vulnerability back in mid February, way before Apache even announced this.
Robert Jacobs
added a comment - Can we use the hotfix with Bamboo version 5.5.1?
anton89d596643694 use hotfix scenario for 5.9.x from description, replace struts library in WEB-INF/lib folder with attached struts2-core-2.3.16.3-atlassian-7.jar