Uploaded image for project: 'Bamboo Data Center'
  1. Bamboo Data Center
  2. BAM-18242

Apache Struts 2 Remote Code Execution (CVE-2017-5638)

XMLWordPrintable

      Description

      Bamboo used a version of Struts 2 that was vulnerable to CVE-2017-5638. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo

      Affected versions:

      • All versions of Bamboo from 5.1.0 before 5.14.5 (the fixed version for 5.14.x) and from 5.15.0 but less than 5.15.3 (the fixed version for 5.15.x) are affected by this vulnerability.

      Fix:

      Hotfix:
      The preferred fix is to upgrade your Bamboo using one of the links from the Fix section. If you cannot schedule an upgrade immediately, you can replace the affected library as a temporary workaround.

      To replace the library, remove the existing struts2-core library from $BAMBOO_DIR/WEB-INF/lib, replace it with one matching your Bamboo version and restart your Bamboo server. This temporary solution is provided only for your convenience and an upgrade to an official Bamboo release should be scheduled as soon as possible.

      For additional details see the full advisory.

        1. struts2-core-2.3.16.3-atlassian-7.jar
          786 kB
          Przemek Bruski
        2. struts2-core-2.5.1-atlassian-11.jar
          1.51 MB
          Przemek Bruski

              Unassigned Unassigned
              aminozhenko alexmin (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              18 Start watching this issue

                Created:
                Updated:
                Resolved: