
Apache Struts 2 Remote Code Execution (CVE-2017-5638)

      Description

      Bamboo used a version of Struts 2 that was vulnerable to CVE-2017-5638. Attackers can use this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo.

      Affected versions:

      • All versions of Bamboo from 5.1.0 before 5.14.5 (the fixed version for 5.14.x) and from 5.15.0 but less than 5.15.3 (the fixed version for 5.15.x) are affected by this vulnerability.

      Fix:

      Hotfix:
      The preferred fix is to upgrade your Bamboo using one of the links from the Fix section. If you cannot schedule an upgrade immediately, you can replace the affected library as a temporary workaround.

      To replace the library, remove the existing struts2-core library from $BAMBOO_DIR/WEB-INF/lib, replace it with one matching your Bamboo version and restart your Bamboo server. This temporary solution is provided only for your convenience and an upgrade to an official Bamboo release should be scheduled as soon as possible.

      For additional details see the full advisory.
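As an added example (not code from the advisory or from Atlassian), a POSIX shell check for the hotfix step above: it lists the struts2-core jars under $BAMBOO_DIR/WEB-INF/lib and fails when the old jar was not removed or no jar is present at all. The sample tree and the "atlassian-5" file name are constructed for illustration; only struts2-core-2.3.16.3-atlassian-7.jar is named on this page.

```shell
#!/bin/sh
# Added example (not from the advisory): verify the struts2-core hotfix state
# of a Bamboo installation directory ($BAMBOO_DIR on the page is passed as $1).

# Print the version suffix of every struts2-core jar in $1/WEB-INF/lib.
struts_versions() {
    for jar in "$1"/WEB-INF/lib/struts2-core-*.jar; do
        [ -e "$jar" ] || continue
        base=$(basename "$jar" .jar)
        echo "${base#struts2-core-}"
    done
}

# Return 0 when exactly one struts2-core jar is present (the expected state
# after the hotfix: old jar removed, replacement added), 1 otherwise.
check_hotfix() {
    n=$(struts_versions "$1" | wc -l | tr -d ' ')
    case "$n" in
        0) echo "no struts2-core jar found in $1/WEB-INF/lib" >&2; return 1 ;;
        1) echo "struts2-core $(struts_versions "$1") installed"; return 0 ;;
        *) echo "$n struts2-core jars present; remove the old one before restarting" >&2; return 1 ;;
    esac
}

# Constructed sample tree: the hotfix jar was copied in but the old jar was
# left behind, which is the mistake check_hotfix is meant to catch.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/WEB-INF/lib"
    : > "$dir/WEB-INF/lib/struts2-core-2.3.16.3-atlassian-5.jar"   # placeholder old jar (constructed name)
    : > "$dir/WEB-INF/lib/struts2-core-2.3.16.3-atlassian-7.jar"   # hotfix jar named on the page
    echo "$dir"
}
```

Run `check_hotfix "$BAMBOO_DIR"` before and after restarting the server; a non-zero exit means the lib directory is not in the state the hotfix instructions describe.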


            Alexey Chystoprudov added a comment - - edited

            anton89d596643694 use hotfix scenario for 5.9.x from description, replace struts library in WEB-INF/lib folder with attached struts2-core-2.3.16.3-atlassian-7.jar


            Anton Demydov added a comment -

            Is there a fix for Bamboo 5.8.1?

            Satya Nalluri added a comment -

            If Bamboo production is on 5.14.1, as an immediate fix, could I replace the struts library as well with the one from 5.14.5, so we can plan for an actual upgrade later?

            Przemek Bruski added a comment -

            There is no patch for 5.1.

            Atul Bhingarde added a comment -

            One of our existing instances is on 5.1.1, can we get a patch for that?

            We are in the process of moving to the latest version; however, it is taking time. If we can get a patch for the time being on 5.1.1 it would help.

            Thanks

            Atul

            Master Account added a comment -

            It looks like we were hacked using this vulnerability back in mid February, way before Apache even announced this.

            Przemek Bruski added a comment -

            Most likely not.

            Robert Jacobs added a comment -

            Can we use the hotfix with Bamboo version 5.5.1?

            Przemek Bruski added a comment -

            Yes, you can.

            IT Team added a comment -

            Can we use the hotfix also for a 5.14.4.1 release?

            Issa added a comment -

            Done : BSP-31312


            Przemek Bruski added a comment -

            gorisis Can you contact support? I'd like to follow up on that issue.

            Issa added a comment -

            Another issue I would like to report on Bamboo globally. On one of our compromised instances, they downloaded a JSP file into the Bamboo folder. The code of the JSP file describes a capability to download, upload, rename, delete and copy folders, extract DB content and download it.

            To my utter surprise, you can access any JSP file in Bamboo anonymously. Could you improve on this please?

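As an added example (not code from the thread or from Atlassian), a POSIX shell check for the situation Issa describes: it compares the .jsp files present under a deployed Bamboo webapp directory with a baseline manifest taken from a clean install of the same version, so a JSP dropped into the folder shows up as an unlisted path. The directory layout and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag .jsp files in a deployed webapp
# directory that are absent from a baseline manifest built from a clean copy.

# Write the sorted list of .jsp paths (relative to $1) to stdout.
jsp_manifest() {
    (cd "$1" && find . -type f -name '*.jsp' | sort)
}

# Print .jsp paths present under $1 but missing from manifest file $2.
# Returns 0 when nothing unexpected is found, 1 when at least one path is.
unexpected_jsps() {
    extra=$(jsp_manifest "$1" | comm -13 "$2" -)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Constructed sample: a clean tree with two known pages, a manifest taken from
# it, and a deployed copy that has gained one extra JSP at the webapp root.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/pages" "$root/deployed/pages"
    : > "$root/clean/pages/viewPlan.jsp"     # placeholder known page
    : > "$root/clean/pages/login.jsp"        # placeholder known page
    jsp_manifest "$root/clean" > "$root/baseline.txt"
    cp "$root/clean/pages/"*.jsp "$root/deployed/pages/"
    : > "$root/deployed/unlisted.jsp"        # constructed file not in the baseline
    echo "$root"
}
```

Generate the manifest once from a fresh install of the same Bamboo version and keep it outside the webapp; a file that appears only in the deployed tree warrants a look at its contents and the access logs for requests to that path.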

            Issa added a comment -

            Thanks for your comment Bill. Apache posted the notice on the 6th...

            Is there a way to get all security advisories published by Atlassian via a mailing list I could subscribe to, or an RSS feed? Since we have 6 products from Atlassian...


            Bill Marriott (Inactive) added a comment -

            Hi gorisis - I'm sorry that we responded slower than you would have preferred. We strive to take action as quickly as possible, however, we also want to ensure that we have all the information that we need to address any vulnerability. All of our information, including how to report a vulnerability to us, can be found at https://trust.atlassian.com. Feel free to reach out to me directly if you have additional questions.

            -bill marriott

            -Sr Manager, Trust & Security

            bmarriott@atlassian.com

            Issa added a comment -

            But Atlassian reacted a little slow on this one; we have two Bamboo which have been compromised because of this vulnerability.


            Issa added a comment -

            Thanks for the hotfix that the Security Advisory is not mentioning.

