-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 This email refers to the advisory found at https://confluence.atlassian.com/x/EZ-1Nw . CVE ID: * CVE-2017-9514. Product: Bamboo. Affected Bamboo product versions: 6.0.0 <= version < 6.0.5 6.1.0 <= version < 6.1.4 6.2.0 <= version < 6.2.1 Fixed Bamboo product versions: * for 6.0.x, Bamboo 6.0.5 has been released with a fix for this issue. * for 6.1.x, Bamboo 6.1.4 has been released with a fix for this issue. * for 6.2.x, Bamboo 6.2.1 has been released with a fix for this issue. Summary: This advisory discloses a critical severity security vulnerability that was introduced in version 6.0.0 of Bamboo. Versions of Bamboo starting with 6.0.0 before 6.0.5 (the fixed version for 6.0.x) and from 6.1.0 before 6.1.4 (the fixed version for 6.1.x) are affected by this vulnerability. Cloud instances aren't affected by the issue described in this email. Customers who have upgraded Bamboo to version 6.0.5 or 6.1.4 or 6.2.1 are not affected. Customers who have downloaded and installed Bamboo >= 6.0.0 but less than 6.0.5 (the fixed version for 6.0.x) or who have downloaded and installed Bamboo >= 6.1.0 but less than 6.1.4 (the fixed version for 6.1.x) or who have downloaded and installed Bamboo >= 6.2.0 but less than 6.2.1 (the fixed version for 6.2.x) please upgrade your Bamboo installations immediately to fix this vulnerability. Remote Code Execution (CVE-2017-8907) Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment. Description: Bamboo has a resource which accepts a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can login to Bamboo as a user is able to use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. Versions of Bamboo starting with 6.0.0 before 6.0.5 (the fixed version for 6.0.x) and from 6.1.0 before 6.1.4 (the fixed version for 6.1.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/BAM-18735 . Fix: To address this issue, we've released the following versions containing a fix: * Bamboo version 6.0.5 * Bamboo version 6.1.4 * Bamboo version 6.2.1 Remediation: Upgrade Bamboo to version 6.2.1 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. If you are running Bamboo 6.0.x and cannot upgrade to 6.2.1, upgrade to version 6.0.5. If you are running Bamboo 6.1.x and cannot upgrade to 6.2.1, upgrade to version 6.1.4. For a full description of the latest version of Bamboo, see the release notes found at https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You can download the latest version of Bamboo from the download centre found at https://www.atlassian.com/software/bamboo/download. Support: If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/. -----BEGIN PGP SIGNATURE----- iQI0BAEBCgAeBQJZ5ANtFxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8 Unag0h4P/3xMGIxi123ic9QOY6KJRS2Q2P3sGbxARelCwNa6bWiEiG25SWpw3ATw C4i9NyNzhnUisFSY8ue94He1YwhaaKp/KiD8sKtiD7KWc4g4/FBvoTnX7cLqrIJD uXEtAH1uN5dpcpKrqsulOSw9mu73Ha7Jk7/EGqi6ITdBv4NnEp528MYvWhy/mMEj 0e+86rrs85aDJPSIlsaHGnaohbSWa4p/MgYglN20kua/pV1RxcAdcaKfNFlYLvDH qO5pXG5L2bLfttIviYMIZRYh76nlEcQAs7pWrm2AB7KbHQxGxZy6bUmoAtVzZ2qr 9yMq0EyZiMVMNGC/rIU2RTD9C4FjU7IiYRcqrGY6V32zGBHnSHT0yacfrmkMuYsF qTZ5uJw5MtddU+Hsj64wltvAc/wwOZPrSH1ngvzmRG1VTs/7PZG4wG6MXaijZoOJ skCiUlRamCXHqZWT4z29XtTkLTm3831xsbJ1sD/Tv4yScVpwuNQM60WErtq1lqlr KdAWoqX4lkgIOV4P4zpTxSpn/+1jKRoMCTW0e881mmyI6uYWA6bPq1LghfTGemVf BJfIaEep5llxbS++mowt7v+tGVu4kbp8wqt4Pc1PwIgaFZxbGlOdZi57hA+pYUk1 aNEA+2CYIF0bHK3lDOqOKPhOs7+QhdGuWcVZE23MkwPLwIcyozPO =tmYL -----END PGP SIGNATURE-----