-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 This email refers to the advisory found at https://confluence.atlassian.com/x/6FcGO . CVE ID: * CVE-2017-14589. * CVE-2017-14590. Product: Bamboo. Affected Bamboo product versions: version < 6.1.6 6.2.0 <= version < 6.2.5 Fixed Bamboo product versions: * for 6.1.x, Bamboo 6.1.6 has been released with a fix for this issue. * for 6.2.x, Bamboo 6.2.5 has been released with a fix for this issue. Summary: This advisory discloses critical severity security vulnerabilities. Versions of Bamboo before version 6.1.6 (the fixed version for 6.1.x) and from version 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by these vulnerabilities. Customers who have upgraded Bamboo to version 6.1.6 or 6.2.5 are not affected. Customers who have downloaded and installed Bamboo less than 6.1.6 (the fixed version for 6.1.x) or who have downloaded and installed Bamboo >= 6.2.0 but less than 6.2.5 (the fixed version for 6.2.x) please upgrade your Bamboo installations immediately to fix these vulnerabilities. Remote code execution through OGNL double evaluation (CVE-2017-14589) Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment. Description: It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. Versions of Bamboo before version 6.1.6 (the fixed version for 6.1.x) and from version 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/BAM-18842 . Argument injection in Mercurial repository handling (CVE-2017-14590) Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment. Description: Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to do one or more of the following - create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, create or edit a plan in Bamboo when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/BAM-18843 . Fix: To address these issues, we've released the following versions containing a fix: * Bamboo version 6.1.6 * Bamboo version 6.2.5 Remediation: Upgrade Bamboo to version 6.2.5 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. If you are running Bamboo 6.1.x and cannot upgrade to 6.2.5, upgrade to version 6.1.6. For a full description of the latest version of Bamboo, see the release notes found at https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You can download the latest version of Bamboo from the download centre found at https://www.atlassian.com/software/bamboo/download. Support: If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/. -----BEGIN PGP SIGNATURE----- iQI0BAEBCgAeBQJaOJBGFxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8 Unag5IgP/j1Mr0Tc002EgsAacycVD0snYyXiB3jFtqkEr9iHIC01MLPcLIU+NknH B10ZXhQlOkVNgLyP7gCbQOzKrulGFvnkwl2s0pJod1Sxg94a4lemb63ys5Sb6Lbk XAWD53MLWIpIUUIXSt9jfc05wnWbdCl5HPGMw9aXEJrk3+mflv1NKjBmm7H/Tz2Y jmDFzOphSpzeXq/128/9jOLAdpSC5v1pp8hxdg5B4LZio94jloovBGEtlqqv3ID3 Ppv9BAwz8so+H0b+fvr01VAz7+FFApHYVc/yxIOwrSwiyC4Qgvi+b5S/w3JeONRH oZumfP/RoU4umxnIBzHZnztWVD4ga8mbjwXkVm67kYr4n0e8Q3LYgiiCzmtqHqBQ m+28RWIZG4qqFlgylX6E8Guczp/EyK23UNVIoPgltLzx5/EQFSFL1PZDYcXTDc1u Gb4SjN2QdtddfVPl4XdukDZi8B/UXYlvVxdFFFSBXVWtCnoVRN6fNaRnA3wqQ38U CXgy3tv7RCvV/fuH6Z/JU73N6ydvq8MnRC/Afj29IpCMmbiZN9GVf4iq7R4oeKG6 hkJAjz9YH1hDggalBQ1FKmYltosoF94hIcgNR2qQDPBrtZHkqUQTMZtZVUQiaF/V ra2PWYrZUbjqMN4npMQVV+NP33uCDyCv0ZwVlCwafe3kZa5poLnz =THMT -----END PGP SIGNATURE-----