CVE-2017-9514 Atlassian Bamboo YAML Deserialization Remote Code Execution Vulnerability

漏洞类别:CGI

漏洞等级:

漏洞信息

Bamboo is a continuous integration and deployment tool developed by Atlassian, that ties automated builds, tests and releases together in a single workflow.

Affected versions of Bamboo have a REST endpoint that parses a YAML file that fails to sufficiently restrict which classes can be loaded, allowing an authenticated user to execute Java code on the targeted machine.

Affected Versions:
Bamboo 6.0.x prior to 6.0.5
Bamboo 6.1.x prior to 6.1.4
Bamboo 6.2.x prior to 6.2.1

QID Detection Logic:
This unauthenticated QID retrieves vulnerable versions by transmitting a request to the /userlogin!doDefault.action resource of a Atlassian Bamboo installation.

漏洞危害

An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo.

解决方案

Customers are advised to upgrade to Bamboo 6.2.1, 6.1.4, 6.0.5 or later versions to remediate this vulnerability.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Bamboo 6.2.1, 6.1.4, 6.0.5 or later

Leave a Reply