Lucene search

K
atlassianAminozhenkoBAM-18242
HistoryMar 10, 2017 - 4:57 a.m.

Apache Struts 2 Remote Code Execution (CVE-2017-5638)

2017-03-1004:57:51
aminozhenko
jira.atlassian.com
63

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%

Description

Bamboo used a version of Struts 2 that was vulnerable to [CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo

Affected versions:

  • All versions of Bamboo from 5.1.0 before 5.14.5 (the fixed version for 5.14.x) and from 5.15.0 but less than 5.15.3 (the fixed version for 5.15.x) are affected by this vulnerability.

Fix:

Hotfix:
The preferred fix is to upgrade your Bamboo using one of the links from the Fix section. If you cannot schedule an upgrade immediately, you can replace the affected library as a temporary workaround.

  • Bamboo 5.9.x, 5.10.x, 5.11.x, 5.12.x - use [^struts2-core-2.3.16.3-atlassian-7.jar]
  • Bamboo 5.13.x - use [^struts2-core-2.5.1-atlassian-11.jar] (this jar has struts2 version 2.5.1 with the same fix applied in version 2.5.10.1)

To replace the library, remove the existing struts2-core library from $BAMBOO_DIR/WEB-INF/lib, replace it with one matching your Bamboo version and restart your Bamboo server. This temporary solution is provided only for your convenience and an upgrade to an official Bamboo release should be scheduled as soon as possible.

For additional details see the [full advisory|https://confluence.atlassian.com/x/_slDN].

Affected configurations

Vulners
Node
atlassianbamboo_data_centerRange5.13.1
OR
atlassianbamboo_data_centerRange5.13.2
OR
atlassianbamboo_data_centerRange5.14.3.1
OR
atlassianbamboo_data_centerRange5.14.4.1
OR
atlassianbamboo_data_centerRange5.15.1
OR
atlassianbamboo_data_centerRange5.15.2
OR
atlassianbamboo_data_centerRange<5.15.3
OR
atlassianbamboo_data_centerRange<5.14.5
OR
atlassianbamboo_data_centerRange<6.0.0

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%