Atlassian issued a security advisory for its Bamboo continuous integration (CI) server software, specifically for the third-party Struts 2 / WebWork 2 framework used within the product. The Struts advisory, documented in CVE-2013-2251, states that Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted
The official Apache Struts 2 advisory, found here, “strongly recommends” that customers upgrade to Struts 18.104.22.168.
Atlassian states that this vulnerability can be fixed by upgrading Bamboo to either version 4.3.4, 4.4.8 or later. If its customers are unable to upgrade, however, Atlassian recommends that access to the Bamboo server not be allowed from untrusted networks – like the Internet.
If you are an Atlassian Bamboo user and a CloudPassage Halo customer, this recommendation can easily be implemented by leveraging Halo GhostPorts. Using GhostPorts, customers can enforce two-factor authentication to critical Bamboo ports, opening access only to authorized users.
Another recommendation from Atlassian for mitigating the exploitation of this threat vector is to block access to all URLs on a Web Application Firewall or a reverse proxy that contain any of the
redirect-action: strings. Atlassian provides a partial example for an nginx server that covers the
An easy way to validate that your temporary mitigation is employed across all of your nginx servers would be to create a Halo CSM rule to check your nginx configuration file. For the provided Atlassian example, a Halo customer could create a rule that looks similar to the screenshot below:
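The same configuration check can be scripted outside Halo. The following is an added example, not Atlassian's nginx snippet and not a Halo CSM rule; it assumes the mitigation is written as an nginx `if` block on `$args`, `$query_string` or `$request_uri` that returns a 4xx status, and the sample configs, port and upstream are constructed.

```python
import re

# Strings the rule must block. Only "redirect-action:" is visible on this
# page; extend the tuple from the vendor advisory.
REQUIRED = ("redirect-action:",)

# if ($var ~ regex) { body }, where ~* means case-insensitive
IF_RULE = re.compile(
    r'\bif\s*\(\s*\$(?P<var>\w+)\s+(?P<op>~\*?)\s+'
    r'(?P<rx>"[^"]*"|\'[^\']*\'|\S+?)\s*\)\s*\{(?P<body>[^}]*)\}')
BLOCKS = re.compile(r'\breturn\s+4\d\d\b')   # body must reject with a 4xx
INSPECTED = {"args", "query_string", "request_uri"}

def strip_comments(conf):
    """Drop '#' comments so a commented-out rule does not count.
    Simplification: assumes no '#' inside a quoted regex."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def blocking_patterns(conf):
    """Compile the regex of every active 'if' rule that rejects requests.
    Assumes simple patterns behave the same in Python's re as in PCRE."""
    found = []
    for m in IF_RULE.finditer(strip_comments(conf)):
        if m["var"] in INSPECTED and BLOCKS.search(m["body"]):
            flags = re.IGNORECASE if m["op"] == "~*" else 0
            found.append(re.compile(m["rx"].strip("\"'"), flags))
    return found

def uncovered(conf, required=REQUIRED):
    """Return the required strings that no active blocking rule matches.
    The probe puts the string in a later parameter, so a rule anchored to
    the start of the query string is reported as not covering it."""
    pats = blocking_patterns(conf)
    return [s for s in required
            if not any(p.search("a=b&" + s + "x") for p in pats)]

# Constructed sample configs (port and upstream are placeholders).
GOOD = """
server {
    listen 8085;
    location / {
        if ($args ~* "redirect-action:") { return 403; }
        proxy_pass http://127.0.0.1:8086;
    }
}
"""
COMMENTED = GOOD.replace("if (", "# if (")    # rule disabled
WRONG_STATUS = GOOD.replace("403", "200")     # matches but does not block
```

Run `uncovered()` over each server's configuration file; an empty list means every required string is rejected by an active rule.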
Some final recommendations
Your CI server likely does not require always-on remote access for the entire Internet, so please restrict access to it. Also, do not rely on mitigations as a long-term solution to a published vulnerability or advisory. Please schedule the upgrade to the latest revision of the Bamboo software as soon as you are able to.