My Bamboo 3.2 instance is available to the outside world.
When I try to enable my Bamboo remote agent, the admin screen shows a link to a security advisory. This link is broken: http://confluence.atlassian.com/x/YYGlBw
I then went to your documentation and found:
If the security advisory is still valid, how can we run our Bamboo server with an AWS client without introducing some very large security issues?
Two separate issues here:
If you're running an instance on the Internet, you should upgrade to 4.1.2 to get all the security fixes with minimum hassle.
Remote agents/"AWS client"
I assume that by "AWS client" you mean elastic agents. Elastic agents are much safer than plain remote agents because you don't have to open any additional ports on your server and all communication with the agent is encrypted without any additional configuration.
These are two different settings. I can't enable "remote agents for elastic agents" so wouldn't enabling regular "remote agents" open up extra functionality on the server? What is this functionality? The manual says that regular remote agents operate on ports 80/443/54663; so wouldn't we open some extra functionality on ports 80/443? Are these functions subject to the problems mentioned in the above security advisory?
I can't enable "remote agents for elastic agents" so wouldn't enabling regular "remote agents" open up extra functionality on the server?
Yes and no. With remote agents, you'll have to open 54663. You won't have to do it with elastic agents. There are no known vulnerabilities with port 54663, but it's a risk.
Are these functions subject to the problems mentioned in the above security advisory?
There's no specific advisory related to your version of Bamboo and usage of remote agents. The link was only supposed to explain why enabling remote agents decreases your security.
If you enable remote agent support, your instance will provide additional functionality on HTTP ports. You can control which remote agents can access your instance starting with Bamboo 3.4, but not in 3.2 .
Thanks for signing up for Jira Ops! I’m Matt Ryall, leader for the Jira Ops product team at Atlassian. Since this is a brand new product, we’ll be delivering improvements quickly and sharing updates...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs