
Bamboo 3.2 remote agent security

Han Lee June 28, 2012

My Bamboo 3.2 instance is available to the outside world.

When I try to enable my Bamboo remote agent, the admin screen shows a link to a security advisory. This link is broken: http://confluence.atlassian.com/x/YYGlBw

I then went to your documentation and found:

Is the security advisory still an issue for Bamboo 3.2? The advisory notes that it will be fixed once out of beta but the 3.2 manual still lists it. Here's a link to the 3.2 manual's security advisory section:

If the security advisory is still valid, how can we run our Bamboo server with an AWS client without introducing some very large security issues?

2 answers

0 votes
Han Lee June 28, 2012

My concern is that we already have open access to ports 80 and 443 (to allow external people to access bamboo.) Will turning on remote agents introduce a security issue on these ports?

Przemek Bruski
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 28, 2012

With elastic agents? It won't.

Han Lee June 28, 2012

These are two different settings. I can't enable "remote agents for elastic agents" so wouldn't enabling regular "remote agents" open up extra functionality on the server? What is this functionality? The manual says that regular remote agents operate on ports 80/443/54663; so wouldn't we open some extra functionality on ports 80/443? Are these functions subject to the problems mentioned in the above security advisory?

Thanks,

Han.

Przemek Bruski
Atlassian Team
June 28, 2012

> I can't enable "remote agents for elastic agents" so wouldn't enabling regular "remote agents" open up extra functionality on the server?

Yes and no. With remote agents, you'll have to open 54663. You won't have to do it with elastic agents. There are no known vulnerabilities with port 54663, but it's a risk.

> Are these functions subject to the problems mentioned in the above security advisory?

There's no specific advisory related to your version of Bamboo and usage of remote agents. The link was only supposed to explain why enabling remote agents decreases your security.

If you enable remote agent support, your instance will provide additional functionality on HTTP ports. You can control which remote agents can access your instance starting with Bamboo 3.4, but not in 3.2.

Han Lee June 28, 2012

Awesome; sounds like an upgrade is in order. Thanks.

One last concern, can you verify that "Bamboo Security Advisory 2008-02-08 (Bamboo 2.0 Beta)" has been fixed in Bamboo 4.1.2?

Thanks,

Han.

Przemek Bruski
Atlassian Team
August 19, 2012

Yes, it has been fixed. Just make sure you follow https://confluence.atlassian.com/display/BAMBOO/Securing+your+remote+agents .

0 votes
Przemek Bruski
Atlassian Team
June 28, 2012

Two separate issues here:

General security

If you're running an instance on the Internet, you should upgrade to 4.1.2 to get all the security fixes with minimum hassle.

Remote agents/"AWS client"

I assume that by "AWS client" you mean elastic agents. Elastic agents are much safer than plain remote agents because you don't have to open any additional ports on your server and all communication with the agent is encrypted without any additional configuration.

Przemek Bruski
Atlassian Team
June 28, 2012

This is the current list of security advisories: https://confluence.atlassian.com/display/BAMBOO/Bamboo+security+advisories .
