How to check the version of Apache Struts in Bamboo server 7.0.6

Kiran Kumar Madala
I'm New Here
June 4, 2024

How to check the version of Apache Struts in Bamboo server 7.0.6?


CVE-2017-5638 / CVE-2017-9805 / CVE-2018-11776 

Is Bamboo server 7.0.6 impacted by the above vulnerabilities?

1 answer

2 votes
Anik Sengupta
Atlassian Team
June 4, 2024

None of the above vulnerabilities impact Bamboo 7.0.6. Please find the details below:


1) CVE-2017-5638

https://jira.atlassian.com/browse/BAM-18242

Bamboo used a version of Struts 2 that was vulnerable to CVE-2017-5638. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo.

Affected versions:

All versions of Bamboo from 5.1.0 before 5.14.5 (the fixed version for 5.14.x) and from 5.15.0 but less than 5.15.3 (the fixed version for 5.15.x) are affected by this vulnerability.
Fix:

Bamboo 5.15.3 is available for download from https://www.atlassian.com/software/bamboo/download.
Bamboo 5.14.5 is available for download from https://www.atlassian.com/software/bamboo/download-archives.
Hotfix:
The preferred fix is to upgrade your Bamboo using one of the links from the Fix section. If you cannot schedule an upgrade immediately, you can replace the affected library as a temporary workaround.

Bamboo 5.9.x, 5.10.x, 5.11.x, 5.12.x - use struts2-core-2.3.16.3-atlassian-7.jar
Bamboo 5.13.x - use struts2-core-2.5.1-atlassian-11.jar (this jar has struts2 version 2.5.1 with the same fix applied in version 2.5.10.1)
To replace the library, remove the existing struts2-core library from $BAMBOO_DIR/WEB-INF/lib.


2) CVE-2017-9805 affects the Struts REST plugin, which is not used by Bamboo. It has been determined that Bamboo is not vulnerable to either Struts vulnerability, as the vulnerability exists in the Struts REST plugin, which is not bundled in the Bamboo package.
Although our applications were not affected, we have an improvement request to track the struts upgrade:

https://jira.atlassian.com/browse/BAM-18672


3) CVE-2018-11776

Our security team has investigated CVE-2018-11776 and we can confirm that no Atlassian products are affected by this vulnerability – this includes Bamboo. While we do use Struts for some products, they are not configured in a way that would leave them open to this bug. But as an extra precaution, we are updating all of the products that use Struts to the latest version.

Neither Bamboo nor any of our other products is vulnerable to this CVE. This is due to a value within Struts that is needed for the vulnerability to be actionable.

This depends on the "alwaysSelectFullNamespace" flag being set to "true". In Bamboo, this is set to false, globally.
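The following is an added example, not code from the thread or from Atlassian. It is a POSIX shell script for an administrator who wants to answer the original question without relying on memory: it reads the bundled struts2-core version from the jar file name under $BAMBOO_DIR/WEB-INF/lib (the directory the hotfix notes above point at), checks whether a given Bamboo version falls inside the affected ranges quoted in the answer for CVE-2017-5638 (5.1.0 up to but excluding 5.14.5, and 5.15.0 up to but excluding 5.15.3), and reads the alwaysSelectFullNamespace setting out of a struts.xml, the flag the answer says Bamboo sets to false. The Bamboo version is passed in by hand (as read from the Bamboo administration UI), the struts.xml location WEB-INF/classes/struts.xml and the full constant name struts.mapper.alwaysSelectFullNamespace are assumptions, and the demo directory the script builds is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Atlassian). Assumes $1 of the
# jar/xml helpers is an exploded Bamboo webapp directory such as $BAMBOO_DIR.

# Print the struts2-core version embedded in the jar name, e.g.
# struts2-core-2.3.16.3-atlassian-7.jar -> "2.3.16.3-atlassian-7".
struts_core_version() {
    dir="$1"
    for jar in "$dir"/WEB-INF/lib/struts2-core-*.jar; do
        [ -f "$jar" ] || return 1          # glob did not match anything
        base=$(basename "$jar" .jar)
        printf '%s\n' "${base#struts2-core-}"
        return 0
    done
    return 1
}

# Return 0 when dotted version $1 is strictly lower than $2 (numeric parts,
# compared left to right; a missing part counts as 0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Classify a Bamboo version against the ranges quoted in the answer for
# CVE-2017-5638: [5.1.0, 5.14.5) and [5.15.0, 5.15.3). Prints
# "affected" or "not-affected".
bamboo_cve_2017_5638_status() {
    v="$1"
    if ! version_lt "$v" 5.1.0 && version_lt "$v" 5.14.5; then
        echo affected
    elif ! version_lt "$v" 5.15.0 && version_lt "$v" 5.15.3; then
        echo affected
    else
        echo not-affected
    fi
}

# Print the value of the alwaysSelectFullNamespace constant in a struts.xml,
# or "unset" if the file does not declare it. Assumes the standard
# <constant name="..." value="..."/> element form.
always_select_full_namespace() {
    f="$1"
    val=$(sed -n 's/.*alwaysSelectFullNamespace"[^>]*value="\([^"]*\)".*/\1/p' "$f" 2>/dev/null | head -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        echo unset
    fi
}

# Build a constructed stand-in for a Bamboo webapp (empty jar placeholder and a
# minimal struts.xml) and print its path, so the checks can be run offline.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/WEB-INF/lib" "$d/WEB-INF/classes"
    : > "$d/WEB-INF/lib/struts2-core-2.3.16.3-atlassian-7.jar"   # constructed, empty file
    printf '<struts>\n  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>\n</struts>\n' \
        > "$d/WEB-INF/classes/struts.xml"                           # constructed sample
    printf '%s\n' "$d"
}

demo=$(make_demo_dir)
echo "struts2-core jar version : $(struts_core_version "$demo")"
echo "alwaysSelectFullNamespace: $(always_select_full_namespace "$demo/WEB-INF/classes/struts.xml")"
for bv in 7.0.6 5.14.4 5.14.5 5.15.2; do
    echo "Bamboo $bv vs CVE-2017-5638: $(bamboo_cve_2017_5638_status "$bv")"
done
rm -rf "$demo"
```

On a real install, point the helpers at the webapp directory (for example `struts_core_version "$BAMBOO_DIR"`) and at the struts.xml that ships inside it; the jar name gives the bundled Struts version, which is what the hotfix instructions above are keyed on.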
