Fidelis Cybersecurity
Fidelis Blog


Atlassian Bamboo, CVE-2013-2251, and you

CVE-2013-2251 states that Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted action:, redirect:, or redirectAction: prefix.

The official Apache Struts 2 advisory, found here, “strongly recommends” that customers upgrade to Struts

The Fix

Atlassian states that this vulnerability can be fixed by upgrading Bamboo to version 4.3.4, 4.4.8 or later. If customers are unable to upgrade, Atlassian recommends that access to the Bamboo server not be allowed from untrusted networks, such as the Internet.

If you are an Atlassian Bamboo user and a CloudPassage Halo customer, this recommendation can easily be implemented by leveraging Halo GhostPorts. Using GhostPorts, customers can enforce two-factor authentication to critical Bamboo ports, opening access only to authorized users.

Another mitigation Atlassian recommends is to block, on a Web Application Firewall or a reverse proxy, every URL that contains any of the redirect:, action: or redirect-action: strings. Atlassian provides a partial example for an nginx server that covers only the redirect: prefix.

An easy way to validate that your temporary mitigation is applied across all of your nginx servers is to create a Halo CSM rule that checks your nginx configuration file. For the Atlassian example, a Halo customer could create a rule similar to the screenshot below:

[Screenshot: Bamboo Rule]
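Because Atlassian's nginx example covers only the redirect: prefix, a configuration check should report which of the three CVE-2013-2251 prefixes a given server block actually rejects. The checker below is an added example, not code from Atlassian, Fidelis or CloudPassage: the nginx fragments are constructed, and it only understands quoted `if ($var ~ "...")` guards whose body ends in `return 4xx` or `deny all`.

```python
import re

# The three parameter prefixes named in CVE-2013-2251, spelled as in the CVE text.
STRUTS_PREFIXES = ("action:", "redirect:", "redirectAction:")

# Recognises a quoted nginx guard such as:  if ($args ~* "(^|&)redirect:") { return 403; }
# Only positive ~ / ~* tests are parsed; negated (!~) guards and unquoted regexes are ignored.
IF_GUARD = re.compile(
    r'if\s*\(\s*\$(?P<var>\w+)\s*(?P<op>~\*?)\s*"(?P<regex>[^"]+)"\s*\)\s*\{(?P<body>[^}]*)\}')

def blocking_guards(config: str):
    """Return (nginx variable, compiled regex) for each guard whose body rejects the request."""
    guards = []
    for m in IF_GUARD.finditer(config):
        if not re.search(r'\breturn\s+4\d\d\b|\bdeny\s+all\b', m.group("body")):
            continue  # guard matches but does not block, so it is not a mitigation
        flags = re.IGNORECASE if m.group("op") == "~*" else 0
        # Python's re is close enough to PCRE for the simple patterns used here.
        guards.append((m.group("var"), re.compile(m.group("regex"), flags)))
    return guards

def coverage(config: str) -> dict:
    """Map each CVE prefix to True when some blocking guard matches a request carrying it."""
    guards = blocking_guards(config)
    result = {}
    for prefix in STRUTS_PREFIXES:
        # Constructed probe request: the prefix appears as a query-string parameter name.
        probe = {"args": f"{prefix}foo=1", "query_string": f"{prefix}foo=1",
                 "request_uri": f"/browse/PROJ?{prefix}foo=1"}
        result[prefix] = any(rx.search(probe.get(var, "")) for var, rx in guards)
    return result

def missing_prefixes(config: str) -> list:
    """Prefixes that the configuration would still let through."""
    return [p for p, blocked in coverage(config).items() if not blocked]

# Constructed nginx fragment covering only redirect:, mirroring a partial mitigation.
PARTIAL_CONF = """
location / {
    if ($args ~* "(^|&)redirect:") { return 403; }
    proxy_pass http://bamboo:8085;
}
"""
# Constructed fragment extended to all three prefixes from the CVE text.
FULL_CONF = PARTIAL_CONF.replace("redirect:", "(action|redirect|redirectAction):")

if __name__ == "__main__":
    print("partial config still allows:", missing_prefixes(PARTIAL_CONF))  # ['action:', 'redirectAction:']
    print("full config still allows:", missing_prefixes(FULL_CONF))        # []
```

A guard on `$args` only inspects the query string, so this check says nothing about parameters submitted in a request body; that gap is one more reason to treat the proxy rule as temporary and schedule the upgrade.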

Some final recommendations

Your CI server likely does not require always-on remote access for the entire Internet, so please restrict access to it. Also, do not rely on mitigations as a long-term solution to a published vulnerability or advisory. Please schedule the upgrade to the latest revision of the Bamboo software as soon as you are able to.

Photo Credit: ◄soundwave► via Compfight cc
