This page last changed on Nov 10, 2008 by alui.

Because Bamboo is a distributed application, its application-level security is important. This document contains links to version-specific security advisories and related documents for the Bamboo application.

This document is intended to provide information to system administrators about the security of the Bamboo application. It does not address Bamboo's internal security model – user management and permissions – except as it relates to the overall application security.

Finding and Reporting a Security Vulnerability

Open an issue on http://jira.atlassian.com in the Bamboo project.

  • Set the priority of the bug to 'Blocker'
  • Provide as much information on reproducing the bug as possible
  • Set the security level of the bug to 'Developer and Reporters only'

All communication about the vulnerability should be performed through JIRA, so we can keep track of the issue and get a patch out as soon as possible.

Publication of Bamboo Security Advisories

When a security issue in Bamboo is discovered and resolved, we will inform customers through the following mechanisms:

  • A security advisory will be posted on this page
  • A copy of the advisory will be sent to the bamboo-users and bamboo-announce mailing lists (subscribe here). These lists are mirrored on our forums.
  • If the person who reported the issue wants to publish an advisory through some other agency (for example, CERT), we'll assist in the production of that advisory, and link to it from our own.

Severity Levels

Atlassian security advisories include a severity level, rating the vulnerability as one of the following:

  • Critical
  • High
  • Moderate
  • Low

Below is a summary of the factors which we use to decide on the severity level, and the implications for your installation.

Severity Level: Critical

We classify a vulnerability as critical if most or all of the following are true:

  • Exploitation of the vulnerability results in root-level compromise of servers or infrastructure devices.
  • The information required in order to exploit the vulnerability, such as example code, is widely available to attackers.
  • Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

Severity Level: High

We give a high severity level to those vulnerabilities which have the potential to become critical, but have one or more mitigating factors that make exploitation less attractive to attackers.

For example, given a vulnerability which has many characteristics of the critical severity level, we would give it a level of high if any of the following are true:

  • The vulnerability is difficult to exploit.
  • Exploitation does not result in elevated privileges.
  • The pool of potential victims is very small.

Note: If the mitigating factor arises from a lack of technical details, the severity level would be elevated to critical if those details later became available. If your installation is mission-critical, you may want to treat this as a critical vulnerability.

Severity Level: Moderate

We give a moderate severity level to those vulnerabilities where the scales are slightly tipped in favour of the potential victim.

The following vulnerabilities are typically rated moderate:

  • Denial of service vulnerabilities, since they do not result in compromise of a target.
  • Exploits that require an attacker to reside on the same local network as the victim.
  • Vulnerabilities that affect only nonstandard configurations or obscure applications.
  • Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
  • Vulnerabilities where exploitation provides only very limited access.

Severity Level: Low

We give a low severity level to those vulnerabilities which by themselves have typically very little impact on an organisation's infrastructure.

Exploitation of such vulnerabilities usually requires local or physical system access. Exploitation may result in client-side privacy or denial of service issues and leakage of information about organisational structure, system configuration and versions, or network topology.

Original ranking compiled by the SANS Institute

Our vulnerability ranking is based on a scale originally published by the SANS Institute.

Our Patch Policy

When a security issue is discovered, we will endeavour to:

  • issue a new, fixed Bamboo version as soon as possible
  • issue a patch to the current stable version of Bamboo
  • issue patches for older versions of Bamboo if feasible

Patches will generally be attached to the relevant JIRA issue.

Security Advisories

Bamboo Security Advisory 2008-02-08 (Bamboo 2.0 Beta)

    Document generated by Confluence on Mar 02, 2009 18:51