Atlassian admins, your Struts 2 patch has landed
HipChat, Bamboo, and Crowd get fix
Atlassian has joined the growing list of vendors to patch its products against the Apache Struts 2 vulnerability.
Atlassian is one of many downstream vendors to need a patch, and the company has announced its Bamboo, Crowd, and HipChat Server products now have fixes available.
In Atlassian Bamboo, the bug affects versions from 5.1.0 up to, but not including, 5.14.5, and versions from 5.15.0 up to, but not including, 5.15.3. Attackers could exploit the Struts 2 bug to execute arbitrary Java code on a target without authentication.
Bamboo fixes are in 5.15.3 (recommended) and 5.14.5.
Atlassian Crowd users need to install version 2.9.7, 2.10.3 or 2.11.1 to plug the bug in their system, and all versions of the HipChat server lower than 2.2.2 need the fix.
The company notes that it has already patched its cloud services.
The Struts 2 bug is a zero-day that was under active attack when it was disclosed: a malicious Content-Type value crashed the framework and gave the attacker remote code execution rights.
One of the earliest public victims of the bug was the Canada Revenue Agency, which had its Web server attacked, but took it offline before the attackers reached any personal data.
Atlassian's advisory is here.