This is a note of a critical security issue found in some of the libraries Bamboo uses with its on-premises products. This does not affect SharePoint Online/Microsoft 365 customers.
Bamboo uses a standard .NET library to support the User Interface (UI) experience for its products that is developed by Telerik (Telerik .NET Components Suites & UI Libraries)
Telerik noted a security vulnerability as follows: “A vulnerability in Telerik UI for ASP.NET could allow for arbitrary code execution. ASP.NET is an open-source server-side web application framework designed for web development to produce dynamic web pages.” Details of the security flaw can be found here: A Vulnerability in Telerik UI for ASP.NET Could Allow for Arbitrary Code Execution (cisecurity.org)
Since most of our customers are in closed SharePoint services and not accessible to the outside world, we did not address this security issue at first. However, Security teams for our customers have required us to move off this version of Telerik to a version that does not have this vulnerability.
Bamboo has created a hotfix for its products that is available at no charge for customers on active support.
Process for the customer to obtain the hotfix
- Open a support ticket through this link: Submit a request – Bamboo Solutions Knowledge Base (zendesk.com)
- Support will work with you to identify all servers that require the hotfix.
- We can only deploy the hotfix to servers running Bamboo products.
- Servers receiving the hotfix must be properly licensed and on support.
- Support will provide the hotfix and simple instructions for its deployment to each server.
Once deployed, Bamboo products will be updated and using Telerik Version 2021.1.330.45
Please reach out to support if you have any questions or concerns on this matter.