Crowd Security Advisory 2014-05-21
This advisory discloses a critical security vulnerability that we have found in Crowd and fixed in a recent version of Crowd.
- Customers who have downloaded and installed Crowd should upgrade their existing Crowd installations or apply the patch to fix this vulnerability.
- Atlassian OnDemand customers have been upgraded with the fix for the issue described in this advisory.
- No other Atlassian products are affected.
The vulnerability affects all versions of Crowd up to and including 2.7.1.
Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.
ClassLoader manipulation vulnerability
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have fixed a vulnerability in our fork of Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to be able to access the Crowd web interface. When anonymous access is enabled, a valid user account is not required to exploit this vulnerability.
We discovered this vulnerability during our review of the recent Struts security advisories. This vulnerability is specific to Crowd.
The vulnerability affects all versions of Crowd earlier than and including 2.7. Crowd 2.5.7, 2.6.7 and 2.7.2 are not vulnerable. The issue is tracked in CWD-3904.
Risk Mitigation
If you are unable to upgrade your Crowd server you can do the following as a temporary workaround:
At a reverse proxy or a firewall, block all requests whose URI parameters match the following regular expression pattern. Note that the pattern does not account for any URL encoding that may be present, so decode the URI before matching if your proxy or firewall does not do so already.
.*[?&](.*\.||.*|\[('|"))(c|C)lass(\.|('|")]|\[).*
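To show how the workaround behaves, here is an added Python example (not code from the advisory or from Atlassian) that applies the advisory's pattern, copied verbatim, to a few constructed request URIs. Because the advisory notes the pattern does not account for URL encoding, the helper percent-decodes the URI before matching; that decoding step, the helper names and the sample URIs are assumptions of this example, not part of the advisory.

```python
import re
from urllib.parse import unquote

# The block pattern exactly as given in the advisory's workaround.
BLOCK_PATTERN = re.compile(r""".*[?&](.*\.||.*|\[('|"))(c|C)lass(\.|('|")]|\[).*""")


def should_block(request_uri: str, decode: bool = True) -> bool:
    """Return True if the request URI matches the advisory's block pattern.

    The advisory says the pattern does not account for URL encoding, so this
    helper (an addition, not part of the advisory) percent-decodes the URI
    before matching. Pass decode=False to see how the raw pattern behaves on
    an encoded request.
    """
    target = unquote(request_uri) if decode else request_uri
    return BLOCK_PATTERN.match(target) is not None


def classify_requests(uris):
    """Split request URIs into (blocked, allowed) lists using should_block()."""
    blocked, allowed = [], []
    for uri in uris:
        (blocked if should_block(uri) else allowed).append(uri)
    return blocked, allowed


# Constructed sample request URIs (not captured traffic) for demonstration.
# The first two are ordinary requests and must pass; the rest carry a
# "class" property access of the kind the advisory's pattern is meant to stop.
SAMPLE_URIS = [
    "/crowd/console/login.action?username=bob&password=s3cret",
    "/crowd/console/login.action?classification=top",
    "/crowd/console/login.action?class.classLoader.foo=bar",
    "/crowd/console/login.action?user['class']['classLoader']['x']=1",
    "/crowd/console/login.action?Class%5B=1",  # %5B is '[' once decoded
]

if __name__ == "__main__":
    blocked, allowed = classify_requests(SAMPLE_URIS)
    for uri in blocked:
        print("BLOCK", uri)
    for uri in allowed:
        print("ALLOW", uri)
```

The encoded sample is the reason for the decoding step: with decode=False the raw pattern lets "?Class%5B=1" through, while the decoded form "?Class[=1" is blocked. The "classification=top" sample also shows that the pattern requires "class" to be followed by a dot, a quoted closing bracket or an opening bracket, so ordinary parameter names that merely contain the word are not blocked.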
Fix
This vulnerability can be fixed by upgrading Crowd. There are no patches available for this vulnerability.
The Security Patch Policy describes when and how we release security patches and security upgrades for our products.
Upgrading Crowd
Upgrade to Crowd 2.5.7, 2.6.7, 2.7.2, or a later version, which fixes this vulnerability. We recommend that you upgrade to the latest version of Crowd, if possible. For a full description of these releases, see the Crowd Release Notes. You can download these versions of Crowd from the download center.