FishEye and Crucible Security Advisory 2012-05-17
This advisory discloses a critical security vulnerability that exists in all versions of FishEye and Crucible up to and including 2.7.11.
- Customers who have downloaded and installed FishEye or Crucible should upgrade their existing FishEye and Crucible installations to fix this vulnerability.
- Enterprise Hosted customers need to request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project.
- JIRA Studio and Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
In this advisory:
Critical XML Parsing Vulnerability
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have identified and fixed a vulnerability in FishEye and Crucible that results from the way third-party XML parsers are used in FishEye and Crucible.
This vulnerability allows an attacker to:
- execute denial of service attacks against the FishEye and Crucible server, and
- read all local files readable to the system user under which FishEye and Crucible runs.
An attacker does not need to have an account with the affected FishEye or Crucible server to exploit this vulnerability.
All versions of FishEye and Crucible up to and including 2.7.11 are affected by this vulnerability. This issue can be tracked here: FE-4016 - Getting issue details... STATUS
Risk Mitigation
We recommend that you upgrade your FishEye and Crucible installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately, you should do all of the following until you can upgrade. Please note, these measures will only limit the impact of the vulnerability, they will not mitigate it completely.
- Disable access to the Remote, SOAP and XML-RPC APIs, if these remote APIs are not required. Note that remote API access is disabled by default. See enabling plugins for instructions.
- Disable public access (such as anonymous access and public signup ) to your FishEye or Crucible instance until you have applied the necessary upgrade.
- Ensure that your FishEye/Crucible system user is restricted as described in best practices for configuring FishEye security.
Fix
Upgrade
Upgrade to FishEye and Crucible 2.7.12 or later which fixes this vulnerability. For a full description of these releases, see the FishEye and Crucible release notes. The following releases have also been made available to fix these issues in older FishEye and Crucible versions. You can download these versions from the FishEye and Crucible download centres.
- FishEye and Crucible 2.6.8 for FishEye and Crucible 2.6
- FishEye and Crucible 2.5.8 for FishEye and Crucible 2.5
Patches
There are no patches available for this vulnerability.