FishEye and Crucible Security Advisory 2013-07-16
This advisory discloses security vulnerabilities that we have found in FishEye/Crucible and fixed in a recent version of FishEye/Crucible.
- Customers who have downloaded and installed FishEye/Crucible should upgrade their existing FishEye/Crucible installations to fix this vulnerability.
- Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security.
The vulnerability listed in this advisory is a vulnerability in a third-party framework - Struts 2 / WebWork 2 that is used by FishEye/Crucible. The vulnerability has been independently discovered by Atlassian and reported to the Struts maintainers.
More details about the underlying Struts vulnerability CVE-2013-2251 are available at the CVE database and in the Struts advisory.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
OGNL injection in WebWork 2
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have fixed a vulnerability in WebWork 2, which is a part of the Struts web framework. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. In the case of FishEye/Crucible, the attacker needs to be able to access the FishEye/Crucible web interface. A valid user account is not required to exploit this vulnerability.
Customers should be advised that this affects all versions of FishEye/Crucible, except FishEye/Crucible OnDemand, FishEye/Crucible 2.10.6 and FishEye/Crucible 3.0.2 or later. The issue can be tracked here: FE-4729.
Risk Mitigation
If you are unable to upgrade or patch your FishEye or Crucible server: as a temporary workaround, you can do the following:
- Block access to all URLs on a Web Application Firewall or a reverse proxy that contain any of the following strings: "redirect:", "action:" or "redirect-action:". A partial example for an nginx server is below. Note that the example only covers the "redirect:" prefix and does not account for any URL encoding that may be present.

```nginx
location ~* ^/<path to your FishEye>/ {
    if ($args ~* "redirect:") {
        return 403;
    }
    proxy_pass http://$host.internal$request_uri;
}
```
or
- Block access to your FishEye or Crucible server from untrusted networks, such as the Internet.
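As an added defender-side example (not part of Atlassian's advisory), the following Python scans constructed access-log lines for the three strings named above, percent-decoding the request target first so that the URL-encoding gap the nginx snippet leaves open is covered. The log lines, paths and hostnames are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The three parameter prefixes named in the advisory's workaround,
# longest first so "redirect-action:" is reported ahead of "action:".
ADVISORY_PREFIXES = ("redirect-action:", "redirect:", "action:")

# Minimal pattern for the request line of a common/combined log entry.
_REQUEST_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so
    double-encoded variants such as %2572edirect%253A are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def matched_prefix(target: str):
    """Return the first advisory string found in the decoded request
    target (path and query), or None if none is present."""
    decoded = decode_fully(target).lower()
    return next((p for p in ADVISORY_PREFIXES if p in decoded), None)


def scan_access_log(lines):
    """Return (timestamp, target, prefix) for every log line whose
    request target contains one of the advisory strings after decoding."""
    findings = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        hit = matched_prefix(m.group("target"))
        if hit:
            findings.append((m.group("ts"), m.group("target"), hit))
    return findings


# Constructed sample lines (not real traffic): the second is percent-encoded,
# the third double-encoded; a raw "redirect:" match would miss both.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jul/2013:10:00:01 +0000] "GET /fisheye/browse/proj HTTP/1.1" 200 512',
    '10.0.0.7 - - [16/Jul/2013:10:00:02 +0000] "GET /fisheye/browse?redirect%3Aexample=1 HTTP/1.1" 403 0',
    '10.0.0.9 - - [16/Jul/2013:10:00:03 +0000] "GET /crucible/cru?redirect-action%253Aexample=1 HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ts, target, prefix in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {target} -> {prefix}")
```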
Fix
This vulnerability can be fixed by upgrading FishEye/Crucible. There are no patches available for this vulnerability — for any questions, please raise a support request at http://support.atlassian.com/.
The Security Patch Policy describes when and how we release security patches and security upgrades for our products.
Upgrading FishEye/Crucible
The fix versions for this vulnerability are described in the 'Description' section above.
We recommend that you upgrade to the latest version of FishEye/Crucible, if possible. For a full description of the latest version of FishEye/Crucible, see the release notes: Fisheye releases / Crucible release notes. You can download the latest version of FishEye/Crucible from the download centre: FishEye only / FishEye and Crucible. Additionally, if you have large repositories you may want to take a look at our guide to Avoiding Long Reindex Times When Upgrading.