FishEye Security Advisory 2010-05-04
In this advisory:
Admin Escalation Vulnerability
Severity
Atlassian rates this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed an admin escalation vulnerability, which affects FishEye instances. This vulnerability has security implications and is especially important for anyone running publicly accessible instances of FishEye.
Vulnerability
This vulnerability allows a motivated attacker to perform admin actions.
All versions of FishEye from version 1.6.0-beta2 (including 1.6.0) through to 2.2.1 are affected by these admin escalation vulnerabilities.
Affected FishEye Versions | Fix Availability | More Details | Severity |
|---|---|---|---|
All versions up to and including 2.2.1 | 2.2.3 update, also available as patches for certain versions, listed on this page. | This vulnerability allows a motivated attacker to perform admin actions. | Critical |
Risk Mitigation
We strongly recommend either upgrading or patching your FishEye installation to fix this vulnerability. Please see the 'Fix' section below.
Note: If you are an Atlassian JIRA Studio customer, we have assessed that your system is secure and implemented additional protections for it.
Fix
These issues have been fixed in FishEye 2.2.3 (see the changelog), which you can download from the download centre. Later versions will include protection from this vulnerability.
This fix is also provided as a patch for FishEye 2.1.4, 2.0.6 and 1.6.6, which you can download from this page. Customers on earlier point versions of FishEye will have to upgrade to version 2.1.4, 2.0.6 or 1.6.6 before applying the patch. We recommend you upgrade to FishEye 2.2.3.
XSS Vulnerabilities in FishEye
Severity
Atlassian rates these vulnerabilities as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed several cross-site scripting (XSS) vulnerabilities in FishEye, which may affect FishEye instances. These vulnerabilities have security implications and are especially important for anyone running publicly accessible instances of FishEye.
- The attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to the attacker's own web server.
- The attacker's text and script might be displayed to other people viewing a FishEye page. This is potentially damaging to your company's reputation.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
Vulnerability
All versions of FishEye are affected by these XSS vulnerabilities.
Affected FishEye Versions | Fix Availability | More Details | Severity |
|---|---|---|---|
All versions up to and including 2.2.1 | 2.2.3 only | An attacker could take advantage of this vulnerability to steal other users' session cookies or other credentials, or the attacker's text and script might be displayed to other people viewing a FishEye page. | Critical |
Risk Mitigation
We strongly recommend upgrading your FishEye installation to fix these vulnerabilities. Please see the 'Fix' section below.
Fix
These issues have been fixed in FishEye 2.2.3 (see the changelog), which you can download from the download centre.
Prevention of Brute Force Attacks
Severity
Atlassian rates this vulnerability as moderate, according to the scale published in Severity Levels for Security Issues.
Risk Assessment
We have improved the security of the following areas in FishEye:
- Prevention of brute force attacks by requiring users to solve a CAPTCHA test after a maximum number of repeated login attempts.
Vulnerability
We have identified and fixed a problem where FishEye allows an unlimited number of repeated login attempts, potentially opening FishEye to a brute force attack. Details of this improvement are summarised below.
Affected FishEye Versions | Fix Availability | More Details | Severity |
|---|---|---|---|
All versions up to and including 2.2.1 | 2.2.3 only | FishEye allows an unlimited number of login attempts. This makes FishEye vulnerable to a brute force attack. | Moderate |
Risk Mitigation
We recommend that you upgrade your FishEye installation to fix these vulnerabilities. Please see the 'fix' section below.
You can also prevent brute force attacks by following our guidelines on using Fail2Ban to limit login attempts.
Fix
This issue has been fixed in FishEye 2.2.3 (see the changelog). Later versions will include protection from this vulnerability. You can download FishEye 2.2.3 from the download centre.
Changed Behaviour in FishEye
In order to fix these issues, we have changed FishEye's behaviour as follows:
- After three consecutive failed login attempts, FishEye will display a CAPTCHA form asking the user to enter a given word when attempting to log in again. This will prevent brute force attacks via the login screen. The number of failed attempts needed to trigger the CAPTCHA testing is configurable. For more information, see the documentation for Brute force login protection.
In addition, after three consecutive failed login attempts via the FishEye remote API, an error message will be returned. Human intervention will then be required to reset that login account, i.e. solve the CAPTCHA test via the login screen.
Download Patches for Earlier FishEye / Crucible Versions
These patch releases contain security fixes, which apply to the shared FishEye architecture that is the basis of both FishEye and Crucible.
These patches fix the Admin Escalation vulnerability only. Please note that these patches are for specific older point versions of FishEye (2.1.4, 2.0.6 or 1.6.6). If you are running an earlier version than these, you will need to upgrade to a version specifically addressed by one of these patches. To update a more recent version of the product (2.1.5 through 2.2.1), please upgrade to FishEye 2.2.3 or later. Atlassian strongly recommends that you upgrade to FishEye 2.2.3 or later.
MD5 checksums are provided to allow verification of the downloaded files.
Patch for FishEye / Crucible 2.1.4
File | FishEye / Crucible Version | Release Date | MD5 Checksum |
|---|---|---|---|
2.1.4 | 4th May, 2010 | 6062fa2e1ad93729527357fb97b0d2ea |
Patch for FishEye / Crucible 2.0.6
File | FishEye / Crucible Version | Release Date | MD5 Checksum |
|---|---|---|---|
2.0.6 | 4th May, 2010 | 6aae75e2a5308121887bf9532473cf75 |
Patch for FishEye 1.6.6
File | FishEye Version | Release Date | MD5 Checksum |
|---|---|---|---|
1.6.6 | 4th May, 2010 | 210ef3358aff83861733f8f22d331d7e |
Patch for Crucible 1.6.6
File | Crucible Version | Release Date | MD5 Checksum |
|---|---|---|---|
1.6.6 | 4th May, 2010 | 48e8e8ada0ddb3fc8671459051df1120 |
To acquire all of the fixes on this page, upgrade to FishEye 2.2.3, which you can download from the download centre.