Crowd Security Advisory 2014-05-21

This advisory discloses a critical security vulnerability that we have found in Crowd and fixed in a recent version of Crowd.

  • Customers who have downloaded and installed Crowd should upgrade their existing Crowd installations or apply the patch to fix this vulnerability.
  • Atlassian OnDemand customers have been upgraded with the fix for the issue described in this advisory.
  • No other Atlassian products are affected.

The vulnerability affects all versions of Crowd up to and including 2.7.1.

Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and appreciate your cooperation in identifying and resolving issues.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com.

ClassLoader manipulation vulnerability

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have fixed a vulnerability in our fork of Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to be able to access the Crowd web interface. In cases where anonymous access is enabled, a valid user account is not required to exploit this vulnerability.

We discovered this vulnerability during our review of the recent Struts security advisories. This vulnerability is specific to Crowd.

The vulnerability affects all versions of Crowd earlier than and including 2.7. Crowd 2.5.7, 2.6.7 and 2.7.2 are not vulnerable. The issue is tracked in CWD-3904.

Risk Mitigation

If you are unable to upgrade your Crowd server you can do the following as a temporary workaround:

  • Block at a reverse proxy or a firewall all requests whose URI parameters match the following regular expression pattern. Note that the pattern does not account for any URL encoding that may be present, so decode the URI before matching.

    .*[?&](.*\.||.*|\[('|"))(c|C)lass(\.|('|")]|\[).*
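As an added illustration (not part of the advisory and not Atlassian's code), the following Python applies the workaround pattern above to request URIs and to constructed access-log lines, percent-decoding the URI first so that the URL-encoding caveat is handled. The function names, the sample URIs and the log lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# The pattern exactly as given in the advisory's workaround.
BLOCK_PATTERN = re.compile(r""".*[?&](.*\.||.*|\[('|"))(c|C)lass(\.|('|")]|\[).*""")

# Extracts the request target from a common-log-format line (assumed format).
LOG_REQUEST = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly so double-encoded input is normalised.

    The round limit keeps pathological input from looping indefinitely.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return value


def matches_workaround(uri: str, decode: bool = True) -> bool:
    """Return True when the URI would be blocked by the advisory's pattern.

    With decode=True the URI is percent-decoded first; with decode=False the
    raw string is matched, which is what a naive proxy rule would do.
    """
    target = decode_fully(uri) if decode else uri
    return BLOCK_PATTERN.search(target) is not None


def flagged_requests(log_lines):
    """Return the request targets in the given log lines that match the pattern."""
    hits = []
    for line in log_lines:
        found = LOG_REQUEST.search(line)
        if found and matches_workaround(found.group(1)):
            hits.append(found.group(1))
    return hits


# Constructed sample log lines (not real Crowd traffic) for an offline check.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [21/May/2014:10:00:01 +0000] "GET /crowd/console/login.action?username=bob HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/May/2014:10:00:07 +0000] "GET /crowd/?%63lass.x=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for target in flagged_requests(SAMPLE_ACCESS_LOG):
        print("would be blocked:", target)
```

The second sample line shows why decoding matters: matched raw, `%63lass.x=1` contains no literal `class` and slips past the pattern, while the decoded form is caught.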

Fix

This vulnerability can be fixed by upgrading Crowd. There are no patches available for this vulnerability.

Our Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Upgrading Crowd

Upgrade to Crowd 2.5.7, 2.6.7, 2.7.2, or a later version, which fixes this vulnerability. We recommend that you upgrade to the latest version of Crowd, if possible. For a full description of these releases, see the Crowd Release Notes. You can download these versions of Crowd from the download center.


Last modified: 14 October 2014
