Crowd Security Advisory 2016-10-19

Crowd - LDAP Java Object Injection resulting in remote code execution - CVE-2016-6496

要約

CVE-2016-6496 - Crowd LDAP Java Object Injection

勧告のリリース日

 10 AM PDT (Pacific Time, -7 hours)

製品Crowd
Affected Crowd Versions
  • 1.4.1 <= version <  2.8.8
  • 2.9.0 <= version <  2.9.5
Fixed Crowd versions
  • for 2.8.x, Crowd 2.8.8 has been released with a fix for this issue.
  • for 2.9.x, Crowd 2.9.5 has been released with a fix for this issue.
  • for 2.10.x, Crowd 2.10.1 has been released with a fix for this issue.

脆弱性の概要

This advisory discloses a critical severity security vulnerability which was introduced in version 1.4.1 of Crowd. Versions of Crowd starting with 1.4.1 before 2.8.8 (the fixed version for 2.8.x) and from 2.9.0 before 2.9.5 (the fixed version for 2.9.x) are affected by this vulnerability. 

 

Atlassian Cloud customers are not affected by the issue described in this advisory.

Customers who have downloaded and installed Crowd >= 1.4.1 less than 2.8.8 (the fixed version for 2.8.x)

Customers who have downloaded and installed Crowd >= 2.9.0 less than 2.9.5 (the fixed version for 2.9.x)

Please upgrade your Crowd installations immediately to fix this vulnerability.

JIRA Core, JIRA Software, JIRA Service Desk, Confluence, Bitbucket Server, FishEye and Crucible installations which do not use SSL/TLS connection to configured LDAP server or allow users to manipulate specific attributes of an LDAP entry are affected by this issue. Atlassian rates the severity level of this vulnerability in these products as high. According to Security Bug fix Policy fixes are included in the last maintenance releases.

Customers who have downloaded and installed JIRA >= 4.3.0 less than 7.2.1 (the fixed version for 7.2.x)

Customers who have downloaded and installed Confluence >= 3.5.0 less than 5.10.6 (the fixed version for 5.10.x)

Customers who have downloaded and installed Bitbucket Server >= 1.3.0 less than 4.10.0 (the fixed version for 4.10.x)

Customers who have downloaded and installed FishEye and Crucible >= 4.0.0 less than 4.2.0 (the fixed version for 4.2.x)

We recommend to upgrade your installations to fix this vulnerability.

 

Crowd LDAP Java Object Injection (CVE-2016-6496)

深刻度

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

説明

The Crowd LDAP directory connector allowed an attacker to gain remote code execution in Crowd by injecting malicious attributes in LDAP entries. To exploit this issue, attackers either need to modify an entry in an LDAP directory that Crowd is configured to use or successfully execute a Man-in-The-Middle attack between an LDAP server and Crowd. Crowd installations configured to communicate with an LDAP server using the LDAPS protocol with the Secure SSL option enabled are immune to the Man-in-The-Middle attack vector only (unless an attacker is able to obtain the private key of the SSL/TLS certificate used to secure the communication).

All versions of Crowd from 1.4.1 before 2.8.8 (the fixed version for 2.8.x) and from 2.9.0 before 2.9.5 (the fixed version for 2.9.x) are affected by this vulnerability. This issue can be tracked here:  CWD-4790 - Getting issue details... STATUS

 

謝辞

We would like to credit Alvaro Munoz and Alexander Mirosh of HPE Security Fortify for reporting this issue to us.

 

修正

We have taken the following steps to address this issue:

  1. Crowd version 2.10.1 has been released with a fix for this issue.
  2. Crowd version 2.9.5 has been released with a fix for this issue.
  3. Crowd version 2.8.8 has been released with a fix for this issue.
  4. JIRA Core version 7.2.1 has been released with a fix for this issue 
  5. Confluence version 5.10.6 has been released with a fix for this issue
  6. Bitbucket Server version 4.10.0 has been released with a fix for this issue
  7. FishEye and Crucible version 4.2.0 has been released with a fix for this issue


必要なアクション

Upgrade (recommended)

The vulnerabilities and fix versions are described in the description section above. Atlassian recommends that you upgrade to the latest version.

 

Upgrade Crowd to version 2.10.1 or higher.

If you are running Crowd 2.9.x and cannot upgrade to Crowd 2.10.1 then upgrade to version 2.9.5.

If you are running Crowd 2.8.x and cannot upgrade to Crowd 2.9.5 then upgrade to version 2.8.8.

For a full description of the latest version of Crowd, see the release notes. You can download the latest version of Crowd from the download center.

Upgrade JIRA Core (this is also required if you are running JIRA Software or JIRA Service Desk) to version 7.2.1 or higher. 

For a full description of the latest version of JIRA Core, see the release notes. You can download the latest version of JIRA from the download center.

Upgrade Confluence to version 5.10.6 or higher. 

For a full description of the latest version of Confluence, see the release notes. You can download the latest version of Confluence from the download center.

Upgrade Bitbucket Server to version 4.10.0 or higher. 

For a full description of the latest version of Bitbucket Server, see the release notes. You can download the latest version of Bitbucket Server from the download center.

Upgrade FishEye and Crucible to version 4.2.0 or higher. 

For a full description of the latest version of FishEye and Crucible, see the release notes. You can download the latest version of FishEye and Crucible from the download center.


問題の軽減策

The issue can be mitigated by restricting modifications of LDAP entries by LDAP users and configuring SSL/TLS connection between an LDAP Server and Crowd. 

If you are running Crowd 2.8.x and cannot upgrade to 2.8.8 or 2.9.5 then you can follow these steps to mitigate the issue:

  1. Configure the SSL/TLS connection between an LDAP server and Crowd. See Configuring Crowd to Work with SSL for information on setting up secure transport. 
  2. Restrict modification of LDAP entries by LDAP users. The following restrictions should be implemented:
    • The users should not be able to add additional object classes to their LDAP entries ("javaContainer", "javaObject", "javaNamingReference", "javaSerializedObject", "javaMarshalledObject")
    • The users should not be able to manipulate attributes related to storing Java objects in an LDAP directory ("javaSerializedData", "javaClassName", "javaFactory", "javaCodeBase", "javaReferenceAddress", "javaClassNames", "javaRemoteLocation")

 

サポート

この勧告に関してご質問や懸念がある場合は、https://support.atlassian.com/ja/ でサポート リクエストを作成してください。

参考

セキュリティ バグの修正ポリシー

Atlassian の新しいポリシーにあるように、重大なセキュリティ バグの修正は、Jira と Confluence のメジャー ソフトウェア バージョンで最大 12 か月さかのぼってバックポートされます。新しいポリシーに挙げるバージョンについては、バイナリ パッチではなく新しいメンテナンス リリースを提供します。

Binary patches will no longer be released. 

セキュリティの問題の重大度レベルアトラシアンのセキュリティ勧告には重大度レベルと CVE ID が含まれます。重大度レベルは、それぞれの脆弱性についてアトラシアンが独自に計算した CVSS スコアに基づきます。CVSS は業界標準の脆弱性メトリックです。CVSS の詳細を FIRST.org でご確認ください。
サポート終了ポリシー サポート終了ポリシーは、製品によって異なります。詳細は、アトラシアンの「製品終了ポリシー」を参照してください。 
最終更新日: 2016 年 10 月 12 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.