Crucible Security Advisory 2010-06-16

The 2.3.3 release of Crucible contains security-related fixes, which are part of the shared FishEye architecture. The following information for FishEye applies equally to Crucible.

The Crucible Download Centre has the updates for Crucible.

In this advisory:

Remote Code Exploit Vulnerability

Severity

Atlassian rates this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. On that scale, vulnerabilities are rated as critical, high, medium or low.

Risk Assessment

We have identified and fixed a remote code exploit vulnerability which affects FishEye and Crucible instances.

Vulnerability

This vulnerability allows a motivated attacker to execute code remotely on the host server.

All versions of FishEye/Crucible up to version 2.3.2 are affected by this vulnerability.

Affected FishEye Versions: All versions up to and including 2.3.2.

Fix Availability: 2.3.3 update, also available as patches for 2.3.2 and 2.2.3.

Details: This vulnerability allows a motivated attacker to execute code remotely on the host server.

Severity: Critical

This vulnerability has been discovered in XWork by OpenSymphony, a command pattern framework which is used by FishEye and Crucible.

About the XWork Framework:

  • See OpenSymphony XWork for more information about XWork.

Risk Mitigation

We strongly recommend either upgrading or patching your FishEye/Crucible installation to fix this vulnerability. Please see the 'Fix' section below.

Fix

This issue has been fixed in FishEye 2.3.3 (see the changelog).

It has also been fixed in Crucible 2.3.3 (see the changelog).

Later versions will include protection from this vulnerability.

This fix is also provided as a patch for FishEye/Crucible 2.3.2 and 2.2.3, which you can download from links on this page. Customers on earlier point versions of FishEye/Crucible will have to upgrade to version 2.3.2 or 2.2.3 before applying the patch. Atlassian recommends you upgrade to FishEye/Crucible 2.3.3.

Download Patches for Earlier FishEye / Crucible Versions

These patch releases contain security fixes, which apply to the shared FishEye architecture that is the basis of both FishEye and Crucible.

Please note that these patches are for specific point versions of FishEye (2.3.2 and 2.2.3). If you are running an earlier version than these, you will need to upgrade to a version specifically addressed by one of these patches. Atlassian strongly recommends that you upgrade to FishEye 2.3.3 / Crucible 2.3.3 or later.

MD5 checksums are provided to allow verification of the downloaded files.
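As an added example (not part of the advisory), the following POSIX shell function compares a downloaded patch archive against the checksum listed in this page's tables before the patch is applied; it reports a missing file and a mismatch separately so that an automated rollout can stop on either. The script name `verify.sh` in the usage comment is assumed.

```shell
# Added example: verify a downloaded patch archive against the MD5 checksum
# published in this advisory. Not Atlassian's code.
# Usage: verify_patch <file> <expected-md5>
# Returns 0 on match, 1 on mismatch, 2 if the file does not exist.
verify_patch() {
    file="$1"
    expected="$2"
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 2
    fi
    # md5sum is standard on Linux; fall back to openssl where it is absent
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | cut -d' ' -f1)
    else
        actual=$(openssl dgst -md5 "$file" | sed 's/.*= //')
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file expected $expected got $actual" >&2
    return 1
}

# Run directly with the archive and the checksum from this page, e.g.
#   sh verify.sh fisheye-crucible-2.3.2-patch1.zip 6fe98db821a6d26f26907688af2ccd84
if [ "$#" -eq 2 ]; then
    verify_patch "$1" "$2"
fi
```

A matching MD5 only shows that the download is the file Atlassian listed; it says nothing about who published the checksum, so obtain it from the advisory page itself over HTTPS rather than from the download mirror.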

Patch for FishEye / Crucible 2.3.2

File: fisheye-crucible-2.3.2-patch1.zip

FishEye / Crucible Version: 2.3.2

Release Date: 16th June, 2010

MD5 Checksum: 6fe98db821a6d26f26907688af2ccd84

Patch for FishEye / Crucible 2.2.3

File: fisheye-crucible-2.2.3-patch1.zip

FishEye / Crucible Version: 2.2.3

Release Date: 16th June, 2010

MD5 Checksum: 6fe98db821a6d26f26907688af2ccd84

Our thanks to Meder Kydyraliev of the Google Security Team who discovered this vulnerability. Atlassian fully supports the reporting of vulnerabilities and appreciates it when people work with Atlassian to identify and solve the problem.

Last updated: 16 June 2010
