FishEye and Crucible Security Advisory 2012-05-17
This advisory discloses a critical security vulnerability that exists in all versions of FishEye and Crucible up to and including 2.7.11.
- Customers who have downloaded and installed FishEye or Crucible should upgrade their existing FishEye and Crucible installations to fix this vulnerability.
- Enterprise ホスト型のお客様は、「Enterprise ホスト型サポート」プロジェクトの http://support.atlassian.com で、サポート リクエストを送信してアップグレードをリクエストする必要があります。
- Jira Studio および Atlassian OnDemand のお客様は、このアドバイザリに記載されている問題の影響を受けることはありません。
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
このアドバイザリに関してご質問や懸念がある場合は、https://support.atlassian.com/ でサポート リクエストを起票してください。
In this advisory:
重大な XML 解析の脆弱性
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
We have identified and fixed a vulnerability in FishEye and Crucible that results from the way third-party XML parsers are used in FishEye and Crucible.
This vulnerability allows an attacker to:
- execute denial of service attacks against the FishEye and Crucible server, and
- read all local files readable to the system user under which FishEye and Crucible runs.
An attacker does not need to have an account with the affected FishEye or Crucible server to exploit this vulnerability.
We recommend that you upgrade your FishEye and Crucible installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately, you should do all of the following until you can upgrade. Please note, these measures will only limit the impact of the vulnerability, they will not mitigate it completely.
- Disable access to the Remote, SOAP and XML-RPC APIs, if these remote APIs are not required. Note that remote API access is disabled by default. See enabling plugins for instructions.
- Disable public access (such as anonymous access and public signup ) to your FishEye or Crucible instance until you have applied the necessary upgrade.
- Ensure that your FishEye/Crucible system user is restricted as described in .
Upgrade to FishEye and Crucible 2.7.12 or later which fixes this vulnerability. For a full description of these releases, see the FishEye and Crucible release notes. The following releases have also been made available to fix these issues in older FishEye and Crucible versions. You can download these versions from the FishEye and Crucible download centres.
- FishEye and Crucible 2.6.8 for FishEye and Crucible 2.6
- FishEye and Crucible 2.5.8 for FishEye and Crucible 2.5
There are no patches available for this vulnerability.