FishEye Security Advisory 2010-05-04

In this advisory:

Admin Escalation Vulnerability

深刻度

アトラシアンは「セキュリティ問題の重大度レベル」に掲載されている尺度に従って、この脆弱性を重大と判断しています。脆弱性は尺度に従い、重大、高度、中度、低度として評価されます。

Risk Assessment

We have identified and fixed an admin escalation vulnerability, which affects FishEye instances. This vulnerability has security implications and is especially important for anyone running publicly accessible instances of FishEye.

Vulnerability

This vulnerability allows a motivated attacker to perform admin actions.

All versions of FishEye from version 1.6.0-beta2 (including 1.6.0) through to 2.2.1 are affected by these admin escalation vulnerabilities.

Affected FishEye Versions

可用性を修正

詳細情報

深刻度

2.2.1 を含むすべてのバージョン。

2.2.3 update, also available as patches for certain versions, listed on this page.

This vulnerability allows a motivated attacker to perform admin actions.

重要

Risk Mitigation

We strongly recommend either upgrading or patching your FishEye installation to fix this vulnerability. Please see the 'Fix' section below.

Note: If you are an Atlassian JIRA Studio customer, we have assessed that your system is secure and implemented additional protections for it.

修正

These issues have been fixed in FishEye 2.2.3 (see the changelog), which you can download from the download centre. Later versions will include protection from this vulnerability.

This fix is also provided as a patch for FishEye 2.1.4, 2.0.6 and 1.6.6, which you can download from this page. Customers on earlier point versions of FishEye will have to upgrade to version 2.1.4, 2.0.6 or 1.6.6 before applying the patch. We recommend you upgrade to FishEye 2.2.3.

XSS Vulnerabilities in FishEye

深刻度

Atlassian rates these vulnerabilities as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed several cross-site scripting (XSS) vulnerabilities in FishEye, which may affect FishEye instances. These vulnerabilities have security implications and are especially important for anyone running publicly accessible instances of FishEye.

  • 攻撃者は、この脆弱性を利用して他のユーザーのセッション クッキーやその他の資格情報を盗み、その資格情報を攻撃者自身の Web サーバーに送り返す可能性があります。
  • The attacker's text and script might be displayed to other people viewing a FishEye page. This is potentially damaging to your company's reputation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Vulnerability

All versions of FishEye are affected by these XSS vulnerabilities.

Affected FishEye Versions

可用性を修正

詳細情報

深刻度

2.2.1 を含むすべてのバージョン。

2.2.3

An attacker could take advantage of this vulnerability to steal other users' session cookies or other credentials, or the attacker's text and script might be displayed to other people viewing a FishEye page.

重要

Risk Mitigation

We strongly recommend upgrading your FishEye installation to fix these vulnerabilities. Please see the 'Fix' section below.

修正

These issues have been fixed in FishEye 2.2.3 (see the changelog), which you can download from the download centre.

Prevention of Brute Force Attacks

深刻度

Atlassian rates this vulnerability as moderate, according to the scale published in Severity Levels for Security Issues.

Risk Assessment

We have improved the security of the following areas in FishEye:

  • Prevention of brute force attacks by requiring users to solve a CAPTCHA test after a maximum number of repeated login attempts.

Vulnerability

We have identified and fixed a problem where FishEye allows an unlimited number of repeated login attempts, potentially opening FishEye to a brute force attack. Details of this improvement are summarised below.

Affected FishEye Versions

可用性を修正

詳細情報

深刻度

2.2.1 を含むすべてのバージョン。

2.2.3

FishEye allows an unlimited number of login attempts. This makes FishEye vulnerable to a brute force attack.

中程度

Risk Mitigation

We recommend that you upgrade your FishEye installation to fix these vulnerabilities. Please see the 'fix' section below.

You can also prevent brute force attacks by following our guidelines on using Fail2Ban to limit login attempts.

修正

This issue has been fixed in FishEye 2.2.3 (see the changelog). Later versions will include protection from this vulnerability. You can download FishEye 2.2.3 from the download centre.

Changed Behaviour in FishEye

In order to fix these issues, we have changed FishEye's behaviour as follows:

  • After three consecutive failed login attempts, FishEye will display a CAPTCHA form asking the user to enter a given word when attempting to log in again. This will prevent brute force attacks via the login screen. The number of failed attempts needed to trigger the CAPTCHA testing is configurable. For more information, see the documentation for Brute force login protection.

In addition, after three consecutive failed login attempts via the FishEye remote API, an error message will be returned. Human intervention will then be required to reset that login account, i.e. solve the CAPTCHA test via the login screen.

Download Patches for Earlier FishEye / Crucible Versions

These patch releases contain security fixes, which apply to the shared FishEye architecture that is the basis of both FishEye and Crucible.

These patches fix the Admin Escalation vulnerability only. Please note that these patches are for specific older point versions of FishEye (2.1.4, 2.0.6 or 1.6.6). If you are running an earlier version than these, you will need to upgrade to a version specifically addressed by one of these patches. To update a more recent version of the product (2.1.5 through 2.2.1), please upgrade to FishEye 2.2.3 or later. Atlassian strongly recommends that you upgrade to FishEye 2.2.3 or later.

MD5 checksums are provided to allow verification of the downloaded files.

Patch for FishEye / Crucible 2.1.4

ファイル

FishEye / Crucible Version

リリース日

MD5 Checksum

fisheye-crucible-2.1.4-patch1.zip

2.1.4

4th May, 2010

6062fa2e1ad93729527357fb97b0d2ea

Patch for FishEye / Crucible 2.0.6

ファイル

FishEye / Crucible Version

リリース日

MD5 Checksum

fisheye-crucible-2.0.6-patch1.zip

2.0.6

4th May, 2010

6aae75e2a5308121887bf9532473cf75

Patch for FishEye 1.6.6

ファイル

FishEye Version

リリース日

MD5 Checksum

fisheye-1.6.6-patch1.zip

1.6.6

4th May, 2010

210ef3358aff83861733f8f22d331d7e

Patch for Crucible 1.6.6

ファイル

Crucible Version

リリース日

MD5 Checksum

crucible-1.6.6-patch1.zip

1.6.6

4th May, 2010

48e8e8ada0ddb3fc8671459051df1120

(info) To acquire all of the fixes on this page, upgrade to FishEye 2.2.3, which you can download from the download centre.

最終更新日 2014 年 8 月 12 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.