Crowd Security Advisory 2019-05-22
Crowd: pdkinstall development plugin incorrectly enabled (CVE-2019-11580)
要約 | pdkinstall development plugin incorrectly enabled (CVE-2019-11580) |
---|---|
勧告のリリース日 | 10 AM PDT (Pacific Time, -7 hours) |
製品 |
|
影響を受けるバージョン |
|
修正済みバージョン |
|
CVE ID | CVE-2019-11580 |
脆弱性の概要
This advisory discloses a critical severity security vulnerability which was introduced in version 2.1.0 of Crowd and Crowd Data Center. Versions of Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
Customers who have upgraded Crowd or Crowd Data Center to version 3.0.5 or 3.1.6 or 3.2.8 or 3.3.5 or 3.4.4 are not affected.
Customers who are currently running:
- Crowd or Crowd Data Center from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x)
- Crowd or Crowd Data Center from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x)
- Crowd or Crowd Data Center from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x)
- Crowd or Crowd Data Center from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x)
- Crowd or Crowd Data Center from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x)
Please upgrade your Crowd or Crowd Data Center installations immediately to fix this vulnerability.
pdkinstall development plugin incorrectly enabled (CVE-2019-11580)
深刻度
アトラシアンはアトラシアンの深刻度レベルで公開されているスケールに従って、この脆弱性の深刻度レベルを重大として評価しています。このスケールによって、深刻度を重大、高度、中度、低度として評価できます。
これはアトラシアンの評価であり、お客様自身の IT 環境への適用性を評価する必要があります。
説明
Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.
All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
This issue can be tracked here: CWD-5388 - Getting issue details... STATUS
修正
弊社ではこの問題に対応するために次の対応を行いました。
- Released Crowd and Crowd Data Center version 3.4.4 that contains a fix for this issue and can downloaded from https://www.atlassian.com/software/crowd/download
- Released Crowd and Crowd Data Center versions 3.0.5, 3.1.6, 3.2.8, and 3.3.5 that contain a fix for this issue and can downloaded from https://www.atlassian.com/software/crowd/download-archive
必要なアクション
Atlassian recommends customers running a version of Crowd below version 3.3.0 upgrade to version 3.2.8 to avoid CWD-5352 - Getting issue details... STATUS , for customers running a version above or equal to 3.3.0 Atlassian recommends to upgrade to the latest version. For a full description of the latest version of Crowd, see the release notes. You can download the latest version of Crowd from the download centre.
If you are running version | Then upgrade to bugfix version |
---|---|
2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.6, 2.8.7, 2.8.8, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4 | 3.0.5 |
3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5 | 3.1.6 |
3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7 | 3.2.8 |
3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4 | 3.3.5 |
3.4.0、3.4.1、3.4.2、3.4.3 | 3.4.4 |
問題の軽減策
This issue can be mitigated by doing the following:
- Stop Crowd
- Find and delete any pdkinstall-plugin jar files from the Crowd installation directory and the data directory
- Remove the pdkinstall-plugin jar file from <Crowd installation directory>/crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip
- Unzip the <Crowd installation directory>/crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip file
- Delete the pdkinstall-plugin-0.4.jar file inside the extracted folder
- Zip the contents of the folder back into <Crowd installation directory>/crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip
- Start Crowd
- If you have any issues starting Crowd after these changes - clear the plugin cache.
- Check that there are no pdkinstall-plugin jar files in the installation directory or the data directory
The following bash script can be used to apply the above mitigation on Linux systems:
#!/bin/bash
set -u
INSTALLATION_DIRECTORY= # set this to where crowd is installed
DATA_DIRECTORY= # set this to the crowd data directory
if [ -z "$INSTALLATION_DIRECTORY" ]
then
echo "Please set INSTALLATION_DIRECTORY"
exit 1
fi
if [ -z "$DATA_DIRECTORY" ]
then
echo "Please set DATA_DIRECTORY"
exit 1
fi
if test -f $DATA_DIRECTORY; then
echo "Please check that DATA_DIRECTORY is correct."
exit 1
fi
if test -f $INSTALLATION_DIRECTORY/stop_crowd.sh; then
echo "Stopping Crowd"
$INSTALLATION_DIRECTORY/stop_crowd.sh > /dev/null
find $INSTALLATION_DIRECTORY -iname 'atlassian-bundled-plugins.zip' -exec zip -d {} 'pdkinstall-plugin-*.jar' \;
# You should see something like deleting: pdkinstall-plugin-0.4.jar after the above find command has run
find $DATA_DIRECTORY -iname 'pdkinstall-plugin*' -exec rm {} \;
echo "Starting Crowd"
if test -f $INSTALLATION_DIRECTORY/start_crowd.sh; then
$INSTALLATION_DIRECTORY/start_crowd.sh
sleep 60
find $DATA_DIRECTORY -iname 'pdkinstall-plugin*' -exec "Failed to apply the mitigation - {} still exists" \;
else
echo "Failed to start crowd"
fi
else
echo "Unable to stop crowd, please ensure that you have specified the correct installation directory."
fi
サポート
このアドバイザリのメールを受信していないため今後の受信を希望する場合は、https://my.atlassian.com/email にアクセスしてアラート メールにご登録ください。
この勧告に関してご質問や懸念がある場合は、https://support.atlassian.com/ja/ でサポート リクエストを作成してください。
参考
セキュリティ バグの修正ポリシー | アトラシアンの新しいポリシーに記載のとおり、重大なセキュリティ バグ修正は、https://www.atlassian.com/trust/security/bug-fix-policy に応じてバックポートされます。新しいポリシーの対象バージョンについては、バイナリ パッチではなく新しいメンテナンス リリースが提供されます。 バイナリ パッチのリリースは終了しています。 |
セキュリティの問題の重大度レベル | アトラシアンのセキュリティ勧告には重大度レベルと CVE ID が含まれます。重大度レベルは、それぞれの脆弱性についてアトラシアンが独自に計算した CVSS スコアに基づきます。CVSS は業界標準の脆弱性メトリックです。CVSS の詳細を FIRST.org でご確認ください。 |
サポート終了ポリシー | サポート終了ポリシーは、製品によって異なります。詳細は、アトラシアンの「製品終了ポリシー」を参照してください。 |