Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.2559 Crowd LDAP Java Object Injection 1 November 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Atlassian Crowd Publisher: Atlassian Operating System: Linux variants Windows OS X Solaris Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2016-6496 Original Bulletin: https://confluence.atlassian.com/x/wykQMw - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Note: the current version of this advisory can be found at https://confluence.atlassian.com/x/wykQMw . CVE ID: * CVE-2016-6496 - Crowd LDAP Java Object Injection Product: Crowd Affected Crowd Versions: 1.4.1 <= version < 2.8.8 2.9.0 <= version < 2.9.5 Fixed Crowd versions: * for 2.8.x, Crowd 2.8.8 has been released with a fix for this issue. * for 2.9.x, Crowd 2.9.5 has been released with a fix for this issue. * for 2.10.x, Crowd 2.10.1 has been released with a fix for this issue. Summary: This advisory discloses a critical severity security vulnerability which was introduced in version 1.4.1 of Crowd. Versions of Crowd starting with 1.4.1 before 2.8.8 (the fixed version for 2.8.x) and from 2.9.0 before 2.9.5 (the fixed version for 2.9.x) are affected by this vulnerability. Atlassian Cloud customers are not affected by the issue described in this advisory. Customers who have downloaded and installed Crowd >= 1.4.1 less than 2.8.8 (the fixed version for 2.8.x) or Customers who have downloaded and installed Crowd >= 2.9.0 less than 2.9.5 (the fixed version for 2.9.x) please upgrade your Crowd installations immediately to fix this vulnerability. JIRA Core, JIRA Software, JIRA Service Desk, Confluence, Bitbucket Server, FishEye and Crucible installations which do not use SSL/TLS connection to configured LDAP server or allow users to manipulate specific attributes of an LDAP entry are affected by this issue. Atlassian rates the severity level of this vulnerability in these products as high. According to Security Bug fix Policy fixes are included in the last maintenance releases. Customers who have downloaded and installed JIRA >= 4.3.0 less than 7.2.1 (the fixed version for 7.2.x) or who have downloaded and installed Confluence >= 3.5.0 less than 5.10.6 (the fixed version for 5.10.x) or who have downloaded and installed Bitbucket Server >= 1.3.0 less than 4.10.0 (the fixed version for 4.10.x) or who have downloaded and installed FishEye and Crucible >= 4.0.0 less than 4.2.0 (the fixed version for 4.2.x) we recommend to upgrade your installations to fix this vulnerability. Crowd LDAP Java Object Injection (CVE-2016-6496) Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment. Description: The Crowd LDAP directory connector allowed an attacker to gain remote code execution in Crowd by injecting malicious attributes in LDAP entries. To exploit this issue, attackers either need to modify an entry in an LDAP directory that Crowd is configured to use or successfully execute a Man-in-The-Middle attack between an LDAP server and Crowd. Crowd installations configured to communicate with an LDAP server using the LDAPS protocol with the Secure SSL option enabled are immune to the Man-in-The-Middle attack vector only (unless an attacker is able to obtain the private key of the SSL/TLS certificate used to secure the communication). All versions of Crowd from 1.4.1 before 2.8.8 (the fixed version for 2.8.x) and from 2.9.0 before 2.9.5 (the fixed version for 2.9.x) are affected by this vulnerability. This issue can be tracked here: https://jira.atlassian.com/browse/CWD-4790 . Acknowledgements: We would like to credit Alvaro Munoz and Alexander Mirosh of HPE Security Fortify for reporting this issue to us. Fix: We have taken the following steps to address this issue: * Crowd version 2.10.1 has been released with a fix for this issue. * Crowd version 2.9.5 has been released with a fix for this issue. * Crowd version 2.8.8 has been released with a fix for this issue. * JIRA Core version 7.2.1 has been released with a fix for this issue. * Confluence version 5.10.6 has been released with a fix for this issue. * Bitbucket Server version 4.10.0 has been released with a fix for this issue. * FishEye and Crucible version 4.2.0 has been released with a fix for this issue. Remediation: Upgrade Crowd to version 2.10.1 or higher. If you are running Crowd 2.9.x and cannot upgrade to Crowd 2.10.1 then upgrade to version 2.9.5. If you are running Crowd 2.8.x and cannot upgrade to Crowd 2.9.5 then upgrade to version 2.8.8. For a full description of the latest version of Crowd, see the release notes found at https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html. You can download the latest version of Crowd from the download centre found at https://www.atlassian.com/software/crowd/download . Upgrade JIRA Core (this is also required if you are running JIRA Software or JIRA Service Desk) to version 7.2.1 or higher. For a full description of the latest version of JIRA, see the release notes found at https://confluence.atlassian.com/display/AdminJIRA/JIRA+7.2.x+platform+release+notes . You can download the latest version of JIRA from the download centre found at https://www.atlassian.com/software/jira/download . Upgrade Confluence to version 5.10.6 or higher. For a full description of the latest version of Confluence, see the release notes found at https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can download the latest version of Confluence from the download centre found at https://www.atlassian.com/software/confluence/download . Upgrade Bitbucket Server to version 4.10.0 or higher. For a full description of the latest version of Bitbucket Server, see the release notes found at https://confluence.atlassian.com/display/BitbucketServer/Releases . You can download the latest version of Bitbucket Server from the download centre found at https://www.atlassian.com/software/bitbucket/download . Upgrade FishEye and Crucible to version 4.2.0 or higher. For a full description of the latest version of FishEye and Crucible, see the release notes found at https://confluence.atlassian.com/fisheye/fisheye-releases-298976966.html . You can download the latest version of FishEye and Crucible from the download centre found at https://www.atlassian.com/software/fisheye/download . Support: If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/. - - -- David Black / Security Engineer. - -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYDWDNAAoJECQgl6K8Unag6OUP/R3+oXyZG9aBuvz1OxERT3z8 HqVcud728DaTnG/qm+72fQzptxr9O/jwWSW7XPqBopIyFoz0wall5FZvKzeryKob mpFejxvJqh9RDhX5lJDGJFAZPwwTTnVsOde6EjhrUCtRMmbB8y+GZzXCn5gdx4dF ObNMQNHQQom65jwDdtvMCgwDp3/r+3jkky+vKmJGo0GXJiWCmb/GqzWwx+AjpTZZ EHhyd2De3pbTa/x67kIvwMvtqScznNKsECUT+5sh8kieO33gll6la0CKr8g7GzhB 0Stpktbj4Ew/q62PmOxDg9Zg9mAx98Zz/3mnvUqWyTLD/1HsJ1oD5bKF2zjxSwo9 hX+iF+lhD1rHLXMf4kRwjwLDjYdz1o5SpOl1Cv9ihhQeIfRIpIZZww/zn8f3gbFI bVDLzyKe1uAx5IjadSAAogS3xP1XnX8s6x5iq0WG/vP3PUPQIFR6U5VpRTNraJn5 9Ip4LZC13DZSsBxR9aa9aZRAzhAzANilVz0UXttw8QdxuRBTA8xsPPfMExq+Pao6 08RKinZZTfZ9GrMjo/XUIMYxzgitNgXWYbVDj7Lx2dTLyQ47nEyJ6NBBzh8/pIBL PtLu+dlITx8wv4VYtKkb3/fPGcC1X2kkD44a8zNykE1it7RbhLQznrYctAoGwey6 SaB/TyPNJGEBWyIYi+Rb =6M/t - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWBgOKox+lLeg9Ub1AQjY7xAAqEvw2mvBEOsCAk7YKEk9K3p6w7EbiFe5 OxMvQfo4dfTaHRvfJyd2WOj17DGpk5osB0/xmFfJngpA5An0jaqur1h+1206SLcH IlIhrsowIFsZ1uGoJi/Ah8Xw0Xj5xKKYkKMrQNovoI+5FqTHqDQoGCXASjnuKaLu YUExRddOPW4kT+7piTB4UG5pTSzViUGqOA2/cSxcZHMP7ridV4fWVyP4mdbuvFvr S0SJc4gtAtUHKvvYZLX4bG4yaGxpeucODKyer3526Oy/EQALsP8BKrF9QyLZtOUN 2PPtFfJnE7OK+pcXWweWJr/Eyp/q55rADbiTBGsXRkbyhGt+sBInS2QtVZND98p4 5PPOmhC1MohLdH6fDVgj74RwUIA1yDnJxLqA+s4+WCAcQ4E1XLVx8WJH35cghyOS TDitSpB/mMWCGmtC3FUPasTcUGF+pgOpyGUFTE3j8SbTw/f43LieUUfzUWRRQ3wH hfRWyXLDExOJmhbBp0fzzHQewIzBY18vwna6A94URnz+uXargic6zJU9J+90gZBb OyppXy8Sk0nRnqUYOgp1KFKe5hwfIb8Mh6flYk5y8Rf4sklrHrkXgCpuxLti5V31 rrb6Kvz7z5+OvbdjNpcsHRtfVWtaApXNjcuG2LK0RRxFxGhwqpOK1/s5keu11wMf ZzLK8jo20aI= =XcsE -----END PGP SIGNATURE-----