-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Crowd LDAP Java Object Injection
1 November 2016
AusCERT Security Bulletin Summary
Product: Atlassian Crowd
Operating System: Linux variants
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
CVE Names: CVE-2016-6496
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Note: the current version of this advisory can be found at
* CVE-2016-6496 - Crowd LDAP Java Object Injection
Affected Crowd Versions:
1.4.1 <= version < 2.8.8
2.9.0 <= version < 2.9.5
Fixed Crowd versions:
* for 2.8.x, Crowd 2.8.8 has been released with a fix for this issue.
* for 2.9.x, Crowd 2.9.5 has been released with a fix for this issue.
* for 2.10.x, Crowd 2.10.1 has been released with a fix for this issue.
This advisory discloses a critical severity security vulnerability
which was introduced in version 1.4.1 of Crowd. Versions of Crowd
starting with 1.4.1 before 2.8.8 (the fixed version for 2.8.x) and
from 2.9.0 before 2.9.5 (the fixed version for 2.9.x) are affected by
Atlassian Cloud customers are not affected by the issue described in
Customers who have downloaded and installed Crowd >= 1.4.1 less than
2.8.8 (the fixed version for 2.8.x) or Customers who have downloaded
and installed Crowd >= 2.9.0 less than 2.9.5 (the fixed version for
2.9.x) please upgrade your Crowd installations immediately to fix this
JIRA Core, JIRA Software, JIRA Service Desk, Confluence, Bitbucket
Server, FishEye and Crucible installations which do not use SSL/TLS
connection to configured LDAP server or allow users to manipulate
specific attributes of an LDAP entry are affected by this issue.
Atlassian rates the severity level of this vulnerability in these
products as high. According to Security Bug fix Policy fixes are
included in the last maintenance releases.
Customers who have downloaded and installed JIRA >= 4.3.0 less than
7.2.1 (the fixed version for 7.2.x) or who have downloaded and
installed Confluence >= 3.5.0 less than 5.10.6 (the fixed version for
5.10.x) or who have downloaded and installed Bitbucket Server >= 1.3.0
less than 4.10.0 (the fixed version for 4.10.x) or who have downloaded
and installed FishEye and Crucible >= 4.0.0 less than 4.2.0 (the fixed
version for 4.2.x) we recommend to upgrade your installations to fix
Crowd LDAP Java Object Injection (CVE-2016-6496)
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
low. This is an independent assessment and you should evaluate its
applicability to your own IT environment.
The Crowd LDAP directory connector allowed an attacker to gain remote
code execution in Crowd by injecting malicious attributes in LDAP
entries. To exploit this issue, attackers either need to modify an
entry in an LDAP directory that Crowd is configured to use or
successfully execute a Man-in-The-Middle attack between an LDAP server
and Crowd. Crowd installations configured to communicate with an LDAP
server using the LDAPS protocol with the Secure SSL option enabled are
immune to the Man-in-The-Middle attack vector only (unless an attacker
is able to obtain the private key of the SSL/TLS certificate used to
secure the communication).
All versions of Crowd from 1.4.1 before 2.8.8 (the fixed version for
2.8.x) and from 2.9.0 before 2.9.5 (the fixed version for 2.9.x) are
affected by this vulnerability. This issue can be tracked here:
We would like to credit Alvaro Munoz and Alexander Mirosh of HPE
Security Fortify for reporting this issue to us.
We have taken the following steps to address this issue:
* Crowd version 2.10.1 has been released with a fix for this issue.
* Crowd version 2.9.5 has been released with a fix for this issue.
* Crowd version 2.8.8 has been released with a fix for this issue.
* JIRA Core version 7.2.1 has been released with a fix for this issue.
* Confluence version 5.10.6 has been released with a fix for this issue.
* Bitbucket Server version 4.10.0 has been released with a fix for this issue.
* FishEye and Crucible version 4.2.0 has been released with a fix for
Upgrade Crowd to version 2.10.1 or higher.
If you are running Crowd 2.9.x and cannot upgrade to Crowd 2.10.1 then
upgrade to version 2.9.5.
If you are running Crowd 2.8.x and cannot upgrade to Crowd 2.9.5 then
upgrade to version 2.8.8.
For a full description of the latest version of Crowd, see the release
notes found at https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html.
You can download the latest version of Crowd from the download centre
found at https://www.atlassian.com/software/crowd/download .
Upgrade JIRA Core (this is also required if you are running JIRA
Software or JIRA Service Desk) to version 7.2.1 or higher.
For a full description of the latest version of JIRA, see the release
notes found at https://confluence.atlassian.com/display/AdminJIRA/JIRA+7.2.x+platform+release+notes
. You can download the latest version of JIRA from the download centre
found at https://www.atlassian.com/software/jira/download .
Upgrade Confluence to version 5.10.6 or higher.
For a full description of the latest version of Confluence, see the
release notes found at
You can download the latest version of Confluence from the download
centre found at https://www.atlassian.com/software/confluence/download
Upgrade Bitbucket Server to version 4.10.0 or higher.
For a full description of the latest version of Bitbucket Server, see
the release notes found at
You can download the latest version of Bitbucket Server from the
download centre found at
Upgrade FishEye and Crucible to version 4.2.0 or higher.
For a full description of the latest version of FishEye and Crucible,
see the release notes found at
. You can download the latest version of FishEye and Crucible from the
download centre found at
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.
- - --
David Black / Security Engineer.
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----