Crowd Security Advisory 2016-10-19
Crowd - LDAP Java Object Injection resulting in remote code execution - CVE-2016-6496
CVE-2016-6496 - Crowd LDAP Java Object Injection
|Advisory Release Date||
10 AM PDT (Pacific Time, -7 hours)
|Affected Crowd Versions||
|Fixed Crowd versions||
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability which was introduced in version 1.4.1 of Crowd. Versions of Crowd starting with 1.4.1 before 2.8.8 (the fixed version for 2.8.x) and from 2.9.0 before 2.9.5 (the fixed version for 2.9.x) are affected by this vulnerability.
Crowd LDAP Java Object Injection (CVE-2016-6496)
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
The Crowd LDAP directory connector allowed an attacker to gain remote code execution in Crowd by injecting malicious attributes in LDAP entries. To exploit this issue, attackers either need to modify an entry in an LDAP directory that Crowd is configured to use or successfully execute a Man-in-The-Middle attack between an LDAP server and Crowd. Crowd installations configured to communicate with an LDAP server using the LDAPS protocol with the Secure SSL option enabled are immune to the Man-in-The-Middle attack vector only (unless an attacker is able to obtain the private key of the SSL/TLS certificate used to secure the communication).
All versions of Crowd from 1.4.1 before 2.8.8 (the fixed version for 2.8.x) and from 2.9.0 before 2.9.5 (the fixed version for 2.9.x) are affected by this vulnerability. This issue can be tracked here: CWD-4790 - CVE-2016-6496: LDAP Java Object Injection in Crowd Closed
We would like to credit Alvaro Munoz and Alexander Mirosh of HPE Security Fortify for reporting this issue to us.
We have taken the following steps to address this issue:
- Crowd version 2.10.1 has been released with a fix for this issue.
- Crowd version 2.9.5 has been released with a fix for this issue.
- Crowd version 2.8.8 has been released with a fix for this issue.
- JIRA Core version 7.2.1 has been released with a fix for this issue
- Confluence version 5.10.6 has been released with a fix for this issue
- Bitbucket Server version 4.10.0 has been released with a fix for this issue
- FishEye and Crucible version 4.2.0 has been released with a fix for this issue
What You Need to Do
The vulnerabilities and fix versions are described in the description section above. Atlassian recommends that you upgrade to the latest version.
Upgrade Crowd to version 2.10.1 or higher.
If you are running Crowd 2.9.x and cannot upgrade to Crowd 2.10.1 then upgrade to version 2.9.5.
If you are running Crowd 2.8.x and cannot upgrade to Crowd 2.9.5 then upgrade to version 2.8.8.
Upgrade JIRA Core (this is also required if you are running JIRA Software or JIRA Service Desk) to version 7.2.1 or higher.
Upgrade Confluence to version 5.10.6 or higher.
Upgrade Bitbucket Server to version 4.10.0 or higher.
Upgrade FishEye and Crucible to version 4.2.0 or higher.
The issue can be mitigated by restricting modifications of LDAP entries by LDAP users and configuring SSL/TLS connection between an LDAP Server and Crowd.
If you are running Crowd 2.8.x and cannot upgrade to 2.8.8 or 2.9.5 then you can follow these steps to mitigate the issue:
- Configure the SSL/TLS connection between an LDAP server and Crowd. See Configuring Crowd to Work with SSL for information on setting up secure transport.
- Restrict modification of LDAP entries by LDAP users. The following restrictions should be implemented:
- The users should not be able to add additional object classes to their LDAP entries ("javaContainer", "javaObject", "javaNamingReference", "javaSerializedObject", "javaMarshalledObject")
- The users should not be able to manipulate attributes related to storing Java objects in an LDAP directory ("javaSerializedData", "javaClassName", "javaFactory", "javaCodeBase", "javaReferenceAddress", "javaClassNames", "javaRemoteLocation")
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
|Security Bug fix Policy||
As per our new policy critical security bug fixes will be back ported to major software versions for up to 12 months for JIRA and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.
Binary patches will no longer be released.
|Severity Levels for security issues||Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.|
|End of Life Policy||Our end of life policy varies for different products. Please refer to our EOL Policy for details.|
Was this helpful?
Thanks for your feedback!