Summary of vulnerability

This advisory discloses a critical-severity security misconfiguration vulnerability, which was introduced in Crowd 3.0.0. All versions released after 3.0.0 are affected but only if both of the following conditions are met:

• the vulnerability concerns only new installations of affected versions: if you upgraded from an earlier version, for example version 2.9.1, to version 3.0.0 or later, your instance is not affected.

  • A new installation is defined by an instance of Crowd that is the same version that you originally downloaded from the downloads page and has not been upgraded since

• an IP address has been added to the Remote Address configuration of the crowd application (which is none by default in versions after 3.0.0)

The vulnerability allows an attacker connecting from IP in the allow list to authenticate as the crowd application through bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd's REST API under the usermanagement path. As explained above, it can only be exploited by IPs specified under the crowd application’s allowlist in the Remote Addresses configuration. To remediate the vulnerability, Atlassian recommends that you upgrade your instance to one of the fixed versions listed in the ‘Fixed Versions' section below.

This issue can be tracked here:

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Affected versions

All versions of Crowd released after 3.0.0 are affected, which means all new installations running any of the following versions:

• Crowd 3.0.0 - Crowd 3.7.2

• Crowd 4.0.0 - Crowd 4.4.3

• Crowd 5.0.0 - Crowd 5.0.2

As mentioned earlier, only new installations are vulnerable. For example, if you upgraded from version 2.9.1 to 3.0.0, your instance is not affected. But in this case, any default remote addresses that were in version 2.9.1 will be carried over to the instance running version 3.0.0. These can be removed from the Remote Address configuration for the crowd application as well.

Other Atlassian Data Center and Server products that rely on Embedded Crowd for user management are not affected.

Fixed versions

The following table lists releases that include the fix for this vulnerability:

Action required from you

Atlassian recommends that you upgrade your instance to one of the versions listed in the ‘Fixed versions’ section above. For a full description of the latest versions of Crowd, see the release notes. You can download the latest version of Crowd from the download center. For Frequently Asked Questions (FAQ) click here.

Checking if your instance was compromised

You can use the following resources to check if your instance was compromised:

Access logs

Crowd doesn’t offer access logs by default. This information will only be valuable if you configured access logs before a potential exploitation. If you configured the access logs, it should be possible to narrow down the calls to the usermanagement path that do not come from any of other products connected to Crowd. For more info on access logs, see Access logging for Crowd.

Audit log (Data Center only)

Additionally, you can search the Crowd’s audit log for actions done bycrowd. For more info on the audit log, see Browsing the audit log.

Mitigation

To remediate this vulnerability, upgrade each affected product installation to a fixed version listed in the ‘Fixed versions’ section above. If you can’t upgrade Crowd right now, you can use the following temporary fixes.

Removing remote addresses

You can temporarily mitigate the issue by removing or validating any remote addresses for the crowd application in the Crowd product.

To remove the remote addresses:

1. Log in to the Crowd Administration Console.

2. In the top navigation bar, click Applications.

3. In the Application Browser, select the crowd application.

4. In the View Application screen, click the Remote Addresses tab.

5. Remove any remote addresses.

Information about remote addresses that you might see:

• New installations of Crowd 3.0.0 or later shouldn’t have any remote addresses by default.

• Versions earlier than 3.0.0, or instances upgraded from such versions, may have many remote addresses populated by default. These remote addresses can be removed as a good practice since they will not be used after version 3.0.0, but it will not impact the vulnerability mitigation.

Changing the password

Additionally, you can change password for the crowd application to a stronger one, which is especially important if you can’t remove the remote addresses.

To change the password:

1. Log in to the Crowd Administration Console.

2. In the top navigation bar, click Applications.

3. In the Application Browser, select the crowd application.

4. In the Details tab, select Change password.

Acknowledgments

This vulnerability was found during an internal security review by Ashish Kotha.

Support

If you didn’t receive an email regarding this advisory, and you wish to receive such emails in the future, subscribe to Alert emails at https://my.atlassian.com/email.

If you have questions or concerns, please raise a support request at https://support.atlassian.com/.

References

For more information on our bug fix policy or security issues, see the following pages: