Crucible Security Advisory 2010-05-04

The 2.2.3 release of Crucible contains some security related fixes, which are part of the shared FishEye architecture. The following information for FishEye applies equally to Crucible.

The Crucible Download Centre has the updates for Crucible.

In this advisory:

  • Admin Escalation Vulnerability
  • XSS Vulnerabilities in FishEye
  • Prevention of Brute Force Attacks
  • Download Patches for Earlier FishEye / Crucible Versions

Admin Escalation Vulnerability

Severity

Atlassian rates this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed an admin escalation vulnerability, which affects FishEye instances. This vulnerability has security implications and is especially important for anyone running publicly accessible instances of FishEye.

Vulnerability

This vulnerability allows a motivated attacker to perform admin actions.

All versions of FishEye from version 1.6.0-beta2 (including 1.6.0) through to 2.2.1 are affected by these admin escalation vulnerabilities.

Affected FishEye Versions: All versions up to and including 2.2.1
Fix Availability: 2.2.3 update, also available as patches for certain versions, listed on this page.
More Details: This vulnerability allows a motivated attacker to perform admin actions.
Severity: Critical

Risk Mitigation

We strongly recommend either upgrading or patching your FishEye installation to fix this vulnerability. Please see the 'Fix' section below.

Note: If you are an Atlassian JIRA Studio customer, we have assessed that your system is secure and implemented additional protections for it.

Fix

These issues have been fixed in FishEye 2.2.3 (see the changelog), which you can download from the download centre. Later versions will include protection from this vulnerability.

This fix is also provided as a patch for FishEye 2.1.4, 2.0.6 and 1.6.6, which you can download from this page. Customers on earlier point versions of FishEye will have to upgrade to version 2.1.4, 2.0.6 or 1.6.6 before applying the patch. We recommend you upgrade to FishEye 2.2.3.

XSS Vulnerabilities in FishEye

Severity

Atlassian rates these vulnerabilities as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed several cross-site scripting (XSS) vulnerabilities in FishEye, which may affect FishEye instances. These vulnerabilities have security implications and are especially important for anyone running publicly accessible instances of FishEye.

  • The attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to the attacker's own web server.
  • The attacker's text and script might be displayed to other people viewing a FishEye page. This is potentially damaging to your company's reputation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Vulnerability

All versions of FishEye are affected by these XSS vulnerabilities.

Affected FishEye Versions: All versions up to and including 2.2.1
Fix Availability: 2.2.3 only
More Details: An attacker could take advantage of this vulnerability to steal other users' session cookies or other credentials, or the attacker's text and script might be displayed to other people viewing a FishEye page.
Severity: Critical

Risk Mitigation

We strongly recommend upgrading your FishEye installation to fix these vulnerabilities. Please see the 'Fix' section below.

Fix

These issues have been fixed in FishEye 2.2.3 (see the changelog), which you can download from the download centre.

Prevention of Brute Force Attacks

Severity

Atlassian rates this vulnerability as moderate, according to the scale published in Severity Levels for Security Issues.

Risk Assessment

We have improved the security of the following areas in FishEye:

  • Prevention of brute force attacks by requiring users to solve a CAPTCHA test after a maximum number of repeated login attempts.

Vulnerability

We have identified and fixed a problem where FishEye allows an unlimited number of repeated login attempts, potentially opening FishEye to a brute force attack. Details of this improvement are summarised below.

Affected FishEye Versions: All versions up to and including 2.2.1
Fix Availability: 2.2.3 only
More Details: FishEye allows an unlimited number of login attempts. This makes FishEye vulnerable to a brute force attack.
Severity: Moderate

Risk Mitigation

We recommend that you upgrade your FishEye installation to fix these vulnerabilities. Please see the 'Fix' section below.

You can also prevent brute force attacks by following our guidelines on using Fail2Ban to limit login attempts.

Fix

This issue has been fixed in FishEye 2.2.3 (see the changelog). Later versions will include protection from this vulnerability. You can download FishEye 2.2.3 from the download centre.

Changed Behaviour in FishEye

In order to fix these issues, we have changed FishEye's behaviour as follows:

  • After three consecutive failed login attempts, FishEye will display a CAPTCHA form asking the user to enter a given word when attempting to log in again. This will prevent brute force attacks via the login screen. The number of failed attempts needed to trigger the CAPTCHA testing is configurable. For more information, see the documentation for Brute force login protection.

In addition, after three consecutive failed login attempts via the FishEye remote API, an error message will be returned. Human intervention will then be required to reset that login account, i.e. solve the CAPTCHA test via the login screen.
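The behaviour described above (a per-account counter of consecutive failed logins, a CAPTCHA gate once the configurable threshold is reached, and a remote API that returns an error until a human clears the gate through the login screen) can be modelled in a few dozen lines. The following is an added illustration, not FishEye's own code: the credential store, the `LoginGuard` class, the result strings and the word list that stands in for the CAPTCHA image are all constructed for this example, and the assumption that a correctly solved CAPTCHA is the "human intervention" that resets the account's counter is this example's reading of the text.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed word list standing in for the CAPTCHA image challenge.
CAPTCHA_WORDS = ("harbour", "lantern", "granite", "meadow")


@dataclass
class AccountState:
    consecutive_failures: int = 0
    captcha_word: Optional[str] = None  # set while a CAPTCHA must be solved


class LoginGuard:
    """Counts consecutive failed logins per account and gates the account
    behind a CAPTCHA once the configurable threshold is reached (hypothetical model)."""

    def __init__(self, credentials: Dict[str, str], threshold: int = 3):
        # Constructed credential store; a real system stores password hashes, not passwords.
        self._credentials = credentials
        self.threshold = threshold  # the page's default is three consecutive failures
        self._accounts: Dict[str, AccountState] = {}

    def _account(self, user: str) -> AccountState:
        # Unknown usernames get a counter too, so probing does not reveal which accounts exist.
        return self._accounts.setdefault(user, AccountState())

    def pending_captcha(self, user: str) -> Optional[str]:
        """The CAPTCHA word the login screen would currently show for this account, or None."""
        return self._account(user).captcha_word

    def _password_ok(self, user: str, password: str) -> bool:
        stored = self._credentials.get(user, "")
        # Constant-time comparison; evaluated even for unknown users to keep timing uniform.
        same = hmac.compare_digest(stored.encode(), password.encode())
        return same and user in self._credentials

    def _record_failure(self, st: AccountState) -> None:
        st.consecutive_failures += 1
        if st.consecutive_failures >= self.threshold and st.captcha_word is None:
            st.captcha_word = secrets.choice(CAPTCHA_WORDS)

    def login_via_web(self, user: str, password: str, captcha_answer: Optional[str] = None) -> str:
        st = self._account(user)
        if st.captcha_word is not None:
            # Gated account: only a correctly solved CAPTCHA (assumed to be the
            # "human intervention" in the text) clears the gate and resets the counter.
            if captcha_answer is None or not hmac.compare_digest(
                captcha_answer.encode(), st.captcha_word.encode()
            ):
                return "captcha_required"
            st.captcha_word = None
            st.consecutive_failures = 0
        if self._password_ok(user, password):
            st.consecutive_failures = 0  # a successful login ends the streak
            return "ok"
        self._record_failure(st)
        return "captcha_required" if st.captcha_word is not None else "bad_credentials"

    def login_via_api(self, user: str, password: str) -> str:
        st = self._account(user)
        if st.captcha_word is not None:
            # The remote API cannot present a CAPTCHA, so it refuses even a correct
            # password until the account is reset through the login screen.
            return "error_captcha_pending"
        if self._password_ok(user, password):
            st.consecutive_failures = 0
            return "ok"
        self._record_failure(st)
        return "error_captcha_pending" if st.captcha_word is not None else "bad_credentials"
```

Two properties of this model are worth checking in any real deployment: failures through the API and through the web form share one counter, so the API cannot be used to bypass the gate, and a successful login resets the streak, so an occasional typo by a legitimate user never triggers the CAPTCHA. A CAPTCHA gate slows automated guessing but does not cap the total number of attempts, which is why the advisory also points to Fail2Ban-style limiting at the network layer.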

Download Patches for Earlier FishEye / Crucible Versions

These patch releases contain security fixes, which apply to the shared FishEye architecture that is the basis of both FishEye and Crucible.

These patches fix the Admin Escalation vulnerability only. Please note that these patches are for specific older point versions of FishEye (2.1.4, 2.0.6 or 1.6.6). If you are running an earlier version than these, you will need to upgrade to a version specifically addressed by one of these patches. To update a more recent version of the product (2.1.5 through 2.2.1), please upgrade to FishEye 2.2.3 or later. Atlassian strongly recommends that you upgrade to FishEye 2.2.3 or later.

MD5 checksums are provided to allow verification of the downloaded files.

Patch for FishEye / Crucible 2.1.4

File: fisheye-crucible-2.1.4-patch1.zip
FishEye / Crucible Version: 2.1.4
Release Date: 4th May, 2010
MD5 Checksum: 6062fa2e1ad93729527357fb97b0d2ea

Patch for FishEye / Crucible 2.0.6

File: fisheye-crucible-2.0.6-patch1.zip
FishEye / Crucible Version: 2.0.6
Release Date: 4th May, 2010
MD5 Checksum: 6aae75e2a5308121887bf9532473cf75

Patch for FishEye 1.6.6

File: fisheye-1.6.6-patch1.zip
FishEye Version: 1.6.6
Release Date: 4th May, 2010
MD5 Checksum: 210ef3358aff83861733f8f22d331d7e

Patch for Crucible 1.6.6

File: crucible-1.6.6-patch1.zip
Crucible Version: 1.6.6
Release Date: 4th May, 2010
MD5 Checksum: 48e8e8ada0ddb3fc8671459051df1120
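To check the downloaded patch archives against the MD5 checksums listed above, the following added script (not part of the advisory or of Atlassian's tooling) hashes each file in a directory and compares the result with the published value. The `EXPECTED_MD5` table is copied from this page; the file layout (all archives in one directory) and the `verify_all` function are assumptions of this example.

```python
import hashlib
import hmac
from pathlib import Path
from typing import Dict, Union

# Expected MD5 checksums as published on this page for each patch archive.
EXPECTED_MD5: Dict[str, str] = {
    "fisheye-crucible-2.1.4-patch1.zip": "6062fa2e1ad93729527357fb97b0d2ea",
    "fisheye-crucible-2.0.6-patch1.zip": "6aae75e2a5308121887bf9532473cf75",
    "fisheye-1.6.6-patch1.zip": "210ef3358aff83861733f8f22d331d7e",
    "crucible-1.6.6-patch1.zip": "48e8e8ada0ddb3fc8671459051df1120",
}


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Union[str, Path]) -> str:
    """MD5 of a file, read in 1 MiB chunks so large archives do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(actual_hex: str, expected_hex: str) -> bool:
    # Normalise case and surrounding whitespace so a value pasted from the page compares
    # correctly; compare_digest avoids leaking where the two strings first differ.
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def verify_all(directory: Union[str, Path]) -> Dict[str, str]:
    """Return a status ("ok", "MISMATCH" or "missing") for every archive in EXPECTED_MD5."""
    results: Dict[str, str] = {}
    for name, expected in EXPECTED_MD5.items():
        candidate = Path(directory) / name
        if not candidate.is_file():
            results[name] = "missing"
        elif checksum_matches(md5_of_file(candidate), expected):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


if __name__ == "__main__":
    import sys

    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    statuses = verify_all(folder)
    for name, status in statuses.items():
        print(f"{status:9s} {name}")
    # Non-zero exit if any archive that is present fails to match.
    sys.exit(1 if "MISMATCH" in statuses.values() else 0)
```

Run it as `python verify_patches.py /path/to/downloads`. A matching MD5 confirms the archive was not corrupted or truncated in transit; because MD5 is not collision resistant and the checksum is served from the same page as the download, it is not a substitute for fetching the files over HTTPS from the download centre.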

Note: To acquire all of the fixes on this page, upgrade to FishEye 2.2.3, which you can download from the download centre.

Last modified on May 4, 2010
