Crucible Security Advisory 2015-01-21
Note: As of September 2014, we no longer issue binary bug patches. Instead we create new maintenance releases for the major versions we backport to. Please see our Security Bug fix Policy for more details.
Date of Advisory: 21st January 2015
Product: Atlassian Crucible
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability that exists in all versions of Crucible up to and including 3.6.1.
- Customers who have downloaded and installed Crucible should upgrade their existing Crucible installations to fix this vulnerability.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered internally by Atlassian.
OGNL Double Evaluation Vulnerability
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to be able to access the Crucible web interface.
All versions of Crucible up to and including 3.6.1 are affected by this vulnerability. This issue can be tracked here: CRUC-7055 - Getting issue details... STATUS
Risk Mitigation
If you are unable to upgrade your Crucible server you can do the following as a temporary workaround:
- Block access to your Crucible server web interface from untrusted networks, such as the Internet.
Block at a reverse proxy or a firewall all requests matching the following regular expression pattern in URI parameters.
.*(?:%|%25|\$|%24)(?:[{(]|%7B|%28).*(?:[(#]|%28|%23).*(?:[})]|%7D|%29).*
Fix
Releases 3.5.5, 3.6.2 (and any subsequent newer releases) are available to fix the vulnerability for versions 3.5 and 3.6 respectively. You can download these releases from:
Upgrade (recommended)
The vulnerabilities and fix versions are described in the sections above.
Atlassian recommend that you upgrade to the latest version. For a full description of the latest version of Crucible, see its release notes.
It is advised that you upgrade to the latest version of Crucible, as there are no longer binary patches made available.
Support
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
References
Security Bug fix Policy | As per our new policy, critical security bug fixes will be back ported to major software versions for up to 12 months for FishEye and Crucible. We will release new maintenance releases for the versions covered by the new policy instead of binary patches. Binary patches will no longer be released. |
Severity Levels for security issues | Atlassian security advisories include a severity level. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. |