FishEye Security Advisory 2015-01-21

Note: As of September 2014, we no longer issue binary bug patches. Instead we create new maintenance releases for the major versions we backport to. Please see our Security Bug fix Policy for more details.

Date of Advisory: 21st January 2015

Product: Atlassian FishEye

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability that exists in all versions of FishEye up to and including 3.6.1.

  • Customers who have downloaded and installed FishEye should upgrade their existing FishEye installations to fix this vulnerability.

Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered internally by Atlassian.

OGNL Double Evaluation Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to be able to access the FishEye web interface.

All versions of FishEye up to and including 3.6.1 are affected by this vulnerability. This issue can be tracked here: FE-5459 - OGNL Double Evaluation Vulnerability (status: Closed)

Risk Mitigation

If you are unable to upgrade your FishEye server you can do the following as a temporary workaround:

  • Block access to your FishEye server web interface from untrusted networks, such as the Internet.
  • Block at a reverse proxy or a firewall all requests matching the following regular expression pattern in URI parameters.

    .*(?:%|%25|\$|%24)(?:[{(]|%7B|%28).*(?:[(#]|%28|%23).*(?:[})]|%7D|%29).*
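As an added illustration of the workaround above (example code, not Atlassian's), the following Python applies the advisory's regular expression to a request the way a reverse proxy or a log-review script could: each query parameter is checked separately, name and value, against the raw (still percent-encoded) string, since the pattern already spells out the %7B / %28 / %23 forms. The per-parameter split, the helper names and the sample request targets are assumptions, not part of the advisory.

```python
import re
from urllib.parse import urlsplit

# The pattern from the advisory's Risk Mitigation section, copied verbatim.
# It enumerates both the literal characters and their percent-encoded forms,
# so it is meant to run over the raw, still-encoded query string.
ADVISORY_PATTERN = re.compile(
    r".*(?:%|%25|\$|%24)(?:[{(]|%7B|%28).*(?:[(#]|%28|%23).*(?:[})]|%7D|%29).*"
)


def parameter_matches(raw_text: str) -> bool:
    """Return True if one raw (undecoded) parameter name or value matches."""
    return ADVISORY_PATTERN.fullmatch(raw_text) is not None


def should_block(request_target: str) -> bool:
    """Decide whether a reverse proxy should reject this request target.

    Assumption: every query parameter is inspected on its own, the name
    and the value each checked against the advisory pattern.
    """
    query = urlsplit(request_target).query
    for part in query.split("&"):
        name, _, value = part.partition("=")
        if parameter_matches(name) or parameter_matches(value):
            return True
    return False


def classify(request_targets):
    """Map each request target to its block decision (for proxy log review)."""
    return {target: should_block(target) for target in request_targets}


# Constructed sample request targets; not taken from any real FishEye log.
SAMPLE_TARGETS = [
    "/browse/proj?path=src%2Fmain&page=2",  # ordinary browsing, allowed
    "/search?q=%7Bfoo%7D",                   # braces alone: no '(' or '#', allowed
    "/search?q=%24%7B%23x%7D",               # encoded ${#x}, blocked
    "/search?q=${(x)}",                      # literal ${(x)}, blocked
    "/search?q=%25%7B%23x%7D",               # encoded %{#x}, blocked
    "/search?%24%7B%23x%7D=1",               # pattern in the parameter name, blocked
]

if __name__ == "__main__":
    for target, blocked in classify(SAMPLE_TARGETS).items():
        print(f"{'BLOCK' if blocked else 'allow':5}  {target}")
```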

Fix

Releases 3.5.5, 3.6.2 (and any subsequent newer releases) are available to fix the vulnerability for versions 3.5 and 3.6 respectively. You can download these releases from:

Upgrade (recommended)

The vulnerability and fix versions are described in the sections above.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of FishEye, see its release notes.

It is advised that you upgrade to the latest version of FishEye, as there are no longer binary patches made available.

Support

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

References

Security Bug fix Policy

As per our new policy, critical security bug fixes will be backported to major software versions for up to 12 months for FishEye. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released.

Severity Levels for security issues

Atlassian security advisories include a severity level. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric.
