This advisory discloses a critical security vulnerability that exists in all versions of Crowd up to and including 2.4.0. Customers should upgrade their existing Crowd installations to fix this vulnerability. We also provide a patch that you will be able to apply to existing installations of Crowd to fix this vulnerability. However, we recommend that you upgrade your complete Crowd installation rather than applying the patch.
Our thanks to Will Caput and Trevor Hartman who reported the vulnerability in this advisory. Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
In this advisory:
Critical XML Parsing Vulnerability
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have identified and fixed a vulnerability in Crowd that results from the way third-party XML parsers are used in Crowd.
This vulnerability allows an attacker to:
- execute denial of service attacks against the Crowd server, or
- read all local files readable to the system user under which Crowd runs.
All versions of Crowd up to and including 2.4.0 are affected by this vulnerability. This issue can be tracked here: CWD-2797 - Getting issue details... STATUS
Risk Mitigation
We recommend that you upgrade your Crowd installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade or apply patches immediately, you should do all of the following until you can upgrade or patch. Please note, these measures will only limit the impact of the vulnerability, they will not mitigate it completely.
- Ensure that Crowd URLs cannot be reached from untrusted sources, e.g. configure appropriate firewall or proxy settings.
- Ensure that the operating system user under which Crowd process runs is restricted.
Fix
Upgrade (recommended)
Upgrade to Crowd 2.4.1 or later which fixes this vulnerability. For a full description of this release, see the Crowd 2.4.1 Release Notes. The following releases have also been made available to fix these issues in older Crowd versions. You can download these versions of Crowd from the download centre.
- 2.3.7 for Crowd 2.3
- 2.2.9 for Crowd 2.2
- 2.1.2 for Crowd 2.1
- 2.0.9 for Crowd 2.0
Patches (not recommended)
We recommend patching only when you can neither upgrade nor apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy), as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.
If for some reason you cannot upgrade to the latest version of Crowd, you must apply the patch provided for the relevant version of Crowd below to fix the vulnerability described in this advisory.
Download the patch file for your version of Crowd. Note, the patches are only available for the point release indicated. If you are using an earlier point release for a major version, you must upgrade to the latest point release first.
Version Patch Crowd 2.4.0 patch-CWD-2797-2.4.0.zip Crowd 2.3.6 patch-CWD-2797-2.3.6.zip - Unzip the patch file to the
atlassian-crowd-x.x.x(wherex.x.xis the Crowd version) directory, overwriting the existing files.