-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1903
             Debug-mode vulnerability fixed in Atlassian Crowd
                                28 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Crowd
                   Atlassian Crowd Data Center
Publisher:         Atlassian
Operating System:  Virtualisation
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11580

Original Bulletin:
   https://confluence.atlassian.com/x/3ADVOQ

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/3ADVOQ .


CVE ID:

* CVE-2019-11580.


Product: Crowd and Crowd Data Center.

Affected Crowd and Crowd Data Center product versions:

2.1.0 <= version < 3.0.5
3.1.0 <= version < 3.1.6
3.2.0 <= version < 3.2.8
3.3.0 <= version < 3.3.5
3.4.0 <= version < 3.4.4


Fixed Crowd and Crowd Data Center product versions:

* For 3.0.x, Crowd and Crowd Data Center 3.0.5 have been released with a fix for
this issue.
* For 3.1.x, Crowd and Crowd Data Center 3.1.6 have been released with a fix for
this issue.
* For 3.2.x, Crowd and Crowd Data Center 3.2.8 have been released with a fix for
this issue.
* For 3.3.x, Crowd and Crowd Data Center 3.3.5 have been released with a fix for
this issue.
* For 3.4.x, Crowd and Crowd Data Center 3.4.4 have been released with a fix for
this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5 (the fixed
version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for
3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from
version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), from version 3.4.0
before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.



Customers who have upgraded Crowd and Crowd Data Center to version 3.0.5 or
3.1.6 or 3.2.8 or 3.3.5 or 3.4.4 are not affected.

Customers who have downloaded and installed Crowd and/or Crowd Data Center in
any of the following version ranges should upgrade their Crowd and Crowd Data
Center installations immediately to fix this vulnerability:

* >= 2.1.0 but less than 3.0.5 (the fixed version for 3.0.x)
* >= 3.1.0 but less than 3.1.6 (the fixed version for 3.1.x)
* >= 3.2.0 but less than 3.2.8 (the fixed version for 3.2.x)
* >= 3.3.0 but less than 3.3.5 (the fixed version for 3.3.x)
* >= 3.4.0 but less than 3.4.4 (the fixed version for 3.4.x)



pdkinstall development plugin incorrectly enabled - CVE-2019-11580

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly
enabled in release builds. Attackers who can send unauthenticated or
authenticated requests to a Crowd or Crowd Data Center instance can exploit this
vulnerability to install arbitrary plugins, which permits remote code execution
on systems running a vulnerable version of Crowd or Crowd Data Center.
Versions of Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5
(the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed
version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for
3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), from
version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this
vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/CWD-5388 .



Fix:

To address this issue, we've released the following versions containing a fix:

* Crowd and Crowd Data Center version 3.0.5
* Crowd and Crowd Data Center version 3.1.6
* Crowd and Crowd Data Center version 3.2.8
* Crowd and Crowd Data Center version 3.3.5
* Crowd and Crowd Data Center version 3.4.4

Remediation:

Atlassian recommends that customers running a version of Crowd below version
3.3.0 upgrade to version 3.2.8 to avoid
https://jira.atlassian.com/browse/CWD-5352. For customers running version 3.3.0
or above, Atlassian recommends upgrading to the latest version.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Crowd and Crowd Data Center 3.1.x and cannot upgrade to
3.4.4, upgrade to version 3.1.6.
If you are running Crowd and Crowd Data Center 3.2.x and cannot upgrade to
3.4.4, upgrade to version 3.2.8.
If you are running Crowd and Crowd Data Center 3.3.x and cannot upgrade to
3.4.4, upgrade to version 3.3.5.
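As an added example (not Atlassian's or AusCERT's code), the following Python
script encodes the affected version ranges and the remediation targets given in
this advisory so that an inventory of Crowd hosts can be checked in one pass,
with unparseable version strings (snapshot builds, typos) surfaced for review
rather than silently ranked. The function names and the hosts in
SAMPLE_INVENTORY are invented; using 3.4.4 as "the latest version" for 3.3.0
and above is an assumption based on the fixed versions this advisory lists.

```python
"""
Affected-version check for CVE-2019-11580 (Atlassian Crowd / Crowd Data Center).

Added example, not Atlassian's or AusCERT's code. The version ranges and fix
versions are transcribed from the advisory; SAMPLE_INVENTORY is constructed.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
# The exclusive upper bound is the fixed release for that branch.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((2, 1, 0), (3, 0, 5)),
    ((3, 1, 0), (3, 1, 6)),
    ((3, 2, 0), (3, 2, 8)),
    ((3, 3, 0), (3, 3, 5)),
    ((3, 4, 0), (3, 4, 4)),
]

# The advisory tells >= 3.3.0 installs to upgrade to "the latest version";
# 3.4.4 is the latest fixed version it lists (assumption, not advisory text).
LATEST_FIXED = "3.4.4"


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch' into a comparable tuple.

    Missing components are padded with 0 ('3.2' -> (3, 2, 0)). Anything that is
    not purely dotted integers (e.g. '3.4.4-SNAPSHOT') raises ValueError so a
    qualifier string is never mis-ranked against the numeric ranges.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def format_version(version: Version) -> str:
    return ".".join(str(n) for n in version)


def affected_range(version: Version) -> Optional[Tuple[Version, Version]]:
    """Advisory range containing `version`, or None if fixed / unaffected."""
    for low, high in AFFECTED_RANGES:
        if low <= version < high:
            return (low, high)
    return None


def is_affected(text: str) -> bool:
    """True when the Crowd version string falls in an affected range."""
    return affected_range(parse_version(text)) is not None


def branch_fix_version(text: str) -> Optional[str]:
    """Smallest fixed release on the running branch (the 'Fixed ... versions'
    list), e.g. 3.1.2 -> '3.1.6'. None when the version is not affected."""
    rng = affected_range(parse_version(text))
    return format_version(rng[1]) if rng else None


def remediation_target(text: str) -> Optional[str]:
    """Upgrade target per the Remediation section: below 3.3.0 -> 3.2.8
    (to avoid CWD-5352); 3.3.0 and above -> latest. None when not affected."""
    version = parse_version(text)
    if affected_range(version) is None:
        return None
    return "3.2.8" if version < (3, 3, 0) else LATEST_FIXED


def scan_inventory(lines: List[str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Classify 'host,version' lines as affected / fixed / unknown.

    Unparseable versions are reported as 'unknown' instead of being dropped.
    """
    results = []
    for line in lines:
        host, _, raw = line.partition(",")
        try:
            parse_version(raw)
        except ValueError:
            results.append((host, raw, "unknown", None))
            continue
        if is_affected(raw):
            results.append((host, raw, "affected", remediation_target(raw)))
        else:
            results.append((host, raw, "fixed", None))
    return results


# Constructed sample inventory; not real hosts.
SAMPLE_INVENTORY = [
    "crowd-prod-01,3.2.7",
    "crowd-prod-02,3.4.4",
    "crowd-dev-01,2.8.3",
    "crowd-lab-01,3.4.4-SNAPSHOT",
]

if __name__ == "__main__":
    for host, raw, status, target in scan_inventory(SAMPLE_INVENTORY):
        action = f"upgrade to {target}" if target else "no action"
        print(f"{host:14} {raw:16} {status:9} {action}")
```

Run it against a real export of host,version pairs in place of SAMPLE_INVENTORY;
the "unknown" rows are the ones to confirm by hand, since a build qualifier or
a typo could hide an affected install.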


For a full description of the latest version of Crowd and Crowd Data Center,
see the release notes found at
https://confluence.atlassian.com/display/CROWD/Crowd+Release+Notes. You can
download the latest version of Crowd and Crowd Data Center from the download
centre found at https://www.atlassian.com/software/crowd/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.


- -----BEGIN PGP SIGNATURE-----

iQJLBAEBCgA1FiEEXh3qw5vbMx/VSutRJCCXorxSdqAFAlzrEM0XHHNlY3VyaXR5
QGF0bGFzc2lhbi5jb20ACgkQJCCXorxSdqCtOQ//Vt54hP/5pUrsEuwSG9KWh334
7ZJvUk14Hp1ZvbD/vsBq7v9j781u3iDGvCg2ADEMqqY9bUqikcRDncbeMKXrDnjS
9pdoGpCUcnfDfbADVGQtL9GTfSsH446JPUDZtLl4sMX0ruZ+wVzfMsWP14yM58II
6AWpG1mFP8YL56Nk/tCb8r08vOl1bPtJj4jj+u9q+nIOMRj1an3UDVprJZb0wUjp
oNkxbR4Z8bFKxIK12zKmyXDK2Lu9fzB5R9wBAVsHftE8LTYXyP0i0xW3HtFK1TmS
cbHYGuaJJuiNl2QEkTZLwJxE7LWwelrDKZlvUey+EVK4auIOK2uXjzJqqEw57Q3d
Ti8jhSQvpHXaFhGHU5bX4G1fQHiGAijnsmqeGzre+cTkckKidokPQ2f0+ULRVods
Y1RgdCae3SYyATqMn4m0/h78HZy0pSV+lIFbAxxXVnelo360R1cSv/5Y2gnzxL8H
VolsmNkhcLdYJmwtDXL9NQCD3fwi8ZWxbZzhSa8Q86H6ZoBmauCYXCu6EwBDbIDN
F94RSXXlsvMlIlQtu602SgEfKdaCWwPLATtgKRZdRD3btMq3RFtKbZOKkTM+OoFT
n1LIoKzeHzQkpbf7qoJHk7yLWuvXcUDGYIlY2iV7+tGMMvxtmgK8j/eQVYb88xzc
0etO5CUDmAFgBbwLOZg=
=k3M1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXOxgOGaOgq3Tt24GAQj9dA//QvB2ALNt4eGxJm2apGRcldvnKNjKWD5b
2KJx48YnvsHlJUPUpaVXpiN5Ks4XZ3gIJMztCGTysDEFcL/t06fh+Nq/qdRAxMwL
d9hPUo+sRQt00K0Q91lDAALOnD/90At9CTpqCQaq84dVTLA/nsfVR6ZmYlWlmPnL
+00j4r0OzfHSZcIjHiiN2ckLXYBf/K0SIZ5xPmrz9cwj4T3o+6TPaFKrJEztS1ag
Uec+ZxnNAHhH88BAD3lHFgm7DLvkm++Po7NBTUaYKp7YFNHDPlsIf6nPhAQrd1ey
fXGtz8JnGFX5PrT+vwFrwsSndRztmPM8hHh8wVWBKksxgB7IyxHnCYlxQjFFQsT1
GlzyuxxShMkMYrpBIQo2xRwyVZgOfSJKZodHiouFGWfdRhyI8Jg3RozYGdR/7alk
dFhwWYBtjlhQVr+Xb/KLax+xBq7EZHj3Zmq5DWSAJHtDB4dWR8YXTt3bQGgWmAbz
lBhdiLgaUknVL5eDP8oivT5DkFc07bWtw/C7yrLUgOcd7pbJcmQlPILWqshT7swN
JzGVk5RfrdSFEgLaIocgV6at5RZ6mIrvJPTH4obTLICyapoYKUIibWO3vKefZCbe
MYkmTAGrXUlpoP8gb1cL41bFPIOj87yJFdxZx6dU//ZIYTfOTx1rGTbvbWAsTyIQ
rfEGb3AA/XQ=
=SjEQ
-----END PGP SIGNATURE-----