-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1903
             Debug-mode vulnerability fixed in Atlassian Crowd
                                28 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Crowd
                   Atlassian Crowd Data Center
Publisher:         Atlassian
Operating System:  Virtualisation
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11580

Original Bulletin:
   https://confluence.atlassian.com/x/3ADVOQ

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/3ADVOQ .

CVE ID:

* CVE-2019-11580.

Product: Crowd and Crowd Data Center.

Affected Crowd and Crowd Data Center product versions:

2.1.0 <= version < 3.0.5
3.1.0 <= version < 3.1.6
3.2.0 <= version < 3.2.8
3.3.0 <= version < 3.3.5
3.4.0 <= version < 3.4.4

Fixed Crowd and Crowd Data Center product versions:

* Crowd and Crowd Data Center 3.0.5 have been released with a fix for this
  issue.
* for 3.1.x, Crowd and Crowd Data Center 3.1.6 have been released with a fix
  for this issue.
* for 3.2.x, Crowd and Crowd Data Center 3.2.8 have been released with a fix
  for this issue.
* for 3.3.x, Crowd and Crowd Data Center 3.3.5 have been released with a fix
  for this issue.
* for 3.4.x, Crowd and Crowd Data Center 3.4.4 have been released with a fix
  for this issue.

Summary:

This advisory discloses a critical severity security vulnerability.
Versions of Crowd and Crowd Data Center starting with version 2.1.0 before
3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the
fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version
for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x),
from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by
this vulnerability.

Customers who have upgraded Crowd and Crowd Data Center to version 3.0.5 or
3.1.6 or 3.2.8 or 3.3.5 or 3.4.4 are not affected.

Customers who have downloaded and installed Crowd and/or Crowd Data Center
>= 2.1.0 but less than 3.0.5, or who have downloaded and installed Crowd and
Crowd Data Center >= 3.1.0 but less than 3.1.6 (the fixed version for 3.1.x),
or who have downloaded and installed Crowd and Crowd Data Center >= 3.2.0 but
less than 3.2.8 (the fixed version for 3.2.x), or who have downloaded and
installed Crowd and Crowd Data Center >= 3.3.0 but less than 3.3.5 (the fixed
version for 3.3.x), or who have downloaded and installed Crowd and Crowd Data
Center >= 3.4.0 but less than 3.4.4 (the fixed version for 3.4.x): please
upgrade your Crowd and Crowd Data Center installations immediately to fix
this vulnerability.

pdkinstall development plugin incorrectly enabled - CVE-2019-11580

Severity:

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own
IT environment.

Description:

Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly
enabled in release builds.
Attackers who can send unauthenticated or authenticated requests to a Crowd
or Crowd Data Center instance can exploit this vulnerability to install
arbitrary plugins, which permits remote code execution on systems running a
vulnerable version of Crowd or Crowd Data Center.

Versions of Crowd and Crowd Data Center starting with version 2.1.0 before
3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the
fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version
for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x),
from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by
this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/CWD-5388 .

Fix:

To address this issue, we've released the following versions containing a
fix:

* Crowd and Crowd Data Center version 3.0.5
* Crowd and Crowd Data Center version 3.1.6
* Crowd and Crowd Data Center version 3.2.8
* Crowd and Crowd Data Center version 3.3.5
* Crowd and Crowd Data Center version 3.4.4

Remediation:

Atlassian recommends that customers running a version of Crowd below version
3.3.0 upgrade to version 3.2.8, to avoid
https://jira.atlassian.com/browse/CWD-5352; for customers running a version
greater than or equal to 3.3.0, Atlassian recommends upgrading to the latest
version.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Crowd and Crowd Data Center 3.1.x and cannot upgrade to
3.4.4, upgrade to version 3.1.6.

If you are running Crowd and Crowd Data Center 3.2.x and cannot upgrade to
3.4.4, upgrade to version 3.2.8.

If you are running Crowd and Crowd Data Center 3.3.x and cannot upgrade to
3.4.4, upgrade to version 3.3.5.

For a full description of the latest version of Crowd and Crowd Data Center,
see the release notes found at
https://confluence.atlassian.com/display/CROWD/Crowd+Release+Notes.
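The affected ranges, per-branch fix releases and the remediation rule above
(below 3.3.0 go to 3.2.8 because of CWD-5352, otherwise go to the latest
fixed release) are awkward to apply by hand across a fleet. The script below
encodes them as a triage check; it is an added example written for this
bulletin, not code from Atlassian or AusCERT. It assumes the version string
is the one each Crowd install reports (e.g. "3.2.7"), and the inventory at
the bottom is constructed sample data, not real hosts.

```python
"""Triage Crowd / Crowd Data Center versions against CVE-2019-11580.

Affected ranges and fix releases are those listed in the advisory; the
inventory at the bottom is constructed sample data.
"""
import re

# (lower bound inclusive, upper bound exclusive, minimum fixed release on
# that branch), taken directly from the advisory's "Affected ... versions".
AFFECTED_RANGES = [
    ((2, 1, 0), (3, 0, 5), (3, 0, 5)),
    ((3, 1, 0), (3, 1, 6), (3, 1, 6)),
    ((3, 2, 0), (3, 2, 8), (3, 2, 8)),
    ((3, 3, 0), (3, 3, 5), (3, 3, 5)),
    ((3, 4, 0), (3, 4, 4), (3, 4, 4)),
]

# Latest fixed release named in the advisory.
LATEST_FIXED = (3, 4, 4)
# Remediation rule: installs below 3.3.0 are steered to 3.2.8 (CWD-5352).
PRE_330_TARGET = (3, 2, 8)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '3.2.7' (or '3.2.7-something') into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fmt(v):
    return ".".join(str(n) for n in v)


def assess(version_text):
    """Return whether a version is affected, the smallest fix on its branch,
    and the upgrade target the advisory's remediation section recommends."""
    v = parse_version(version_text)
    for lower, upper, branch_fix in AFFECTED_RANGES:
        if lower <= v < upper:
            recommended = PRE_330_TARGET if v < (3, 3, 0) else LATEST_FIXED
            return {
                "version": fmt(v),
                "affected": True,
                "minimum_fix": fmt(branch_fix),
                "recommended_upgrade": fmt(recommended),
            }
    # Anything outside the listed ranges (fixed releases, releases newer than
    # 3.4.4, or releases older than 2.1.0) is not listed as affected by the
    # advisory; the script reports only what the advisory states.
    return {"version": fmt(v), "affected": False,
            "minimum_fix": None, "recommended_upgrade": None}


def triage(inventory):
    """inventory: iterable of (hostname, version string).
    Returns sorted (host, version, minimum_fix, recommended_upgrade) for affected hosts."""
    hits = []
    for host, version in inventory:
        r = assess(version)
        if r["affected"]:
            hits.append((host, r["version"], r["minimum_fix"], r["recommended_upgrade"]))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    SAMPLE = [
        ("crowd-prod-1", "3.2.7"),
        ("crowd-prod-2", "3.4.3"),
        ("crowd-dev", "3.4.4"),
        ("crowd-legacy", "3.0.3"),
        ("crowd-stage", "3.0.5"),
    ]
    for host, ver, min_fix, rec in triage(SAMPLE):
        print(f"{host:<14} {ver:<7} AFFECTED  minimum fix {min_fix}, recommended upgrade {rec}")
```

Note that the minimum fix and the recommended upgrade differ for the older
branches: a 3.0.3 install is fixed by 3.0.5, but the advisory's remediation
section steers it to 3.2.8; a 3.3.4 install is fixed by 3.3.5 but is steered
to the latest release.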
You can download the latest version of Crowd and Crowd Data Center from the
download centre found at https://www.atlassian.com/software/crowd/download.

Support:

If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

- -----BEGIN PGP SIGNATURE-----

iQJLBAEBCgA1FiEEXh3qw5vbMx/VSutRJCCXorxSdqAFAlzrEM0XHHNlY3VyaXR5
QGF0bGFzc2lhbi5jb20ACgkQJCCXorxSdqCtOQ//Vt54hP/5pUrsEuwSG9KWh334
7ZJvUk14Hp1ZvbD/vsBq7v9j781u3iDGvCg2ADEMqqY9bUqikcRDncbeMKXrDnjS
9pdoGpCUcnfDfbADVGQtL9GTfSsH446JPUDZtLl4sMX0ruZ+wVzfMsWP14yM58II
6AWpG1mFP8YL56Nk/tCb8r08vOl1bPtJj4jj+u9q+nIOMRj1an3UDVprJZb0wUjp
oNkxbR4Z8bFKxIK12zKmyXDK2Lu9fzB5R9wBAVsHftE8LTYXyP0i0xW3HtFK1TmS
cbHYGuaJJuiNl2QEkTZLwJxE7LWwelrDKZlvUey+EVK4auIOK2uXjzJqqEw57Q3d
Ti8jhSQvpHXaFhGHU5bX4G1fQHiGAijnsmqeGzre+cTkckKidokPQ2f0+ULRVods
Y1RgdCae3SYyATqMn4m0/h78HZy0pSV+lIFbAxxXVnelo360R1cSv/5Y2gnzxL8H
VolsmNkhcLdYJmwtDXL9NQCD3fwi8ZWxbZzhSa8Q86H6ZoBmauCYXCu6EwBDbIDN
F94RSXXlsvMlIlQtu602SgEfKdaCWwPLATtgKRZdRD3btMq3RFtKbZOKkTM+OoFT
n1LIoKzeHzQkpbf7qoJHk7yLWuvXcUDGYIlY2iV7+tGMMvxtmgK8j/eQVYb88xzc
0etO5CUDmAFgBbwLOZg=
=k3M1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXOxgOGaOgq3Tt24GAQj9dA//QvB2ALNt4eGxJm2apGRcldvnKNjKWD5b
2KJx48YnvsHlJUPUpaVXpiN5Ks4XZ3gIJMztCGTysDEFcL/t06fh+Nq/qdRAxMwL
d9hPUo+sRQt00K0Q91lDAALOnD/90At9CTpqCQaq84dVTLA/nsfVR6ZmYlWlmPnL
+00j4r0OzfHSZcIjHiiN2ckLXYBf/K0SIZ5xPmrz9cwj4T3o+6TPaFKrJEztS1ag
Uec+ZxnNAHhH88BAD3lHFgm7DLvkm++Po7NBTUaYKp7YFNHDPlsIf6nPhAQrd1ey
fXGtz8JnGFX5PrT+vwFrwsSndRztmPM8hHh8wVWBKksxgB7IyxHnCYlxQjFFQsT1
GlzyuxxShMkMYrpBIQo2xRwyVZgOfSJKZodHiouFGWfdRhyI8Jg3RozYGdR/7alk
dFhwWYBtjlhQVr+Xb/KLax+xBq7EZHj3Zmq5DWSAJHtDB4dWR8YXTt3bQGgWmAbz
lBhdiLgaUknVL5eDP8oivT5DkFc07bWtw/C7yrLUgOcd7pbJcmQlPILWqshT7swN
JzGVk5RfrdSFEgLaIocgV6at5RZ6mIrvJPTH4obTLICyapoYKUIibWO3vKefZCbe
MYkmTAGrXUlpoP8gb1cL41bFPIOj87yJFdxZx6dU//ZIYTfOTx1rGTbvbWAsTyIQ
rfEGb3AA/XQ=
=SjEQ
-----END PGP SIGNATURE-----