CWD-3366 (Crowd Data Center): Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network

    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • Fix Version/s: 2.5.4, 2.7, 2.6.3
    • Affects Version/s: 2.3.8, 2.5.3, 2.6.2, 2.4.9
    • Component/s: SOAP

      Description

      This issue has been assigned CVE-2013-3925 by Mitre Corporation.
      Previously reported issue CVE-2012-2926 (August 2012, CVSS score 6.4) was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing.
      The new component was configured for URLs matching the pattern /crowd/services/ but does not intercept calls to the versioned paths such as /crowd/services/2/.
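
The fix described above (disabling external entity resolution during XML parsing) can be shown from the defender's side. The following is an added example in Python, not Crowd's or XFire's code: it parses a constructed SOAP request with the standard-library xml.sax reader, refuses any DOCTYPE before an entity can be declared (SOAP 1.1 messages must not carry a document type declaration, so nothing legitimate is lost), and as a second layer turns off external general entity loading. The two sample requests and the placeholder SYSTEM identifier are constructed for the demonstration; nothing is ever fetched.

```python
"""Hardened XML parsing for SOAP-style requests.

Added example (not Crowd or XFire code). Strategy: refuse any DOCTYPE, so no
entity, internal or external, can ever be declared, and additionally disable
external general entity loading in the expat-backed SAX reader.
"""
import io
import xml.sax
from xml.sax import handler


class DTDRejected(Exception):
    """The document carried a <!DOCTYPE ...>, which a SOAP request never needs."""


class RejectDTD:
    """Lexical handler whose only job is to abort on the first DOCTYPE seen."""

    def startDTD(self, name, public_id, system_id):
        raise DTDRejected(f"DOCTYPE {name!r} (system id {system_id!r}) rejected")

    # The remaining lexical callbacks are wired up by the SAX reader and must exist.
    def endDTD(self): pass
    def startEntity(self, name): pass
    def endEntity(self, name): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


class Collector(handler.ContentHandler):
    """Records element names and text so the parse result can be inspected."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self.text = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_untrusted(data: bytes) -> Collector:
    """Parse untrusted XML bytes; raises DTDRejected if a DOCTYPE is present."""
    parser = xml.sax.make_parser()
    # Layer 1: never fetch external general entities, even if one were declared.
    parser.setFeature(handler.feature_external_ges, False)
    # Layer 2: refuse the DOCTYPE itself, before any entity declaration is read.
    parser.setProperty(handler.property_lexical_handler, RejectDTD())
    collector = Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector


def accepts(data: bytes) -> bool:
    """True if the hardened parser accepts the document, False if it rejected a DTD."""
    try:
        parse_untrusted(data)
    except DTDRejected:
        return False
    return True


# Constructed sample requests (not captured traffic). The SYSTEM identifier in
# the second one is a placeholder that nothing ever resolves.
CLEAN_REQUEST = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><name>alice</name></soapenv:Body>
</soapenv:Envelope>"""

REQUEST_WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE soapenv:Envelope [ <!ENTITY ext SYSTEM "http://example.invalid/placeholder"> ]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><name>&ext;</name></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print("clean request accepted:", accepts(CLEAN_REQUEST))       # True
    print("request with DTD accepted:", accepts(REQUEST_WITH_DTD))  # False
```

Rejecting the DOCTYPE outright is preferable to only disabling external entities: it also shuts out internal entity expansion attacks and leaves no parser feature flag to be forgotten on the next upgrade, which is the class of regression this ticket records.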

      Scope

      A successful attack requires direct access to the Crowd REST interface. As a result, only standalone Crowd servers are affected.

      A common configuration where an internal Crowd server is used by an Internet-facing Confluence, JIRA or other products is not vulnerable to an attack from the Internet.

      Fix

      Please upgrade Crowd to 2.5.4 or 2.6.3. The issue has been resolved in these versions.

      Workaround

      For older versions of Crowd there is a patched version of xfire-servlet.xml attached to this ticket. It needs to replace the existing one inside a jar in your installation. See the patch instructions below for how to apply it.

      If you use Web Application Firewalls, Apache ACLs or similar technology, you can filter access to /crowd/services.

      Patching instructions moved up here from a comment, since comments are collapsed.

      Patch instructions

      As well as the Fix Versions, this can be patched in older versions if you are unable to upgrade. The fix requires replacing the xfire-servlet.xml file in the crowd-server jar.

      Patching

      The corrected version of the file can be used with Crowd 2.3.7, 2.4.1 or any 2.5 or 2.6 release. See xfire-servlet.xml attached to this issue.

      For example, for Crowd 2.4.2:

      zip -u atlassian-crowd-2.4.2/crowd-webapp/WEB-INF/lib/crowd-server-2.4.2.jar xfire-servlet.xml
      

      Or you can simply copy the attached xfire-servlet.xml to crowd-webapp/WEB-INF/classes, followed by a Crowd restart.

      Older versions

      With versions 2.1.2 or 2.2.9, extract xfire-servlet.xml from the crowd-server jar and manually edit it to remove all urlMap entries other than the first key="/*" entry:

           <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
               <property name="urlMap">
                   <map>
                       <entry key="/*" value-ref="securityServerService"/>
      -                <entry key="/1/*" value-ref="securityServerService"/>
      -                <entry key="/2/*" value-ref="securityServerService2"/>
      -                <entry key="/latest/*" value-ref="securityServerService2"/>
                   </map>
               </property>
           </bean>
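Review bot: the instruction says which entries to delete but not what happens to requests for /crowd/services/1/, /2/ and /latest/ afterwards (whether they fall through to the remaining `/*` mapping or stop being served), and once the `/2/*` and `/latest/*` lines go the `securityServerService2` bean is no longer referenced from this map at all. State the expected behaviour for clients of those paths and add a post-restart verification step, since the description notes that the earlier fix was bypassed precisely because /crowd/services/2/ was not intercepted.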
      

      We have documented a security notice regarding this matter: Crowd Security Notice 2013-07-01.
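
Both patch routes above (updating the jar with zip -u, or dropping the file into WEB-INF/classes) and the hand edit for 2.1.2/2.2.9 leave the administrator with the same question: which xfire-servlet.xml does the webapp actually load, and what does its urlMap contain? The following is an added example in Python, not Atlassian's or the ticket's own code, that answers it. It assumes, per the servlet specification, that a file in WEB-INF/classes takes precedence over the same file inside a jar in WEB-INF/lib, which is what the copy-to-classes variant of the workaround relies on. The webapp layout, the jar name crowd-server-2.2.9.jar and the descriptor contents are constructed for the demonstration, modelled on the urlMap block quoted above.

```python
"""Post-patch check for the xfire-servlet.xml workaround.

Added example, not Atlassian's code. It locates the xfire-servlet.xml that the
web application will actually load (WEB-INF/classes is searched before the
crowd-server jar in WEB-INF/lib) and lists the urlMap keys in it, so an admin
who edited the file by hand for 2.1.2 or 2.2.9 can confirm that only the "/*"
entry is left. The webapp layout and descriptors below are constructed.
"""
import glob
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

DESCRIPTOR = "xfire-servlet.xml"


def _local(tag):
    """Drop a namespace prefix like {http://www.springframework.org/schema/beans}."""
    return tag.rsplit("}", 1)[-1]


def urlmap_keys(xml_bytes):
    """Keys of every <entry> inside a <property name="urlMap"> block, in document order."""
    root = ET.fromstring(xml_bytes)
    keys = []
    for prop in root.iter():
        if _local(prop.tag) == "property" and prop.get("name") == "urlMap":
            keys.extend(e.get("key") for e in prop.iter() if _local(e.tag) == "entry")
    return keys


def load_descriptor(webapp_dir):
    """Return (location, bytes) of the descriptor that takes effect for this webapp."""
    in_classes = os.path.join(webapp_dir, "WEB-INF", "classes", DESCRIPTOR)
    if os.path.exists(in_classes):
        with open(in_classes, "rb") as f:
            return in_classes, f.read()
    pattern = os.path.join(webapp_dir, "WEB-INF", "lib", "crowd-server-*.jar")
    for jar in sorted(glob.glob(pattern)):
        with zipfile.ZipFile(jar) as z:
            if DESCRIPTOR in z.namelist():
                return f"{jar}!/{DESCRIPTOR}", z.read(DESCRIPTOR)
    raise FileNotFoundError(f"{DESCRIPTOR} not found under {webapp_dir}")


def versioned_mappings(webapp_dir):
    """urlMap keys other than '/*'; an empty list means the hand edit is complete."""
    _, data = load_descriptor(webapp_dir)
    return [k for k in urlmap_keys(data) if k != "/*"]


# Constructed descriptors modelled on the urlMap block quoted in this ticket.
_MAPPING = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="urlMap">
      <map>
{entries}
      </map>
    </property>
  </bean>
</beans>
"""
ORIGINAL = _MAPPING.format(entries="""        <entry key="/*" value-ref="securityServerService"/>
        <entry key="/1/*" value-ref="securityServerService"/>
        <entry key="/2/*" value-ref="securityServerService2"/>
        <entry key="/latest/*" value-ref="securityServerService2"/>""").encode()
EDITED = _MAPPING.format(entries="""        <entry key="/*" value-ref="securityServerService"/>""").encode()


def build_demo_webapp(root, version="2.2.9"):
    """Lay out WEB-INF/lib/crowd-server-<version>.jar carrying the original descriptor."""
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    os.makedirs(os.path.join(root, "WEB-INF", "classes"))
    with zipfile.ZipFile(os.path.join(lib, f"crowd-server-{version}.jar"), "w") as z:
        z.writestr(DESCRIPTOR, ORIGINAL)


def install_edited_descriptor(root):
    """The 'copy to WEB-INF/classes' variant of the workaround."""
    with open(os.path.join(root, "WEB-INF", "classes", DESCRIPTOR), "wb") as f:
        f.write(EDITED)


def run_demo():
    """Build a throwaway webapp and check it before and after the workaround."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_webapp(root)
        before = versioned_mappings(root)
        install_edited_descriptor(root)
        after = versioned_mappings(root)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("versioned mappings before workaround:", before)  # ['/1/*', '/2/*', '/latest/*']
    print("versioned mappings after workaround: ", after)   # []
```

To use it against a real installation, call versioned_mappings("atlassian-crowd-<version>/crowd-webapp") after the restart; a non-empty result for a hand-edited 2.1.2/2.2.9 install means the edit did not take effect, typically because the jar still contains the old file and no copy was placed in WEB-INF/classes.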


            Betsy Walker {Appfire} added a comment -

            Hi @vosipov,

            Why would we be seeing the error relating to this patch in our log file for standalone Crowd 2.11.1? Wasn't the update applied to all subsequent versions?

            Helen Hung (Inactive) added a comment -

            adolfo.guzman, we've issued patches for versions of Crowd that Atlassian currently support. I would recommend that you look into upgrading to a newer version that can be patched / includes the patch.

            Adolfo Guzman added a comment -

            How about Crowd 2.0.6? Is there a patch for that version?

            VitalyA added a comment -

            wcrighton, an attacker needs direct access to Crowd's REST interface, which is not possible in the scenario you are describing. "Customer A" is not at risk.

            William Crighton [CCC] added a comment -

            Vitaly,
            Question - in order to exploit this vulnerability in standalone Crowd instances, does the 'exploiter' require direct network access to the Crowd server?

            i.e. Atlassian customer A exposes a JIRA instance to the internet via ports 80 and 443 - they use Crowd for authentication but do not provide any external access to the Crowd instance.

            Is customer A at risk from 'exploiters' on the internet? Should they patch their Crowd server ASAP?

            Kinda a stupid question but just wanting to make sure.
            Thanks,
            -wc

            VitalyA added a comment -

            Note that only the standalone Crowd product is affected.

            Martin Cleaver added a comment -

            Thanks Vitaly.

            VitalyA added a comment -

            mrjcleaver, "all up to" is the correct interpretation. It's not possible to specify that in JIRA, unfortunately.

            Martin Cleaver added a comment -

            Mentioned on http://it.slashdot.org/story/13/07/01/0011217/backdoor-discovered-in-atlassian-crowd

            This ticket says it affects versions 2.3.8, 2.4.9, 2.5.3, 2.6.2, but I need to be clear: does this affect 2.6.0?

            Does this mean:

            • all 2.3.x versions up to 2.3.8
            • all 2.4.x versions up to 2.4.9
            • all 2.5.x versions up to 2.5.3
            • all 2.6.x versions up to 2.6.2?

            Or ONLY the stated versions? Or are only the stated versions known, and anything not stated as yet unknown?

            I do note that 2.5.4, 2.6.3 & 2.7 are said to be fixed, but that does not answer my question about 2.6.0.

            Thanks,
            Martin.

            VitalyA added a comment -

            The reporter of this issue appears to have published an advisory (on a weekend) without notifying Atlassian.

              Assignee: Unassigned
              Reporter: Thomas Richards
              Affected customers: 0
              Watchers: 29