  1. Crowd
  2. CWD-3366

Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 2.3.8, 2.5.3, 2.6.2, 2.4.9
    • Fix Version/s: 2.5.4, 2.7, 2.6.3
    • Component/s: SOAP

      Description


      This issue has been assigned CVE-2013-3925 by Mitre Corporation.
      The previously reported issue CVE-2012-2926 (August 2012, CVSS score 6.4) was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing.
      The new component was configured to handle URLs matching the pattern /crowd/services/ but does not intercept calls to /crowd/services/2/ (etc).

      Scope

      A successful attack requires direct access to the Crowd REST interface. As a result, only standalone Crowd servers are affected.

      A common configuration where an internal Crowd server is used by an Internet-facing Confluence, JIRA or other products is not vulnerable to an attack from the Internet.

      Fix

      Please upgrade Crowd to 2.5.4 or 2.6.3. The issue has been resolved in these versions.

      Workaround

      For older versions of Crowd, a patched version of xfire-servlet.xml is attached to this ticket. It needs to replace the existing one inside a jar in your installation. See the patch instructions below for how to apply it.

      If you use Web Application Firewalls, Apache ACLs or similar technology, you can filter access to /crowd/services.

      Patching Instructions moved up here from comment as comment is collapsed.

      Patch instructions

      In addition to the fix versions, older versions can be patched if you are unable to upgrade. The fix requires replacing the xfire-servlet.xml file in the crowd-server jar.

      Patching

      The corrected version of the file can be used with Crowd 2.3.7, 2.4.1 or any 2.5 or 2.6 release. See xfire-servlet.xml attached to this issue.

      For example, for Crowd 2.4.2:

      zip -u atlassian-crowd-2.4.2/crowd-webapp/WEB-INF/lib/crowd-server-2.4.2.jar xfire-servlet.xml
      

      Or you can simply copy the attached xfire-servlet.xml to crowd-webapp/WEB-INF/classes, followed by a Crowd restart.

      Older versions

      With versions 2.1.2 or 2.2.9, unzip the file and manually edit it to remove all urlMap entries other than the first key="/*" entry:

           <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
               <property name="urlMap">
                   <map>
                       <entry key="/*" value-ref="securityServerService"/>
      -                <entry key="/1/*" value-ref="securityServerService"/>
      -                <entry key="/2/*" value-ref="securityServerService2"/>
      -                <entry key="/latest/*" value-ref="securityServerService2"/>
                   </map>
               </property>
           </bean>
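
      Review bot: the three removed entries are the only ones in this map that reference securityServerService2 (the "/2/*" and "/latest/*" keys), so after the edit nothing shown here routes those paths to that bean; the instructions should say what clients calling /crowd/services/2/ or /crowd/services/latest/ should expect and how to check them. The step also stops at "manually edit it": it should state that the edited file has to be put back into the jar (or copied to crowd-webapp/WEB-INF/classes) and that Crowd must be restarted, as the Patching section above does.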
      

      We have documented a security notice regarding this matter: Crowd Security Notice 2013-07-01.
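
To confirm that the manual edit for older versions took effect, the check below lists the urlMap entries still present in xfire-servlet.xml. It is an added example, not Atlassian's code or part of the original ticket; the function names and the `<beans>` wrapper around the constructed sample are assumptions, and the jar member path follows the zip -u command above.

```python
import sys
import zipfile
import xml.etree.ElementTree as ET

MAPPING_CLASS = "org.springframework.web.servlet.handler.SimpleUrlHandlerMapping"
ALLOWED_KEYS = {"/*"}  # the only urlMap entry the instructions keep

def local(tag):  # drop an XML namespace prefix, in case the beans file declares one
    return tag.rsplit("}", 1)[-1]

def url_map_keys(xml_bytes):
    """Return the urlMap entry keys of every SimpleUrlHandlerMapping bean."""
    keys = []
    for bean in ET.fromstring(xml_bytes).iter():
        if local(bean.tag) != "bean" or bean.get("class") != MAPPING_CLASS:
            continue
        for prop in bean:
            if local(prop.tag) == "property" and prop.get("name") == "urlMap":
                keys += [e.get("key") for e in prop.iter() if local(e.tag) == "entry"]
    return keys

def extra_keys(xml_bytes):
    """Entries the manual edit should have removed."""
    return [k for k in url_map_keys(xml_bytes) if k not in ALLOWED_KEYS]

def load(path, member="xfire-servlet.xml"):
    """Read the file from a jar root (where zip -u puts it) or from a plain path."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as jar:
            return jar.read(member)
    with open(path, "rb") as fh:
        return fh.read()

# Constructed sample: the unedited mapping shown on this page, wrapped in <beans>.
UNEDITED = b"""<beans>
 <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
  <property name="urlMap"><map>
   <entry key="/*" value-ref="securityServerService"/>
   <entry key="/1/*" value-ref="securityServerService"/>
   <entry key="/2/*" value-ref="securityServerService2"/>
   <entry key="/latest/*" value-ref="securityServerService2"/>
  </map></property>
 </bean>
</beans>"""

if __name__ == "__main__":
    left = extra_keys(load(sys.argv[1]) if len(sys.argv) > 1 else UNEDITED)
    print("urlMap entries still to remove:", left or "none")
    sys.exit(1 if left else 0)
```

Run it against the crowd-server jar or against a copy of the file in crowd-webapp/WEB-INF/classes; a non-zero exit status means entries other than /* remain.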
