Crowd: CWD-3366

Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.8, 2.4.9, 2.5.3, 2.6.2
    • Fix Version/s: 2.5.4, 2.6.3, 2.7
    • Component/s: SOAP

      Description

      This issue has been assigned CVE-2013-3925 by Mitre Corporation.
      Previously reported issue CVE-2012-2926 (August 2012, CVSS score 6.4) was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing.
      The new component has been configured to work for URLs with pattern /crowd/services/ but does not intercept calls to /crowd/services/2/ (etc).

      Scope

      A successful attack requires direct access to the Crowd REST interface. As a result, only standalone Crowd servers are affected.

      A common configuration where an internal Crowd server is used by an Internet-facing Confluence, JIRA or other products is not vulnerable to an attack from the Internet.

      Fix

      Please upgrade Crowd to 2.5.4 or 2.6.3. The issue has been resolved in these versions.

      Workaround

      For older versions of Crowd there is a patched version of xfire-servlet.xml attached to this ticket. It needs to replace the existing one inside a jar in your installation. See the knowledge base page at https://confluence.atlassian.com/pages/viewpage.action?pageId=376836952 for instructions on how to apply the patch.

      If you use Web Application Firewalls, Apache ACLs or similar technology, you can filter access to /crowd/services.

      Patching Instructions moved up here from comment as comment is collapsed.

      Patch instructions

      As well as the Fix Versions, this can be patched in older versions if you are unable to upgrade. The fix requires replacing the xfire-servlet.xml file in the crowd-server jar.

      Patching

      The corrected version of the file can be used with Crowd 2.3.7, 2.4.1 or any 2.5 or 2.6 release. See xfire-servlet.xml attached to this issue.

      For example, for Crowd 2.4.2:

      zip -u atlassian-crowd-2.4.2/crowd-webapp/WEB-INF/lib/crowd-server-2.4.2.jar xfire-servlet.xml
      

      Or you can simply copy the attached xfire-servlet.xml to crowd-webapp/WEB-INF/classes, followed by a Crowd restart.

      Older versions

      With versions 2.1.2 or 2.2.9, unzip the file and manually edit it to remove all urlMap entries other than the first key="/*" entry:

           <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
               <property name="urlMap">
                   <map>
                       <entry key="/*" value-ref="securityServerService"/>
      -                <entry key="/1/*" value-ref="securityServerService"/>
      -                <entry key="/2/*" value-ref="securityServerService2"/>
      -                <entry key="/latest/*" value-ref="securityServerService2"/>
                   </map>
               </property>
           </bean>
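
The edit described above for the older versions, as an added example that is not Atlassian's code: a Python script that removes every urlMap entry other than key="/*" from a SimpleUrlHandlerMapping bean and reports whether a given xfire-servlet.xml still carries the version-specific entries. The sample file content is constructed from the snippet in this ticket; the enclosing <beans> root element is an assumption.

```python
"""Apply and verify the CWD-3366 workaround for older Crowd versions.

Added example, not Atlassian's code: edits the SimpleUrlHandlerMapping
urlMap in xfire-servlet.xml so that only the key="/*" entry remains,
and reports whether a given file still needs that edit.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the snippet in the ticket. The <beans> root
# element is an assumption; the real file lives inside crowd-server-<version>.jar.
SAMPLE_XFIRE_SERVLET_XML = """\
<beans>
    <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
        <property name="urlMap">
            <map>
                <entry key="/*" value-ref="securityServerService"/>
                <entry key="/1/*" value-ref="securityServerService"/>
                <entry key="/2/*" value-ref="securityServerService2"/>
                <entry key="/latest/*" value-ref="securityServerService2"/>
            </map>
        </property>
    </bean>
</beans>
"""

HANDLER_MAPPING_CLASS = "org.springframework.web.servlet.handler.SimpleUrlHandlerMapping"
CATCH_ALL_KEY = "/*"


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so a namespaced Spring
    beans file is handled the same way as the bare snippet in the ticket."""
    return tag.rsplit("}", 1)[-1]


def _url_maps(root):
    """Yield every <map> under a urlMap property of a SimpleUrlHandlerMapping bean."""
    for bean in root.iter():
        if _local(bean.tag) != "bean" or bean.get("class") != HANDLER_MAPPING_CLASS:
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == "urlMap":
                for url_map in prop:
                    if _local(url_map.tag) == "map":
                        yield url_map


def _entries(url_map):
    """The <entry> children of a <map>, in document order."""
    return [e for e in url_map if _local(e.tag) == "entry"]


def url_map_keys(xml_text):
    """Return the urlMap keys in document order, e.g. ['/*', '/1/*', ...]."""
    root = ET.fromstring(xml_text)
    return [e.get("key") for m in _url_maps(root) for e in _entries(m)]


def needs_workaround(xml_text):
    """True when version-specific entries (/1/*, /2/*, /latest/*, ...) sit
    beside the catch-all, i.e. the file still needs the manual edit."""
    return any(k != CATCH_ALL_KEY for k in url_map_keys(xml_text))


def apply_workaround(xml_text):
    """Return (patched_xml, removed_keys) with every urlMap entry other than
    key="/*" removed, as the ticket describes for Crowd 2.1.2 / 2.2.9.

    Refuses to edit a map that has no catch-all entry: dropping the other
    entries there would leave the SOAP endpoints unmapped rather than protected.
    """
    root = ET.fromstring(xml_text)
    removed = []
    for url_map in _url_maps(root):
        entries = _entries(url_map)
        if not any(e.get("key") == CATCH_ALL_KEY for e in entries):
            raise ValueError('urlMap has no key="/*" entry; refusing to edit')
        for entry in entries:
            if entry.get("key") != CATCH_ALL_KEY:
                url_map.remove(entry)
                removed.append(entry.get("key"))
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("needs workaround:", needs_workaround(SAMPLE_XFIRE_SERVLET_XML))
    patched, gone = apply_workaround(SAMPLE_XFIRE_SERVLET_XML)
    print("removed entries:", gone)
    print("remaining keys :", url_map_keys(patched))
```

Run the same functions over the xfire-servlet.xml unzipped from crowd-server-<version>.jar; needs_workaround doubles as a post-edit check before the file is zipped back in.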
      

      We have documented a security notice regarding this matter at Crowd Security Notice 2013-07-01 (https://confluence.atlassian.com/display/CROWD/Crowd+Security+Notice+2013-07-01).

      Attachments: xfire-servlet.xml (3 kB, Joseph Walton [Atlassian])

          Activity

          Thomas Richards created issue -
          Joseph Walton [Atlassian] made changes -
          Field Original Value New Value
          Labels security
          Joseph Walton [Atlassian] made changes -
          Link This issue derived from CWD-3341 [ CWD-3341 ]
          Joseph Walton [Atlassian] added a comment - - edited

          Patch instructions

          As well as the Fix Versions, this can be patched in older versions if you are unable to upgrade. The fix requires replacing the xfire-servlet.xml file in the crowd-server jar.

          Patching

          The corrected version of the file can be used with Crowd 2.3.7, 2.4.1 or any 2.5 or 2.6 release. See xfire-servlet.xml attached to this issue.

          For example, for Crowd 2.4.2:

          zip -u atlassian-crowd-2.4.2/crowd-webapp/WEB-INF/lib/crowd-server-2.4.2.jar xfire-servlet.xml
          

          Older versions

          With versions 2.1.2 or 2.2.9, unzip the file and manually edit it to remove all urlMap entries other than the first key="/*" entry:

               <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
                   <property name="urlMap">
                       <map>
                           <entry key="/*" value-ref="securityServerService"/>
          -                <entry key="/1/*" value-ref="securityServerService"/>
          -                <entry key="/2/*" value-ref="securityServerService2"/>
          -                <entry key="/latest/*" value-ref="securityServerService2"/>
                       </map>
                   </property>
               </bean>
          
          Joseph Walton [Atlassian] made changes -
          Attachment xfire-servlet.xml [ 94422 ]
          Vitaly Osipov [Atlassian] made changes -
          Link This issue relates to CWD-3341 [ CWD-3341 ]
          Vitaly Osipov [Atlassian] made changes -
          Link This issue relates to CWD-3341 [ CWD-3341 ]
          Diego Berrueta [Atlassian] made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Vitaly Osipov [Atlassian] made changes -
          Security Reporters and Developers [ 10071 ]
          Vitaly Osipov [Atlassian] made changes -
          Description This issue has been assigned CVE-2013-3925 by Mitre Corporation.
          Previously reported issue CVE-2012-2926 (August 2012) with corresponding Metasploit plugin (hxxp://www.metasploit.com/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess) was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing.
          The new component has been configured to work for URLs with pattern /crowd/services/ but does not intercept calls to /crowd/services/2/ (etc). The metasploit plugin can be "fixed" simply by changing the URL it connects to.
          This issue has been assigned CVE-2013-3925 by Mitre Corporation.
          Previously reported issue CVE-2012-2926 (August 2012, CVSS score 6.4) was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing.
          The new component has been configured to work for URLs with pattern /crowd/services/ but does not intercept calls to /crowd/services/2/ (etc).
          Vitaly Osipov [Atlassian] made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Vitaly Osipov [Atlassian] added a comment -

          The reporter of this issue appears to have published an advisory (on a weekend) without notifying Atlassian.

          Vitaly Osipov [Atlassian] made changes -
          Remote Link This issue links to "Wiki Page (Extranet)" [ 44579 ]
          Martin Cleaver [Blended Perspectives] added a comment -

          Mentioned on http://it.slashdot.org/story/13/07/01/0011217/backdoor-discovered-in-atlassian-crowd

          This ticket says it affects versions 2.3.8, 2.4.9, 2.5.3, 2.6.2, but I need to be clear: does this affect 2.6.0?

          Does this mean:

          • all 2.3.x versions up to 2.3.8
          • all 2.4.x versions up to 2.4.9
          • all 2.5.x versions up to 2.5.3
          • all 2.6.x versions up to 2.6.2?

          Or ONLY the stated versions? Or only the stated versions are known, anything not stated is as yet unknown?

          I do note that 2.5.4, 2.6.3 & 2.7 are said to be fixed, but that does not answer my question about 2.6.0.

          Thanks,
          Martin.

          Vitaly Osipov [Atlassian] added a comment -

          Martin Cleaver [Blended Perspectives], "all up to" is the correct interpretation. It's not possible to specify that in JIRA, unfortunately.

          Martin Cleaver [Blended Perspectives] added a comment -

          Thanks Vitaly.

          Vitaly Osipov [Atlassian] added a comment -

          Note that only standalone Crowd product is affected.

          William Crighton [CCC] added a comment -

          Vitaly,
          Question - in order to exploit this vulnerability in standalone crowd instances does the 'exploiter' require direct network access to the crowd server?

          i.e. Atlassian customer A exposes a JIRA instance to the internet via ports 80 and 443 - they use Crowd for authentication but do not provide any external access to the Crowd instance.

          Is customer A at risk to 'exploiters' on the internet? Should they patch their Crowd server ASAP?

          Kinda a stupid question but just wanting to make sure.
          Thanks,
          -wc

          Vitaly Osipov [Atlassian] added a comment -

          William Crighton [CCC], an attacker needs direct access to Crowd's REST interface, which is not possible in the scenario you are describing. "Customer A" is not at risk.

          Denise Unterwurzacher [Atlassian] made changes -
          Status Closed [ 6 ] Open [ 1 ]
          Resolution Fixed [ 1 ]
          Denise Unterwurzacher [Atlassian] made changes -
          Description
          Denise Unterwurzacher [Atlassian] made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Vitaly Osipov [Atlassian] made changes -
          Description
          William Zanchet [Atlassian] made changes -
          Description
          Ryan Goodwin [Atlassian] made changes -
          Description
          Adolfo Guzman added a comment -

          How about Crowd 2.0.6? Is there a patch for that version?

          Hanis Suhailah [Atlassian] made changes -
          Labels security conf-alpha security
          Hanis Suhailah [Atlassian] made changes -
          Labels conf-alpha security security
          Hanis Suhailah [Atlassian] made changes -
          Labels security conf-alpha security
          Hanis Suhailah [Atlassian] made changes -
          Description
          Joseph Walton [Atlassian] made changes -
          Link This issue is duplicated by CWD-3411 [ CWD-3411 ]
          Vitaly Osipov [Atlassian] made changes -
          Link This issue is duplicated by CWD-3411 [ CWD-3411 ]
          Joseph Walton [Atlassian] made changes -
          Labels conf-alpha security security
          Helen Hung [Atlassian] added a comment -

          Adolfo Guzman, we've issued patches for versions of Crowd that Atlassian currently support. I would recommend that you look into upgrading into a newer version that can be patched / includes the patch.

          Helen Hung [Atlassian] made changes -
          Remote Link This issue links to "Wiki Page (Extranet)" [ 48393 ]
          Joseph Walton [Atlassian] made changes -
          Link This issue is duplicated by CWD-3532 [ CWD-3532 ]
          Foogie Sim [Atlassian] made changes -
          Description [field edited; superseded by the later edit below]
          Foogie Sim [Atlassian] made changes -
          Description [field edited; the current text follows]
          h3. Description
          This issue has been assigned CVE-2013-3925 by Mitre Corporation.
          Previously reported issue CVE-2012-2926 (August 2012, CVSS score 6.4) was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing.
          The new component has been configured to work for URLs with pattern /crowd/services/ but does not intercept calls to /crowd/services/2/ (etc).

          h3. Scope
          A successful attack requires direct access to the Crowd REST interface. As a result, only standalone Crowd servers are affected.

          A common configuration where an internal Crowd server is used by an Internet-facing Confluence, JIRA or other products is not vulnerable to an attack from the Internet.

          h3. Fix
          Please upgrade Crowd to 2.5.4 or 2.6.3. The issue has been resolved in these versions.

          h3. Workaround
          For older versions of Crowd there is a patched version of xfire-servlet.xml available attached to this ticket. It needs to replace the existing one inside a jar in your installation. See [here|https://confluence.atlassian.com/pages/viewpage.action?pageId=376836952] for instructions for how to apply the patch.

          If you use Web Application Firewalls, Apache ACLs or similar technology, you can filter access to {{/crowd/services}}.

          h3. Patch instructions
          (Patching instructions moved up here from a comment, as the comment is collapsed.)
          As well as the Fix Versions, this can be patched in older versions if you are unable to upgrade. The fix requires replacing the {{xfire-servlet.xml}} file in the {{crowd-server}} jar.

          h4. Patching
          The corrected version of the file can be used with Crowd 2.3.7, 2.4.1 or any 2.5 or 2.6 release. See {{xfire-servlet.xml}} attached to this issue.

          For example, for Crowd 2.4.2:
          {noformat}
          zip -u atlassian-crowd-2.4.2/crowd-webapp/WEB-INF/lib/crowd-server-2.4.2.jar xfire-servlet.xml
          {noformat}

          Or you can simply copy the attached [xfire-servlet.xml|https://jira.atlassian.com/secure/attachment/94422/xfire-servlet.xml] to {{crowd-webapp/WEB-INF/classes}}, followed by a Crowd restart.

          h4. Older versions
          With versions 2.1.2 or 2.2.9, unzip the file and manually edit it to remove all {{urlMap}} entries other than the first {{key="/*"}} entry:

          {code:lang=none}
          <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
              <property name="urlMap">
                  <map>
                      <entry key="/*" value-ref="securityServerService"/>
          -           <entry key="/1/*" value-ref="securityServerService"/>
          -           <entry key="/2/*" value-ref="securityServerService2"/>
          -           <entry key="/latest/*" value-ref="securityServerService2"/>
                  </map>
              </property>
          </bean>
          {code}
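A post-patch check for the edit described above, added here as an example and not taken from the ticket or from Crowd: it reads an xfire-servlet.xml and fails unless the urlMap holds only the key="/*" entry. The two sample files it writes are constructed to mirror the snippet above; the function and file names are assumptions.

```shell
# Added example (not Atlassian's code): verify that xfire-servlet.xml maps
# every SOAP path through the single key="/*" urlMap entry, as the
# "Older versions" instructions require.
# Exit status 0 = only "/*" remains, 1 = extra urlMap entries still present.
check_xfire_mapping() {
    file="$1"
    # Collect the key="..." values that sit inside the urlMap property.
    keys=$(sed -n '/<property name="urlMap">/,/<\/property>/p' "$file" \
           | sed -n 's/.*<entry key="\([^"]*\)".*/\1/p')
    if [ -z "$keys" ]; then
        echo "no urlMap entries found in $file"
        return 1
    fi
    # Any key other than the literal "/*" means the file is still unpatched.
    extra=$(printf '%s\n' "$keys" | grep -v -x -F '/*' || true)
    if [ -n "$extra" ]; then
        echo "UNPATCHED: $file still maps these keys besides \"/*\":"
        printf '%s\n' "$extra" | sed 's/^/    /'
        return 1
    fi
    echo "OK: $file maps only key=\"/*\""
    return 0
}

# Writes two constructed sample files into DIR: the mapping as shipped in
# older Crowd versions and the same file with the extra entries removed.
make_sample_xml() {
    dir="$1"
    cat > "$dir/unpatched.xml" <<'EOF'
<beans>
    <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
        <property name="urlMap">
            <map>
                <entry key="/*" value-ref="securityServerService"/>
                <entry key="/1/*" value-ref="securityServerService"/>
                <entry key="/2/*" value-ref="securityServerService2"/>
                <entry key="/latest/*" value-ref="securityServerService2"/>
            </map>
        </property>
    </bean>
</beans>
EOF
    grep -v -F -e 'key="/1/*"' -e 'key="/2/*"' -e 'key="/latest/*"' \
        "$dir/unpatched.xml" > "$dir/patched.xml"
}
```

Against a real installation, extract the file first (for example `unzip -p crowd-server-2.4.2.jar xfire-servlet.xml > /tmp/xfire-servlet.xml`) and pass that path to `check_xfire_mapping`; the jar path is the one from the zip command above.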

          {panel}
          *We have documented a security notice regarding this matter at - [Crowd Security Notice 2013-07-01|https://confluence.atlassian.com/display/CROWD/Crowd+Security+Notice+2013-07-01]*
          {panel}

            People
            Votes: 0
            Watchers: 26

            Dates
            Last commented: 40 weeks, 3 days ago