This issue has been assigned CVE-2013-3925 by Mitre Corporation.
Previously reported issue CVE-2012-2926 (August 2012, CVSS score 6.4) was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing.
The new component has been configured to match URLs with the pattern /crowd/services/ but does not intercept calls to /crowd/services/2/ (and similar paths).
A successful attack requires direct access to the Crowd REST interface. As a result, only standalone Crowd servers are affected.
A common configuration where an internal Crowd server is used by an Internet-facing Confluence, JIRA or other products is not vulnerable to an attack from the Internet.
Please upgrade Crowd to 2.5.4 or 2.6.3. The issue has been resolved in these versions.
For older versions of Crowd there is a patched version of xfire-servlet.xml attached to this ticket. It must replace the existing file inside a jar in your installation. See here for instructions on how to apply the patch.
If you use Web Application Firewalls, Apache ACLs or similar technology, you can filter access to /crowd/services.
In addition to the Fix Versions, older versions can be patched if you are unable to upgrade. The fix requires replacing the xfire-servlet.xml file in the crowd-server jar.
The corrected version of the file can be used with Crowd 2.3.7, 2.4.1 or any 2.5 or 2.6 release. See xfire-servlet.xml attached to this issue.
For example, for Crowd 2.4.2:
Or you can simply copy the attached xfire-servlet.xml to crowd-webapp/WEB-INF/classes, followed by a Crowd restart.
With versions 2.1.2 or 2.2.9, unzip the file and manually edit it to remove all urlMap entries other than the first key="/*" entry:
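After applying either form of the workaround, a defender will want to confirm that the xfire-servlet.xml actually deployed carries only the key="/*" urlMap entry. The following check is an added example and is not the ticket's attachment or Atlassian code: it assumes the file is a Spring-style bean definition whose urlMap is a `<map>` of `<entry key=...>` elements (the ticket's wording suggests this but does not show the file), and the sample XML and jar it builds are constructed stand-ins, not real Crowd artifacts.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed UNPATCHED xfire-servlet.xml (not the ticket's attachment). Assumed
# layout: a Spring-style urlMap <map> of <entry key=...> elements; the "/2/*"
# entry is what the ticket tells 2.1.2/2.2.9 users to remove.
UNPATCHED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<beans>
  <bean id="xfireUrlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="urlMap">
      <map>
        <entry key="/*"><ref bean="xfireServletController"/></entry>
        <entry key="/2/*"><ref bean="xfireServletController"/></entry>
      </map>
    </property>
  </bean>
</beans>"""
# Same file with only the first key="/*" entry kept.
PATCHED_XML = UNPATCHED_XML.replace(
    b'<entry key="/2/*"><ref bean="xfireServletController"/></entry>', b"")

def find_extra_urlmap_keys(xml_bytes):
    """Return urlMap entry keys other than "/*"; a non-empty list means unpatched."""
    root = ET.fromstring(xml_bytes)
    local = lambda tag: tag.rsplit("}", 1)[-1]  # ignore any xmlns prefix
    extra = []
    for prop in root.iter():
        if local(prop.tag) == "property" and prop.get("name") == "urlMap":
            for entry in prop.iter():
                if local(entry.tag) == "entry" and entry.get("key") != "/*":
                    extra.append(entry.get("key"))
    return extra

def check_jar(jar, member="xfire-servlet.xml"):
    """Inspect xfire-servlet.xml inside a crowd-server jar given as a path or bytes."""
    with zipfile.ZipFile(io.BytesIO(jar) if isinstance(jar, bytes) else jar) as zf:
        names = [n for n in zf.namelist() if n.endswith(member)]
        if not names:
            raise FileNotFoundError(f"{member} not found in jar")
        return find_extra_urlmap_keys(zf.read(names[0]))

def build_sample_jar(xml_bytes):
    """Constructed stand-in for the crowd-server jar, holding only xfire-servlet.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xfire-servlet.xml", xml_bytes)
    return buf.getvalue()
```

Run `check_jar` against the real crowd-server jar path (or against the copy placed in crowd-webapp/WEB-INF/classes) and treat any returned key as a sign the workaround did not take effect.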