[CWD-4790] CVE-2016-6496: LDAP Java Object Injection in Crowd

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 2.8.8, 2.9.4, 2.9.5, 2.10.1
Affects Version/s: 2.6.7, 2.7.2, 2.8.4, 2.9.3
Component/s: Directory - LDAP
Labels:

Symptom Severity:
Severity 1 - Critical
Bug Fix Policy:
View Atlassian Server bug fix policy

The Crowd LDAP directory connector allowed an attacker to gain remote code execution in Crowd by injecting malicious attributes in LDAP entries. To exploit this issue, attackers need to modify an entry in your LDAP directory or successfully execute a Man-in-The-Middle attack between an LDAP server and Crowd. Crowd installations configured to communicate with an LDAP server using the LDAPS protocol with the Secure SSL option enabled are immune to this attack vector only (unless an attacker is able to obtain the private key of the SSL/TLS certificate used to secure the communication).

Affected versions:

All versions of Crowd from 1.4.1 before 2.8.8 (the fixed version for 2.8.x) and from 2.9.0 before 2.9.5 (the fixed version for 2.9.x) are affected by this vulnerability.

Fix:

Crowd 2.10.1 is available for download from https://www.atlassian.com/software/crowd/download.
Crowd 2.9.5 is available for download from https://www.atlassian.com/software/crowd/download-archive.
Crowd 2.8.8 is available for download from https://www.atlassian.com/software/crowd/download-archive.

Risk Mitigation:

The issue can be mitigated by restricting modifications of LDAP entries by LDAP users and configuring SSL/TLS connection between an LDAP Server and Crowd. See Configuring Crowd to Work with SSL for information on setting up secure transport.

Acknowledgements:
We would like to credit Alvaro Munoz and Alexander Mirosh of HPE Security Fortify for reporting this issue to us.

For additional details see the full advisory.

is related to

CRUC-7894 Update Embedded Crowd library to version 2.8.8 that contains a fix for CWD-4790

Closed

FE-6714 Update Embedded Crowd library to version 2.8.8 that contains a fix for CWD-4790

Closed

mentioned in: Crowd Security Advisory 2016-10-19; Page Failed to load; Page Failed to load; Page Loading...; Page Loading...

(2 mentioned in)

Form Name

David Black added a comment - 10/Oct/2016 12:53 AM - edited

CVSS v3 score: 9.0 => Critical severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

See https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H for more details.

David Black added a comment - 10/Oct/2016 12:53 AM - edited CVSS v3 score: 9.0 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High See https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H for more details.

Assignee:: Unassigned

Reporter:: Alvaro Munoz

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 26/Sep/2016 7:05 AM

Updated:: 13/Nov/2019 11:56 PM

Resolved:: 26/Sep/2016 7:29 AM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: David Black added a comment - 10/Oct/2016 12:53 AM, Edited by David Black - 10/Oct/2016 12:53 AM

Expand comment: David Black added a comment - 10/Oct/2016 12:53 AM, Edited by David Black - 10/Oct/2016 12:53 AM

People

Dates