-
Bug
-
Resolution: Fixed
-
Highest
-
2.6.7, 2.7.2, 2.8.4, 2.9.3
-
Severity 1 - Critical
-
The Crowd LDAP directory connector allowed an attacker to gain remote code execution in Crowd by injecting malicious attributes in LDAP entries. To exploit this issue, attackers need to modify an entry in your LDAP directory or successfully execute a Man-in-The-Middle attack between an LDAP server and Crowd. Crowd installations configured to communicate with an LDAP server using the LDAPS protocol with the Secure SSL option enabled are immune to this attack vector only (unless an attacker is able to obtain the private key of the SSL/TLS certificate used to secure the communication).
Affected versions:
- All versions of Crowd from 1.4.1 before 2.8.8 (the fixed version for 2.8.x) and from 2.9.0 before 2.9.5 (the fixed version for 2.9.x) are affected by this vulnerability.
Fix:
- Crowd 2.10.1 is available for download from https://www.atlassian.com/software/crowd/download.
- Crowd 2.9.5 is available for download from https://www.atlassian.com/software/crowd/download-archive.
- Crowd 2.8.8 is available for download from https://www.atlassian.com/software/crowd/download-archive.
Risk Mitigation:
- The issue can be mitigated by restricting modifications of LDAP entries by LDAP users and configuring SSL/TLS connection between an LDAP Server and Crowd. See Configuring Crowd to Work with SSL for information on setting up secure transport.
Acknowledgements:
We would like to credit Alvaro Munoz and Alexander Mirosh of HPE Security Fortify for reporting this issue to us.
For additional details see the full advisory.
![[Atlassian Documentation] Page](https://confluence.atlassian.com/images/icons/favicon.png "[Atlassian Documentation] Page"){kind=icon}
![[Extranet] Page](/images/icons/generic_link_16.png "[Extranet] Page"){kind=icon}
[CWD-4790] CVE-2016-6496: LDAP Java Object Injection in Crowd
| Labels | Original: CVE-2016-6496 advisory cvss-critical security | New: CVE-2016-6496 advisory cvss-critical injection ldap-injection security |
| Workflow | Original: Simplified Crowd Development Workflow v2 - restricted [ 1604209 ] | New: JAC Bug Workflow v3 [ 3365781 ] |
| Symptom Severity | Original: Critical [ 14430 ] | New: Severity 1 - Critical [ 15830 ] |
| Security | Original: Reporter and Atlassian Staff [ 10751 ] |
| Description |
Original:
The Crowd LDAP directory connector allowed an attacker to gain remote code execution in Crowd by injecting malicious attributes in LDAP entries. To exploit this issue, attackers need to modify an entry in your LDAP directory or successfully execute a Man-in-The-Middle attack between an LDAP server and Crowd. Crowd installations configured to communicate with an LDAP server using the *LDAPS* protocol with the *Secure SSL* option enabled are immune to this attack vector only (unless an attacker is able to obtain the private key of the SSL/TLS certificate used to secure the communication).
*Affected versions:* * All versions of Crowd from *1.4.1* before *2.8.8* (the fixed version for 2.8.x) and from *2.9.0* before *2.9.4* (the fixed version for 2.9.x) are affected by this vulnerability. *Fix:* * *Crowd* 2.10.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.9.4 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. * *Crowd* 2.8.8 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. *Risk Mitigation:* * The issue can be mitigated by restricting modifications of LDAP entries by LDAP users and configuring SSL/TLS connection between an LDAP Server and Crowd. See [Configuring Crowd to Work with SSL|https://confluence.atlassian.com/crowd/configuring-crowd-to-work-with-ssl-151520306.html] for information on setting up secure transport. \\ *Acknowledgements:* We would like to credit Alvaro Munoz and Alexander Mirosh of HPE Security Fortify for reporting this issue to us. \\ For additional details see the [full advisory|https://confluence.atlassian.com/x/wykQMw]. |
New:
The Crowd LDAP directory connector allowed an attacker to gain remote code execution in Crowd by injecting malicious attributes in LDAP entries. To exploit this issue, attackers need to modify an entry in your LDAP directory or successfully execute a Man-in-The-Middle attack between an LDAP server and Crowd. Crowd installations configured to communicate with an LDAP server using the *LDAPS* protocol with the *Secure SSL* option enabled are immune to this attack vector only (unless an attacker is able to obtain the private key of the SSL/TLS certificate used to secure the communication).
*Affected versions:* * All versions of Crowd from *1.4.1* before *2.8.8* (the fixed version for 2.8.x) and from *2.9.0* before *2.9.5* (the fixed version for 2.9.x) are affected by this vulnerability. *Fix:* * *Crowd* 2.10.1 is available for download from [https://www.atlassian.com/software/crowd/download]. * *Crowd* 2.9.5 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. * *Crowd* 2.8.8 is available for download from [https://www.atlassian.com/software/crowd/download-archive]. *Risk Mitigation:* * The issue can be mitigated by restricting modifications of LDAP entries by LDAP users and configuring SSL/TLS connection between an LDAP Server and Crowd. See [Configuring Crowd to Work with SSL|https://confluence.atlassian.com/crowd/configuring-crowd-to-work-with-ssl-151520306.html] for information on setting up secure transport. \\ *Acknowledgements:* We would like to credit Alvaro Munoz and Alexander Mirosh of HPE Security Fortify for reporting this issue to us. \\ For additional details see the [full advisory|https://confluence.atlassian.com/x/wykQMw]. |
| Fix Version/s | New: 2.9.5 [ 64201 ] |
| Reporter | Original: alexmin [ aminozhenko ] | New: Alvaro Munoz [ a0293d379a6e ] |
| Remote Link | New: This issue links to "Page (Extranet)" [ 214309 ] |
