Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-5802

Crowd: Multiple vulnerabilities in log4j < 1.2.7-atlassian-16

XMLWordPrintable

    • 8.1
    • High
    • CVE-2020-9493

      The version of log4j used by Crowd has been updated from version 1.2.7-atlassian-3 to 1.2.7-atlassian-16 to address the following vulnerabilities:

      CVE-2021-4104
      JMSAppender is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSAppender, nor does Atlassian provide any documentation on using JMSAppender with Crowd. Atlassian has remediated this vulnerability by preventing external JNDI lookups in the Atlassian version of log4j

      CVE-2020-9493 and CVE-2022-23307
      Apache Chainsaw is bundled with log4j 1.2.x, and is vulnerable to a deserialization flaw. A remote, unauthenticated attacker could exploit this to execute arbitrary code. Please note that Chainsaw is a log viewer that is designed to be executed manually. It is not required by Crowd, nor is it executed by default, nor does Atlassian provide any documentation on using Chainsaw with Crowd. Atlassian has remediated this vulnerability by removing Chainsaw from the Atlassian version of log4j.

      CVE-2022-23302
      JMSSink is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSSink by default, nor does Atlassian provide any documentation on using JMSSink with Crowd. Atlassian has remediated this vulnerability by removing JMSSink from the Atlassian version of log4j.

      CVE-2022-23305
      JDBCAppender is vulnerable to a SQL injection flaw when configured to use the message converter (%m). A remote, unauthenticated attacker can exploit this to execute arbitrary SQL queries. Crowd is not configured to use JDBCAppender by default, nor does Atlassian provide any documentation on using JDBCAppender with Crowd. Atlassian has remediated this vulnerability by removing JDBCAppender from the Atlassian version of log4j.

      Affected versions of Crowd:

      • Versions < 5.0.0

      Fixed versions of Crowd:

      • Versions >= 5.0.0

            [CWD-5802] Crowd: Multiple vulnerabilities in log4j < 1.2.7-atlassian-16

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 8.1 => High severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity High
            Privileges Required None
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

            Security Metrics Bot added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 8.1 => High severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: