CWD-5802 (Crowd Data Center)

Crowd: Multiple vulnerabilities in log4j < 1.2.7-atlassian-16

    • 8.1
    • High
    • CVE-2020-9493

      The version of log4j used by Crowd has been updated from version 1.2.7-atlassian-3 to 1.2.7-atlassian-16 to address the following vulnerabilities:

      CVE-2021-4104
      JMSAppender is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSAppender, nor does Atlassian provide any documentation on using JMSAppender with Crowd. Atlassian has remediated this vulnerability by preventing external JNDI lookups in the Atlassian version of log4j.

      CVE-2020-9493 and CVE-2022-23307
      Apache Chainsaw is bundled with log4j 1.2.x, and is vulnerable to a deserialization flaw. A remote, unauthenticated attacker could exploit this to execute arbitrary code. Please note that Chainsaw is a log viewer that is designed to be executed manually. It is not required by Crowd, nor is it executed by default, nor does Atlassian provide any documentation on using Chainsaw with Crowd. Atlassian has remediated this vulnerability by removing Chainsaw from the Atlassian version of log4j.

      CVE-2022-23302
      JMSSink is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSSink by default, nor does Atlassian provide any documentation on using JMSSink with Crowd. Atlassian has remediated this vulnerability by removing JMSSink from the Atlassian version of log4j.

      CVE-2022-23305
      JDBCAppender is vulnerable to a SQL injection flaw when configured to use the message converter (%m). A remote, unauthenticated attacker can exploit this to execute arbitrary SQL queries. Crowd is not configured to use JDBCAppender by default, nor does Atlassian provide any documentation on using JDBCAppender with Crowd. Atlassian has remediated this vulnerability by removing JDBCAppender from the Atlassian version of log4j.

      Affected versions of Crowd:

      • Versions < 5.0.0

      Fixed versions of Crowd:

      • Versions >= 5.0.0
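As an added check (not from the advisory, Atlassian or the log4j project), the following Python audits a log4j 1.x properties file for the appenders named above and, given a jar's entry list, reports whether the classes Atlassian removed are still shipped. It assumes the fully-qualified class names and the JDBCAppender `sql` property from log4j 1.2.x; the sample properties text is constructed.

```python
import re
from typing import Dict, Iterable, List

# Appender classes named in CWD-5802, keyed to their CVE (names assumed from log4j 1.2.x).
RISKY_CLASSES = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"  # CVE-2020-9493, CVE-2022-23307
_APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)(?:\.(\S+?))?\s*=\s*(.*)$")

# Constructed log4j.properties for demonstration; not a real Crowd config.
SAMPLE_PROPERTIES = """
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.sql=INSERT INTO LOGS VALUES ('%d','%p','%m')
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
"""

def audit_log4j_properties(text: str) -> List[str]:
    """Flag advisory appenders; a JDBCAppender whose sql embeds %m is the CVE-2022-23305 case."""
    appender_cls: Dict[str, str] = {}
    sql_pattern: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _APPENDER_RE.match(raw.strip())
        if not m:
            continue
        name, prop, value = m.group(1), m.group(2), m.group(3).strip()
        if prop is None:                 # log4j.appender.NAME=<class>
            appender_cls[name] = value
        elif prop.lower() == "sql":      # log4j.appender.NAME.sql=<pattern>
            sql_pattern[name] = value
    findings = []
    for name, cls in appender_cls.items():
        if cls in RISKY_CLASSES:
            findings.append(f"{name}: {cls} ({RISKY_CLASSES[cls]})")
        if cls.endswith("JDBCAppender") and "%m" in sql_pattern.get(name, ""):
            findings.append(f"{name}: sql pattern embeds %m, so message text reaches SQL")
    return findings

def removed_classes_present(jar_entries: Iterable[str]) -> Dict[str, bool]:
    """Given a jar's entry names (e.g. zipfile.ZipFile(p).namelist()), report which
    classes the Atlassian fork removed are still shipped. JMSAppender is skipped:
    Atlassian kept it and disabled external JNDI lookups, so presence proves nothing."""
    names = set(jar_entries)
    removed = [c for c in RISKY_CLASSES if not c.endswith("JMSAppender")]
    present = {c: c.replace(".", "/") + ".class" in names for c in removed}
    present["chainsaw"] = any(n.startswith(CHAINSAW_PREFIX) for n in names)
    return present
```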


            Cathy S made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 705256 ]
            Cathy S made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 702995 ]
            Cathy S made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 701570 ]
            Esteban Casuscelli made changes -
            Fix Version/s New: 4.4.2 [ 101710 ]
            Fix Version/s New: 4.3.8 [ 101709 ]
            Security Metrics Bot made changes -
            CVE ID New: CVE-2020-9493
            Brian Adeloye (Inactive) made changes -
            Resolution New: Fixed [ 1 ]
            Security Original: Atlassian Staff [ 10750 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            Brian Adeloye (Inactive) made changes -
            Description Original: The version of {{log4j}} used by Crowd has been updated from version *1.2.7-atlassian-3* to *1.2.7-atlassian-16* to address the following vulnerabilities:

            [CVE-2021-4104|https://www.cve.org/CVERecord?id=CVE-2021-4104]
            JMSAppender is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSAppender, nor does Atlassian provide any documentation on using JMSAppender with Crowd. Atlassian has [remediated this vulnerability by preventing external JNDI lookups|https://bitbucket.org/atlassian/log4j1/pull-requests/9] in the Atlassian version of {{log4j}}. 

            [CVE-2020-9493|https://www.cve.org/CVERecord?id=CVE-2020-9493] and [CVE-2022-23307|https://www.cve.org/CVERecord?id=CVE-2022-23307]
            Apache Chainsaw is bundled with {{log4j}} 1.2.x, and is vulnerable to a deserialization flaw. A remote, unauthenticated attacker could exploit this to execute arbitrary code. Please note that Chainsaw is a log viewer that is designed to be executed manually. It is not required by Crowd, nor is it executed by default, nor does Atlassian provide any documentation on using Chainsaw with Crowd. Atlassian has [remediated this vulnerability by removing Chainsaw|https://bitbucket.org/atlassian/log4j1/commits/3a06f7e94efa98331a875532212a3005fd9766d0] from the Atlassian version of {{{}log4j{}}}.

            [CVE-2022-23302|https://www.cve.org/CVERecord?id=CVE-2022-23302]
            JMSSink is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSSink by default, nor does Atlassian provide any documentation on using JMSSink with Crowd. Atlassian has [remediated this vulnerability by removing JMSSink|https://bitbucket.org/atlassian/log4j1/commits/48b34334e5278dfd52b361b1ec6943ca4c3b997e] from the Atlassian version of {{{}log4j{}}}.

            [CVE-2022-23305|https://www.cve.org/CVERecord?id=CVE-2022-23305]
            JDBCAppender is vulnerable to a SQL injection flaw when configured to use the message converter ({{{}%m{}}}). A remote, unauthenticated attacker can exploit this to execute arbitrary SQL queries. Crowd is not configured to use JDBCAppender by default. Atlassian has [remediated this vulnerability by removing JDBCAppender|https://bitbucket.org/atlassian/log4j1/commits/b933fe460d64ccfc027b4efee74a5ce1875fe3be] from the Atlassian version of {{{}log4j{}}}.

            Affected versions of Crowd:
             * Versions < 5.0.0

            Fixed versions of Crowd:
             * Versions >= 5.0.0
            New: The version of {{log4j}} used by Crowd has been updated from version *1.2.7-atlassian-3* to *1.2.7-atlassian-16* to address the following vulnerabilities:

            [CVE-2021-4104|https://www.cve.org/CVERecord?id=CVE-2021-4104]
            JMSAppender is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSAppender, nor does Atlassian provide any documentation on using JMSAppender with Crowd. Atlassian has [remediated this vulnerability by preventing external JNDI lookups|https://bitbucket.org/atlassian/log4j1/pull-requests/9] in the Atlassian version of {{{}log4j{}}}. 

            [CVE-2020-9493|https://www.cve.org/CVERecord?id=CVE-2020-9493] and [CVE-2022-23307|https://www.cve.org/CVERecord?id=CVE-2022-23307]
            Apache Chainsaw is bundled with {{log4j}} 1.2.x, and is vulnerable to a deserialization flaw. A remote, unauthenticated attacker could exploit this to execute arbitrary code. Please note that Chainsaw is a log viewer that is designed to be executed manually. It is not required by Crowd, nor is it executed by default, nor does Atlassian provide any documentation on using Chainsaw with Crowd. Atlassian has [remediated this vulnerability by removing Chainsaw|https://bitbucket.org/atlassian/log4j1/commits/3a06f7e94efa98331a875532212a3005fd9766d0] from the Atlassian version of {{{}log4j{}}}.

            [CVE-2022-23302|https://www.cve.org/CVERecord?id=CVE-2022-23302]
            JMSSink is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSSink by default, nor does Atlassian provide any documentation on using JMSSink with Crowd. Atlassian has [remediated this vulnerability by removing JMSSink|https://bitbucket.org/atlassian/log4j1/commits/48b34334e5278dfd52b361b1ec6943ca4c3b997e] from the Atlassian version of {{{}log4j{}}}.

            [CVE-2022-23305|https://www.cve.org/CVERecord?id=CVE-2022-23305]
            JDBCAppender is vulnerable to a SQL injection flaw when configured to use the message converter ({{{}%m{}}}). A remote, unauthenticated attacker can exploit this to execute arbitrary SQL queries. Crowd is not configured to use JDBCAppender by default, nor does Atlassian provide any documentation on using JDBCAppender with Crowd. Atlassian has [remediated this vulnerability by removing JDBCAppender|https://bitbucket.org/atlassian/log4j1/commits/b933fe460d64ccfc027b4efee74a5ce1875fe3be] from the Atlassian version of {{{}log4j{}}}.

            Affected versions of Crowd:
             * Versions < 5.0.0

            Fixed versions of Crowd:
             * Versions >= 5.0.0
            Brian Adeloye (Inactive) made changes -
            Summary Original: An Atlassian product has a security vulnerability. New: Crowd: Multiple vulnerabilities in log4j < 1.2.7-atlassian-16
            Brian Adeloye (Inactive) made changes -
            Labels Original: advisory advisory-to-release dont-import security 🔒✅ New: CVE-2020-9493 CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307 advisory advisory-to-release dont-import security 🔒✅
            Brian Adeloye (Inactive) made changes -
            Description Original:
            This vulnerability affects certain versions of Atlassian Crowd. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.
            New: The version of {{log4j}} used by Crowd has been updated from version *1.2.7-atlassian-3* to *1.2.7-atlassian-16* to address the following vulnerabilities:

            [CVE-2021-4104|https://www.cve.org/CVERecord?id=CVE-2021-4104]
            JMSAppender is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSAppender, nor does Atlassian provide any documentation on using JMSAppender with Crowd. Atlassian has [remediated this vulnerability by preventing external JNDI lookups|https://bitbucket.org/atlassian/log4j1/pull-requests/9] in the Atlassian version of {{log4j}}. 

            [CVE-2020-9493|https://www.cve.org/CVERecord?id=CVE-2020-9493] and [CVE-2022-23307|https://www.cve.org/CVERecord?id=CVE-2022-23307]
            Apache Chainsaw is bundled with {{log4j}} 1.2.x, and is vulnerable to a deserialization flaw. A remote, unauthenticated attacker could exploit this to execute arbitrary code. Please note that Chainsaw is a log viewer that is designed to be executed manually. It is not required by Crowd, nor is it executed by default, nor does Atlassian provide any documentation on using Chainsaw with Crowd. Atlassian has [remediated this vulnerability by removing Chainsaw|https://bitbucket.org/atlassian/log4j1/commits/3a06f7e94efa98331a875532212a3005fd9766d0] from the Atlassian version of {{{}log4j{}}}.

            [CVE-2022-23302|https://www.cve.org/CVERecord?id=CVE-2022-23302]
            JMSSink is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSSink by default, nor does Atlassian provide any documentation on using JMSSink with Crowd. Atlassian has [remediated this vulnerability by removing JMSSink|https://bitbucket.org/atlassian/log4j1/commits/48b34334e5278dfd52b361b1ec6943ca4c3b997e] from the Atlassian version of {{{}log4j{}}}.

            [CVE-2022-23305|https://www.cve.org/CVERecord?id=CVE-2022-23305]
            JDBCAppender is vulnerable to a SQL injection flaw when configured to use the message converter ({{{}%m{}}}). A remote, unauthenticated attacker can exploit this to execute arbitrary SQL queries. Crowd is not configured to use JDBCAppender by default. Atlassian has [remediated this vulnerability by removing JDBCAppender|https://bitbucket.org/atlassian/log4j1/commits/b933fe460d64ccfc027b4efee74a5ce1875fe3be] from the Atlassian version of {{{}log4j{}}}.

            Affected versions of Crowd:
             * Versions < 5.0.0

            Fixed versions of Crowd:
             * Versions >= 5.0.0

              Assignee: Unassigned
              Reporter: Security Metrics Bot (security-metrics-bot)