Atlassian has fixed critical security vulnerabilities in its products Confluence, Bamboo, FishEye & Crucible, and Crowd, and published security advisories on May 21, 2014. We highly recommend that our customers update their instances to the latest version in order to avoid these risks.
Confluence: ClassLoader-Manipulation
The vulnerability is in the XWork library, which is also part of Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Confluence web interface. In cases where anonymous access is enabled, a valid user account is not required to exploit this vulnerability.
The vulnerability is critical and affects all versions of Confluence up to and including Confluence 5.5.
Confluence 5.5.1 is not vulnerable.
More information in Atlassian's security advisory.
Bamboo: ClassLoader-Manipulation
There is also a vulnerability in Bamboo based on Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Bamboo web interface. In cases where anonymous access is enabled, a valid user account is not required to exploit this vulnerability.
The vulnerability is critical and affects all versions of Bamboo up to and including 5.5.
Bamboo 5.6 is not vulnerable.
More information in Atlassian's security advisory.
Crowd: ClassLoader-Manipulation
In Crowd the vulnerability is also based on Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Crowd web interface. In cases where anonymous access is enabled, a valid user account is not required to exploit this vulnerability.
We have discovered this vulnerability during our review of the recent Struts security advisories. This vulnerability is specific to Crowd.
The vulnerability affects all versions of Crowd earlier than and including 2.7.
Crowd 2.5.7, 2.6.7, 2.7.2 are not vulnerable.
More information in Atlassian's security advisory.
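The three ClassLoader-manipulation issues above (Confluence, Bamboo and Crowd) share one root cause: a request parameter name that walks from a bean into its `class` property and on to the `classLoader`. Until an instance is updated, a defender can at least find such requests in the web access log. The script below is an added example written for this post, not code from Atlassian or from the advisories; the log lines are constructed, and the log format is assumed to be the common Apache/Tomcat access-log layout.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access log (not real traffic). The first request is ordinary;
# the other two carry parameter names that reach the ClassLoader through the
# "class" property, once in plain form and once percent-encoded in OGNL index syntax.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2014:10:01:13 +0000] "GET /confluence/pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120
10.0.0.9 - - [22/May/2014:10:02:44 +0000] "GET /confluence/login.action?class.classLoader.x=1 HTTP/1.1" 200 881
10.0.0.9 - - [22/May/2014:10:02:50 +0000] "GET /confluence/login.action?Class%5B%27classLoader%27%5D.y=1 HTTP/1.1" 200 881
"""

# client address, then the request target of a GET/POST/PUT request line
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT) (\S+)')


def normalize_param_name(name):
    """Reduce a parameter name to a canonical dotted, lower-case form.

    Percent-encoding is decoded twice to catch double encoding, and OGNL index
    forms such as ['class'] or ["class"] are rewritten as .class so that every
    spelling of the same property path compares equal.
    """
    decoded = unquote(unquote(name))
    dotted = re.sub(r"\[\s*['\"]?([^\]'\"]+)['\"]?\s*\]", r".\1", decoded)
    return dotted.strip(".").lower()


def is_classloader_param(name):
    """True if the parameter name navigates <bean>.class.classLoader."""
    return re.search(r"(^|\.)class\.classloader(\.|$)", normalize_param_name(name)) is not None


def find_classloader_requests(log_text):
    """Return (client_ip, raw_parameter_name) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        client_ip, target = match.groups()
        for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if is_classloader_param(name):
                hits.append((client_ip, name))
    return hits


if __name__ == "__main__":
    for client_ip, name in find_classloader_requests(SAMPLE_LOG):
        print(f"{client_ip} sent suspicious parameter name: {name}")
```

Only GET query strings are visible in a standard access log; POST bodies need an application-level filter or a reverse proxy that logs request bodies.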
FishEye and Crucible: Reset of the Admin password
An unauthenticated user is able to set the admin password of FishEye or Crucible to any value, gaining admin access to the FishEye or Crucible instance as a result.
The vulnerability is critical and affects FishEye version 3.x. Versions earlier than 3.0 are not vulnerable.
The vulnerability has been fixed in the recent releases 3.0.4, 3.1.7, 3.2.5, 3.3.4 and 3.4.4.
More information in Atlassian's security advisories: FishEye, Crucible
Better Updates than Patches
Atlassian has provided patches for the product versions still supported under its end-of-life policy, which fix the vulnerabilities described above. However, regular product updates are highly recommended over patches, since patches are merely interim solutions. They may bridge the gap until the next update, but cannot replace one.
Patched systems will eventually lead to problems, since patches are often not cumulative. It is therefore not recommended to install patches from different security advisories on top of each other; instead, update to the latest versions regularly. As a customer with a current support contract, you are eligible for free updates.
If you have questions about these security advisories or need help with an update, please contact us. We gladly advise you free of charge regarding licensing and updates. You can reach our experts on Atlassian licenses at +1 (619) 793-4456.