Security Alert: Atlassian FishEye/Crucible 2.4.6 to 2.5.6 affected

Subject:   Security Alert: Atlassian FishEye/Crucible 2.4.6 to 2.5.6 affected
From:   Atlassian <noreply at mailer dot atlassian dot com>
Date:   23 November 2011 02:19

Dear customers,
 
We are writing to inform you of several recently discovered security vulnerabilities in Atlassian FishEye/Crucible. Two of these security vulnerabilities are rated as high; two are rated as medium. None are rated critical. To fix these vulnerabilities, you should follow the instructions in the security advisory below. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. Neither JIRA Studio nor Atlassian OnDemand are vulnerable to any of the issues described in this advisory.
 
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2011-11-22.  
 
If you have any questions or concerns about this security vulnerability or about our policy of disclosure of security vulnerabilities, please visit our page on Atlassian Security Policies (http://confluence.atlassian.com/display/Support/Atlassian+Security+Policies) or raise a support request at http://support.atlassian.com/.
 
*** Security Advisory ***
 
This advisory announces a number of security vulnerabilities that we have found and fixed in versions of FishEye/Crucible earlier than 2.5.7. You need to upgrade your existing FishEye and Crucible installations to fix these vulnerabilities. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com/ in the "Enterprise Hosting Support" project. Neither JIRA Studio nor Atlassian OnDemand are vulnerable to any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
 
*XSS Vulnerabilities*
 
Severity -- Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in http://confluence.atlassian.com/display/FISHEYE/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, medium or low. These vulnerabilities are not critical.
 
Risk Assessment -- We have identified and fixed a number of stored cross-site scripting (XSS) vulnerabilities which affect FishEye/Crucible instances, including publicly available instances (that is, internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS attacks on https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_scripting, at http://projects.webappsec.org/Cross-Site+Scripting and other places on the web.
 
Vulnerabilities -- The list below describes the FishEye/Crucible versions and the specific functionality affected by the XSS vulnerabilities.
 
1) Vulnerability in FishEye user profile - display name: affects FishEye/Crucible 2.5.4 and earlier; fixed in FishEye/Crucible 2.5.5. See tracking issue http://jira.atlassian.com/browse/FE-3797.
 
2) Vulnerability in FishEye user profile - snippets in a user's comment: affects FishEye/Crucible 2.5.4 and earlier; fixed in FishEye/Crucible 2.5.5. See tracking issue http://jira.atlassian.com/browse/FE-3798.
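The two items above are both stored XSS in user-controlled profile text. The following Python example is added here to illustrate the class of bug; it is not FishEye/Crucible code and says nothing about how the product is implemented. The profile record, the in-memory store, the template and the parser-based check are all hypothetical. It shows the vulnerable rendering pattern beside the hardened one, and uses the HTML parser to detect when user text has become live markup.

```python
import html
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class UserProfile:
    """Hypothetical profile record; both text fields are user-controlled and persisted."""
    username: str
    display_name: str
    comment_snippet: str


class ProfileStore:
    """Constructed in-memory stand-in for the application database. Whatever is
    saved here is later rendered to every visitor, which is what makes the flaw
    *stored* rather than reflected XSS."""

    def __init__(self) -> None:
        self._rows = {}

    def save(self, profile: UserProfile) -> None:
        self._rows[profile.username] = profile

    def get(self, username: str) -> UserProfile:
        return self._rows[username]


PROFILE_TEMPLATE = '<h1>{display_name}</h1>\n<p class="snippet">{comment_snippet}</p>'


def render_profile_unsafe(profile: UserProfile) -> str:
    """Vulnerable pattern: raw user text is spliced into the page, so a display
    name containing markup becomes live markup for whoever views the profile."""
    return PROFILE_TEMPLATE.format(
        display_name=profile.display_name,
        comment_snippet=profile.comment_snippet,
    )


def render_profile_safe(profile: UserProfile) -> str:
    """Hardened form: every user-controlled value is HTML-escaped at the point
    where it is written into the HTML text context. quote=True also escapes
    quote characters, so the same helper is safe inside quoted attributes."""
    return PROFILE_TEMPLATE.format(
        display_name=html.escape(profile.display_name, quote=True),
        comment_snippet=html.escape(profile.comment_snippet, quote=True),
    )


class _TagCollector(HTMLParser):
    """Records every start tag a browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    """Parse rendered HTML and return its tags in document order."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


EXPECTED_TEMPLATE_TAGS = ("h1", "p")


def injected_tags(markup: str) -> list:
    """Tags in the rendered page that the template itself did not emit.
    A non-empty result means user text was interpreted as HTML."""
    return [t for t in tags_in(markup) if t not in EXPECTED_TEMPLATE_TAGS]


def demo() -> tuple:
    """Constructed sample: a profile whose display name carries a script tag."""
    store = ProfileStore()
    store.save(UserProfile(
        username="mallory",
        display_name="Mallory <script>alert(1)</script>",
        comment_snippet="see my <b>latest</b> review",
    ))
    viewed = store.get("mallory")  # rendered for any visitor of the profile page
    return injected_tags(render_profile_unsafe(viewed)), injected_tags(render_profile_safe(viewed))


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe render injects:", unsafe)  # ['script', 'b']
    print("safe render injects:", safe)      # []
```

The check in `injected_tags` is a useful regression test to keep next to any template that renders profile fields: it fails the moment a new field is added to the page without going through `html.escape` (or the template engine's auto-escaping).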
 
Risk Mitigation -- We recommend that you upgrade your FishEye/Crucible installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your instance as a temporary mitigation until you have applied the upgrade. For tighter access control, you can restrict access to trusted groups.
 
Fix -- FishEye/Crucible 2.5.5 and later versions fix two of these issues. View the issues linked above for information on fix versions. You can download the latest versions of FishEye and Crucible from the download centre (FishEye: http://www.atlassian.com/software/fisheye/FishEyeDownloadCenter.jspa; Crucible: http://www.atlassian.com/software/crucible/CrucibleDownloadCenter.jspa). There are no patches available to fix these vulnerabilities. You must upgrade your FishEye/Crucible installation.
 
*Permission Verification Vulnerabilities*
 
Severity -- Atlassian rates the severity level of these vulnerabilities as medium, according to the scale published in http://confluence.atlassian.com/display/FISHEYE/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, medium or low. These vulnerabilities are not critical.
 
Risk Assessment -- We have identified and fixed two permission verification bugs which affect FishEye/Crucible instances, including publicly available instances (that is, internet-facing servers). These vulnerabilities allow users to view, via tooltips, metadata for changesets and reviews from repositories/projects that they do not have access to.
 
Vulnerabilities -- The list below describes the FishEye/Crucible versions and the specific functionality affected by the vulnerabilities.
 
1) Vulnerability in FishEye changeset tooltips: affects FishEye 2.4.6 to 2.5.6; fixed in FishEye 2.5.7. See tracking issue http://jira.atlassian.com/browse/FE-3811.
 
2) Vulnerability in Crucible review tooltips: affects Crucible 2.4.6 to 2.5.6; fixed in Crucible 2.5.7. See tracking issue http://jira.atlassian.com/browse/CRUC-5811.
 
Risk Mitigation -- We recommend that you upgrade your FishEye/Crucible installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable anonymous access to your instance. Logged-in users will still be able to view metadata that they do not have permission to view, but anonymous users will be prevented from accessing this information.
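The following Python example is added to illustrate the permission verification problem and the limit of the mitigation just described. It is not Atlassian code and does not reflect how the real tooltip endpoints were implemented; the repository model, the users, the changesets and the handler functions are all constructed. It contrasts a tooltip handler that enforces only the instance-wide login requirement with one that applies the per-repository permission check, and shows that disabling anonymous access blocks anonymous viewers but not logged-in users who lack repository access.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for "not logged in"; every name below is hypothetical.
ANONYMOUS = None


@dataclass(frozen=True)
class Repository:
    name: str
    readers: frozenset          # logged-in users allowed to browse the repository
    anonymous_readable: bool    # whether anonymous users may browse it


@dataclass(frozen=True)
class Changeset:
    repo: str
    csid: str
    author: str
    message: str


# Constructed sample data: one repository open to anonymous users, one restricted to alice.
REPOS = {
    "public-docs": Repository("public-docs", frozenset({"alice", "bob"}), anonymous_readable=True),
    "secret-proj": Repository("secret-proj", frozenset({"alice"}), anonymous_readable=False),
}
CHANGESETS = {
    ("public-docs", "def456"): Changeset("public-docs", "def456", "bob", "Fix typo in README"),
    ("secret-proj", "abc123"): Changeset("secret-proj", "abc123", "alice", "Rotate signing key"),
}


def can_view_repo(user: Optional[str], repo_name: str, anonymous_access: bool) -> bool:
    """Per-repository permission check. anonymous_access models the
    instance-wide 'allow anonymous access' setting the advisory refers to."""
    repo = REPOS.get(repo_name)
    if repo is None:
        return False
    if user is ANONYMOUS:
        return anonymous_access and repo.anonymous_readable
    return user in repo.readers


def _tooltip_payload(cs: Changeset) -> dict:
    # The metadata a hover tooltip would display.
    return {"author": cs.author, "message": cs.message}


def changeset_tooltip_unpatched(user, repo_name, csid, anonymous_access=True):
    """Vulnerable pattern: the tooltip endpoint enforces only the instance-wide
    login requirement and never asks whether this user may see this repository,
    so metadata is returned to anyone who can reach the endpoint."""
    if user is ANONYMOUS and not anonymous_access:
        return None  # login required
    cs = CHANGESETS.get((repo_name, csid))
    return None if cs is None else _tooltip_payload(cs)


def changeset_tooltip_patched(user, repo_name, csid, anonymous_access=True):
    """Fixed form: the same repository permission check that guards the full
    changeset page runs before any metadata is serialised. A denied request
    gets the same empty response as an unknown changeset, so the endpoint
    does not confirm which changesets exist."""
    if not can_view_repo(user, repo_name, anonymous_access):
        return None
    cs = CHANGESETS.get((repo_name, csid))
    return None if cs is None else _tooltip_payload(cs)


def leak_matrix(handler, anonymous_access=True) -> dict:
    """Which viewers receive the restricted changeset's tooltip under a handler."""
    return {
        viewer or "anonymous": handler(viewer, "secret-proj", "abc123", anonymous_access) is not None
        for viewer in (ANONYMOUS, "bob", "alice")
    }


if __name__ == "__main__":
    print("unpatched, anonymous access on :", leak_matrix(changeset_tooltip_unpatched))
    print("unpatched, anonymous access off:", leak_matrix(changeset_tooltip_unpatched, False))
    print("patched                        :", leak_matrix(changeset_tooltip_patched))
```

The second `leak_matrix` line is the mitigation: with anonymous access disabled the unpatched handler still hands the restricted metadata to `bob`, who is logged in but has no access to `secret-proj`. Only the patched handler, which reuses the repository check for the auxiliary endpoint, denies him while still serving `alice`.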
 
Fix -- FishEye and Crucible 2.5.7 and later versions fix these two issues. View the issues linked above for information on earlier fix versions for each issue. For a full description of this release, see the FishEye 2.5 changelog (http://confluence.atlassian.com/display/FISHEYE/Fisheye+2.5+Changelog) and Crucible 2.5 Changelog (http://confluence.atlassian.com/display/CRUCIBLE/Crucible+2.5+Changelog). You can download the latest version of FishEye and Crucible from the download centres (FishEye: http://www.atlassian.com/software/fisheye/FishEyeDownloadCenter.jspa; Crucible: http://www.atlassian.com/software/crucible/CrucibleDownloadCenter.jspa). There are no patches available to fix these vulnerabilities. You must upgrade your FishEye/Crucible installation.
 
Securely yours,
 
Atlassian