Security Alert: Atlassian FishEye/Crucible 2.0 to 2.7.8 affected

Subject:   Security Alert: Atlassian FishEye/Crucible 2.0 to 2.7.8 affected
From:   Atlassian <noreply at mailer dot atlassian dot com>
Date:   31 January 2012 19:15

Dear customers,
 
We are writing to inform you of a recently discovered security vulnerability in Atlassian FishEye and Crucible. This security vulnerability is rated as CRITICAL. To fix this vulnerability, you should follow the instructions in the security advisory below. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. Neither JIRA Studio nor Atlassian OnDemand are vulnerable to any of the issues described in this advisory.
 
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to http://confluence.atlassian.com/display/CRUCIBLE/FishEye+and+Crucible+Security+Advisory+2012-01-31.
 
If you have any questions or concerns about this security vulnerability or about our policy of disclosure of security vulnerabilities, please visit our page on Atlassian Security Policies (http://confluence.atlassian.com/display/Support/Atlassian+Security+Policies) or raise a support request at http://support.atlassian.com/.
 
 
*** Security Advisory ***
 
This advisory discloses a CRITICAL security vulnerability that we have found in versions of FishEye and Crucible from 2.0 up to and including 2.7.8. You need to upgrade your existing FishEye and Crucible installations to fix these vulnerabilities. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com/ in the "Enterprise Hosting Support" project. Neither FishEye nor Crucible in Studio and Atlassian OnDemand are vulnerable to any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
 
 
*Code Injection Vulnerability*
 
  - Severity -- Atlassian rates the severity level of this vulnerability as CRITICAL, according to the scale published in Severity Levels for Security Issues (http://confluence.atlassian.com/display/CRUCIBLE/Severity+Levels+for+Security+Issues). The scale allows us to rank the severity as critical, high, medium or low.
 
  - Description -- We have identified and fixed a code injection vulnerability in FishEye and Crucible caused by an underlying vulnerability in the third-party Webwork 2 framework. This vulnerability allows an attacker to run arbitrary Java code on a FishEye/Crucible server with the user privileges of the FishEye/Crucible process. This vulnerability is a variant of a recently disclosed Struts2 vulnerability (https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt). The vulnerability exists in pages of FishEye and Crucible accessible only by users with administrative privileges. It can be exploited through social engineering, e.g. by having the administrator click on a specially crafted link. The maintainer of the original library can be contacted at http://struts.apache.org/.
 
  - Vulnerability -- The list below describes the FishEye and Crucible versions and the specific functionality affected by the command injection vulnerability:
 
  1) Command injection vulnerability: affects FishEye and Crucible versions 2.0 up to and including 2.7.8; fixed in versions 2.6.7 and 2.7.9. See tracking issue FE-3891 (https://jira.atlassian.com/browse/FE-3891).
 
  - Risk Mitigation -- We recommend that you upgrade your FishEye and Crucible installations to fix this vulnerability. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to your instance of FishEye/Crucible by using a firewall.
 
  - Fix -- FishEye and Crucible 2.6.7, 2.7.9 and later versions fix this issue. View the tracking issue above for information on fix versions. For a full description of the latest version of FishEye and Crucible, see the FishEye (http://confluence.atlassian.com/display/FISHEYE/FishEye+Release+Notes) and Crucible (http://confluence.atlassian.com/display/CRUCIBLE/Crucible+Release+Notes) release notes. You can download the latest versions from the FishEye (http://www.atlassian.com/software/fisheye/FishEyeDownloadCenter.jspa) and Crucible (http://www.atlassian.com/software/crucible/CrucibleDownloadCenter.jspa) download centres. There are no patches available for these issues.
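As an added example, not part of Atlassian's advisory: a small Python check that applies the version statements above (affected from 2.0 up to and including 2.7.8; fixed in 2.6.7, 2.7.9 and later) to an inventory of installations, so the hosts needing an upgrade can be listed. The version parser, the treatment of 2.6.x releases at or above 2.6.7 as fixed, and the sample inventory are assumptions of this example.

```python
# Added example (not from the Atlassian advisory): decide whether a given
# FishEye/Crucible version string is inside the range the advisory names as
# affected (2.0 up to and including 2.7.8) or already carries the fix
# (2.6.7 on the 2.6 branch, 2.7.9 on the 2.7 branch, and later versions).
# The parser and the per-branch fix handling are assumptions of this example.
from __future__ import annotations
import re

AFFECTED_MIN = (2, 0, 0)   # first affected version per the advisory
AFFECTED_MAX = (2, 7, 8)   # last affected version per the advisory
# Fix versions as published: one per maintained branch (major, minor).
FIX_VERSIONS = {(2, 6): (2, 6, 7), (2, 7): (2, 7, 9)}

def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; patch defaults to 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected(version: str) -> bool:
    """True when the version is within 2.0..2.7.8 and does not carry the fix.

    Edge case: 2.6.7 and 2.6.8 sit numerically inside the affected range, but
    the 2.6 branch was fixed in 2.6.7, so they are reported as not affected.
    """
    v = parse_version(version)
    if v < AFFECTED_MIN or v > AFFECTED_MAX:
        return False                      # pre-2.0, or 2.7.9 and later
    fix = FIX_VERSIONS.get(v[:2])
    if fix is not None and v >= fix:
        return False                      # fixed release on this branch
    return True

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version inventory into hosts to upgrade and the rest."""
    report: dict[str, list[str]] = {"upgrade": [], "ok": []}
    for host, version in inventory.items():
        report["upgrade" if is_affected(version) else "ok"].append(host)
    return report

if __name__ == "__main__":
    # Constructed sample inventory; the host names are placeholders.
    sample = {"fisheye-a": "2.7.8", "crucible-b": "2.6.7",
              "fisheye-c": "2.7.9", "legacy-d": "1.6.5"}
    print(triage(sample))
```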
 
Securely yours,
 
Atlassian