Dear customers,
We are writing to inform you of a recently discovered security vulnerability in Atlassian FishEye and Crucible. This security vulnerability is rated as CRITICAL. To fix this vulnerability, you should follow the instructions in the security advisory below. Enterprise Hosted customers should request an upgrade by raising a support request at
http://support.atlassian.com. Neither JIRA Studio nor Atlassian OnDemand are vulnerable to any of the issues described in this advisory.
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to
http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17.
If you have any questions or concerns about this security vulnerability or about our policy of disclosure of security vulnerabilities, please visit our page on Atlassian Security Policies (
http://confluence.atlassian.com/display/Support/Atlassian+Security+Policies) or raise a support request at
http://support.atlassian.com/.
*** Security Advisory ***
This advisory discloses a critical security vulnerability that exists in all versions of FishEye and Crucible up to and including 2.7.11.
* Customers who have downloaded and installed FishEye or Crucible should upgrade their existing FishEye and Crucible installations to fix this vulnerability.
* Enterprise Hosted customers need to request an upgrade by raising a support request at
http://support.atlassian.com/ in the "Enterprise Hosting Support" project.
* JIRA Studio and Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at
http://support.atlassian.com/.
*Critical XML Parsing Vulnerability*
Severity -- Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues (see
http://confluence.atlassian.com/display/FISHEYE/Severity+Levels+for+Security+Issues). The scale allows us to rank the severity as critical, high, medium or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description -- We have identified and fixed a vulnerability in FishEye and Crucible that results from the way third-party XML parsers are used in FishEye and Crucible. This vulnerability allows an attacker to:
* execute denial of service attacks against the FishEye and Crucible server, and
* read all local files readable to the system user under which FishEye and Crucible runs.
An attacker does not need to have an account with the affected FishEye or Crucible server to exploit this vulnerability. All versions of FishEye and Crucible up to and including 2.7.11 are affected by this vulnerability. This issue can be tracked here:
https://jira.atlassian.com/browse/FE-4016
Risk Mitigation -- We recommend that you upgrade your FishEye and Crucible installation to fix this vulnerability. Alternatively, if you are not in a position to upgrade immediately, you should do all of the following until you can upgrade. Please note, these measures will only limit the impact of the vulnerability, they will not mitigate it completely.
* Disable access to the Remote, SOAP and XML-RPC APIs, if these remote APIs are not required. Note that remote API access is disabled by default. See
http://confluence.atlassian.com/display/FISHEYE/Disabling+or+Enabling+a+Plugin for instructions.
* Disable public access, such as anonymous access (see
http://confluence.atlassian.com/display/FISHEYE/Configuring+Anonymous+Access) and public signup (
http://confluence.atlassian.com/display/FISHEYE/Configuring+Public+Signup) to your FishEye or Crucible instance until you have applied the necessary upgrade.
* Ensure that your FishEye/Crucible system user is restricted as described in best practices for configuring FishEye security (
http://confluence.atlassian.com/display/FISHEYE/Best+Practices+for+Configuring+FishEye+Security).
Fix
Upgrade - Upgrade to FishEye and Crucible 2.7.12 or later, which fixes this vulnerability. For a full description of these releases, see the FishEye release notes (
http://confluence.atlassian.com/display/FISHEYE/FishEye+Release+Notes) and the Crucible release notes (
http://confluence.atlassian.com/display/CRUCIBLE/Crucible+Release+Notes). The following releases have also been made available to fix these issues in older FishEye and Crucible versions. You can download these versions from the FishEye download centre (
http://www.atlassian.com/software/fisheye/FishEyeDownloadCenter.jspa) and the Crucible download centre (
http://www.atlassian.com/software/crucible/CrucibleDownloadCenter.jspa).
* FishEye and Crucible 2.6.8 for FishEye and Crucible 2.6.
* FishEye and Crucible 2.5.8 for FishEye and Crucible 2.5.
Patches - There are no patches available for this vulnerability.
Securely yours,
Atlassian