Dear customers,
We are writing to inform you of a newly discovered security vulnerability that we have found in FishEye and Crucible and fixed in recent versions of both products.
* Customers who have downloaded and installed FishEye or Crucible should upgrade their existing FishEye and Crucible installations to fix this vulnerability.
* Enterprise Hosted customers need to request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project.
* Atlassian OnDemand and JIRA Studio customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory was discovered by Atlassian, unless noted otherwise. A reporter may also have requested that we not credit them.
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to https://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-08-21.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
*** Security advisory ***
*Elevation of privileges vulnerability*
Severity -- Atlassian rates the severity level of this vulnerability as Medium, according to the scale published in Severity Levels for Security Issues: https://confluence.atlassian.com/display/DOC/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description -- We have identified and fixed a vulnerability in FishEye and Crucible that results from the behaviour of certain third-party frameworks used in FishEye and Crucible. This vulnerability allows any attacker, without administrative rights, to change two instance-wide settings:
* set the FishEye and Crucible instance to allow anonymous access
* set the FishEye and Crucible instance to allow anonymous signup
All versions of FishEye and Crucible up to and including 2.7.14 are affected by this vulnerability, except for the backported fix releases 2.5.8 and 2.6.7 listed below. The vulnerability is fixed in FishEye and/or Crucible 2.7.15, 2.8.0 and later. This issue can be tracked at http://jira.atlassian.com/browse/FE-4222 and https://jira.atlassian.com/browse/CRUC-6188.
The list below indicates the versions of FishEye and/or Crucible affected by the Elevation of Privileges vulnerability and the fixed versions:
* FishEye and/or Crucible versions 2.5.x or earlier are affected, and are fixed in 2.5.8
* FishEye and/or Crucible versions 2.6.x are affected, and are fixed in 2.6.7
* FishEye and/or Crucible versions 2.7.x are affected, and are fixed in 2.7.15 and 2.8.0
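The version list above spells out one fix release per branch, but the comparison has to be done per branch, not against a single cut-off (2.6.7 is older than 2.7.14 yet already fixed). The following script is an added example, not Atlassian's own code: it encodes the fix versions exactly as the advisory states them and reports, for a given installed version string, whether the instance is affected and which is the smallest release that contains the fix. It assumes version strings of the form `MAJOR.MINOR[.PATCH]`, optionally followed by a suffix, and ignores that suffix; the function and variable names are the example's own.

```python
"""Check an installed FishEye/Crucible version against the 2012-08-21 advisory.

Added example, not part of the Atlassian advisory. The fix versions below are
copied from the advisory's version list; everything else is an assumption of
this script (in particular the accepted version-string format).
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Per-branch fix releases, as listed in the advisory.
FIXED_BY_BRANCH = {
    (2, 5): (2, 5, 8),
    (2, 6): (2, 6, 7),
    (2, 7): (2, 7, 15),
}
# First mainline release that carries the fix; everything from here on is fixed.
FIRST_FIXED_MAINLINE: Version = (2, 8, 0)

_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?\s*$")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][suffix]' into a comparable tuple.

    A missing PATCH counts as 0; any suffix such as '-beta1' is ignored
    (assumption: pre-release builds are treated like the release they name).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return (int(major), int(minor), int(patch) if patch is not None else 0)


def is_affected(text: str) -> bool:
    """True if the given version is affected by the elevation-of-privileges issue."""
    v = parse_version(text)
    if v >= FIRST_FIXED_MAINLINE:
        return False
    fixed_in_branch = FIXED_BY_BRANCH.get(v[:2])
    if fixed_in_branch is not None:
        # 2.5.x, 2.6.x and 2.7.x each have a backported fix release.
        return v < fixed_in_branch
    # Branches older than 2.5 have no fix release of their own: affected.
    return True


def recommended_upgrade(text: str) -> Optional[str]:
    """Smallest release containing the fix that is newer than the given version.

    Returns None when the version is already fixed. Atlassian recommends the
    latest release; this is only the minimal upgrade that closes the issue.
    """
    v = parse_version(text)
    if not is_affected(text):
        return None
    candidates = list(FIXED_BY_BRANCH.values()) + [FIRST_FIXED_MAINLINE]
    target = min(c for c in candidates if c > v)
    return ".".join(str(part) for part in target)


if __name__ == "__main__":
    # Constructed sample inputs, not real installations.
    for sample in ("2.4.3", "2.5.8", "2.6.6", "2.7.14", "2.7.15-beta2", "2.8.0", "3.0.1"):
        status = "AFFECTED" if is_affected(sample) else "fixed"
        print(f"{sample:14} {status:9} upgrade to: {recommended_upgrade(sample)}")
```

Run it with the version shown on your instance's administration page; an "AFFECTED" result means the instance should be upgraded (or cut off from the public Internet until it can be), and the printed target is the nearest release on your branch that contains the fix.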
Risk Mitigation -- If you cannot upgrade immediately, you can disable all access from the public Internet to your FishEye and/or Crucible instance to prevent external attacks. Note that this only blocks attackers outside your network; anyone who can still reach the instance can exploit the issue, so it is a stop-gap until you upgrade.
Fix -- Upgrade. The vulnerability and fix versions are described in the 'Description' section above. We recommend that you upgrade to the latest version of FishEye and/or Crucible, if possible. For a full description of the latest version of FishEye and Crucible, see the FishEye release notes (https://confluence.atlassian.com/display/FISHEYE/FishEye+Release+Notes) and Crucible release notes (https://confluence.atlassian.com/display/CRUCIBLE/Crucible+Release+Notes). You can download the latest version of FishEye and Crucible from the FishEye download center (http://www.atlassian.com/software/fisheye/download) and Crucible download center (http://www.atlassian.com/software/crucible/download).
There are no patches available.