lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAYo3Bst7TT1GcxEmEwe8gcXFMBqXzmPxVWfdt=ustgsuC7HTg@mail.gmail.com>
Date: Fri, 9 Feb 2018 12:12:39 +1100
From: David Black <dblack@...assian.com>
To: bugtraq@...urityfocus.com
Subject: Advisory - Fisheye and Crucible - CVE-2017-16861

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/iPQyO and
https://confluence.atlassian.com/x/h-QyO .


CVE ID:

* CVE-2017-16861.


Product: Fisheye and Crucible.

Affected Fisheye and Crucible product versions:

version < 4.4.5
4.5.0 <= version < 4.5.2


Fixed Fisheye and Crucible product versions:

* for 4.5.x, Fisheye 4.5.2 has been released with a fix for this issue.
* for 4.5.x, Crucible 4.5.2 has been released with a fix for this issue.
* for 4.4.x, Fisheye 4.4.5 has been released with a fix for this issue.
* for 4.4.x, Crucible 4.4.5 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability in Fisheye
and Crucible.
Versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x)
and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by this
vulnerability.



Customers who have upgraded their Fisheye and Crucible installations to
version 4.4.5 or 4.5.2 are not affected.

Customers who have downloaded and installed Fisheye or Crucible less than 4.4.5
(the fixed version for 4.4.x) or who have downloaded and installed Fisheye or
Crucible >= 4.5.0 but
less than 4.5.2 (the fixed version for 4.5.x) please upgrade your Fisheye and
Crucible installations immediately to fix this vulnerability.


Remote code execution through OGNL double evaluation (CVE-2017-16861)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

It was possible for double OGNL evaluation in certain redirect action and in
WebWork URL and Anchor tags in JSP files to occur. An attacker who can access
the web interface of Fisheye or Crucible or who hosts a website that a user
who can access the web interface of Fisheye or Crucible visits, is able to
exploit this vulnerability to execute Java code of their choice on systems
 that run a vulnerable version of Fisheye or Crucible.
Versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x)
and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by
this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/FE-6991 .


Fix:

To address this issue, we've released the following versions containing a fix:

* Fisheye version 4.5.2
* Fisheye version 4.4.5
* Crucible version 4.5.2
* Crucible version 4.4.5


Remediation:

Upgrade Fisheye and Crucible to version 4.5.2 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Fisheye or Crucible 4.4.x and cannot upgrade to 4.5.2,
upgrade to version 4.4.5.


For a full description of the latest version of Fisheye, see
the release notes found at
https://confluence.atlassian.com/display/FISHEYE/Fisheye+releases. You can
download the latest version of Fisheye from the download centre found at
https://www.atlassian.com/software/fisheye/download.


For a full description of the latest version of Crucible, see
the release notes found at
https://confluence.atlassian.com/display/CRUCIBLE/Crucible+releases. You can
download the latest version of Crucible from the download centre found at
https://www.atlassian.com/software/crucible/download.


Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.
-----BEGIN PGP SIGNATURE-----

iQI0BAEBCgAeBQJafPV0FxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8
UnagpA0P/3TVLzwWiv7wwRqnTyhkR9UucS9rz0szFH567oEWISGCXXN6uNLqzMKS
v9Eiw3xKIfeuk1kHy+QgamdVMugd4uUyUl1efDNURuAUDvbbA8BSJmQnElRU0bZ1
yLzdp6WYvc5gzV2ZvpjDi8FF9nXdQXoZWGFUzzRr9NNFmEo2KRJUkoxQNfiRnwX6
KV1koTWW7HeFVmwPNfPUL04CFPpZWrmZIwJTCnv5wojyzKW7tsegm8dIQsDVNplH
1r+KX/kpTYF2aVVEBDoqbKzKLVyYmjrKuMFw+O7CWncObYrM1y7317lVbG6/BylM
q715mR0tV4xJV8xgliRc1qd/hydcnc8DhhlV1cm1eNORX74/nLeOuWG85t8vu/Cq
5jOLnsbKaSc35iwBLNKrVEbM7mq0zzL4e7sbPqKfWmzoKoU6wwBffcbQI6AAP/pg
qtD3giHbxOJSiq9f4GczGxvnr0F2hZOhRbAg9ZzzdhvA9wZx/Bb3q1JDgG5U9vuw
puIes4ydBByoB/slTbPvg6DAutZLQ48iJITPfkzBGdXJ9ayMNJ4qSV5rV3T/94pe
VMLZ7K7RbqYFLoEXtbTPY7E5SHGLuWhcTOEJ4c/Pl7RJoj1zK8q0sagF/XB51KpR
FdA3TegZD3PrAvy970UGymrUdqoW3D6GEvFO0IXOXAT9f7Cgx/pZ
=dOdm
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ