Atlassian has announced that Crowd Server and Crowd Data Center may be at risk after a security issue was identified. Below you will find information on the issue disclosed by Atlassian, which versions are affected, and how to confirm whether your own installation is among them.
Atlassian disclosed a critical severity security vulnerability that was introduced in version 2.1.0 of Crowd and Crowd Data Center. The following versions are affected:
All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x).
Atlassian advises customers to upgrade their Crowd or Crowd Data Center installations immediately to fix this vulnerability.
We have taken the following steps to address this issue:
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Crowd, see the release notes. You can download the latest version of Crowd from the Atlassian download center.
Upgrade Crowd to version 3.4.4 or higher.
If you cannot upgrade Crowd to version 3.4.4 or higher, upgrade to the bugfix release for the version line you are running:

If you are running version | then upgrade to bugfix version
---|---
2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.6, 2.8.7, 2.8.8, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4 | 3.0.5
3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5 | 3.1.6
3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7 | 3.2.8
3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4 | 3.3.5
If you cannot upgrade right away, the issue can be mitigated by stopping Crowd, removing the pdkinstall plugin jar from the atlassian-bundled-plugins.zip archive in the installation directory, removing any already-deployed copy of the plugin from the Crowd data directory, and then starting Crowd again. After the restart, confirm that no pdkinstall-plugin file has reappeared in the data directory.
The following bash script can be used to apply the above mitigation on Linux systems:
```bash
#!/bin/bash
set -u

INSTALLATION_DIRECTORY= # set this to where crowd is installed
DATA_DIRECTORY=         # set this to the crowd data directory

if [ -z "$INSTALLATION_DIRECTORY" ]
then
    echo "Please set INSTALLATION_DIRECTORY"
    exit 1
fi

if [ -z "$DATA_DIRECTORY" ]
then
    echo "Please set DATA_DIRECTORY"
    exit 1
fi

if ! test -d "$DATA_DIRECTORY"; then
    echo "Please check that DATA_DIRECTORY is correct."
    exit 1
fi

if test -f "$INSTALLATION_DIRECTORY/stop_crowd.sh"; then
    echo "Stopping Crowd"
    "$INSTALLATION_DIRECTORY/stop_crowd.sh" > /dev/null

    # Remove the pdkinstall plugin jar from the bundled-plugins archive
    find "$INSTALLATION_DIRECTORY" -iname 'atlassian-bundled-plugins.zip' -exec zip -d {} 'pdkinstall-plugin-*.jar' \;
    # You should see something like "deleting: pdkinstall-plugin-0.4.jar" after the above find command has run

    # Remove any already-deployed copy of the plugin from the data directory
    find "$DATA_DIRECTORY" -iname 'pdkinstall-plugin*' -exec rm {} \;

    echo "Starting Crowd"
    if test -f "$INSTALLATION_DIRECTORY/start_crowd.sh"; then
        "$INSTALLATION_DIRECTORY/start_crowd.sh"
        sleep 60
        # After the restart the plugin must not have been redeployed from the bundle
        find "$DATA_DIRECTORY" -iname 'pdkinstall-plugin*' -exec echo "Failed to apply the mitigation - {} still exists" \;
    else
        echo "Failed to start crowd"
    fi
else
    echo "Unable to stop crowd, please ensure that you have specified the correct installation directory."
fi
```
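To help confirm where an installation stands before and after running the mitigation, the following POSIX shell script is an added example (it is not Atlassian's or GLiNTECH's code). It encodes the five affected version ranges from the advisory above as a single check, so it covers every affected line rather than just one, and it reports whether the pdkinstall plugin jar is still bundled in atlassian-bundled-plugins.zip or still deployed under the data directory. It assumes you supply the Crowd version string yourself, and that `unzip` is on the PATH for listing the archive; the directory arguments are the same installation and data directories the mitigation script uses.

```shell
#!/bin/sh
# Added example (not Atlassian's or GLiNTECH's script): check whether a Crowd
# version string falls inside one of the affected ranges listed in the advisory,
# and whether the pdkinstall plugin jar is still present in an installation.
# Assumes: a version string supplied by the operator, and `unzip` on PATH for
# listing the bundled-plugins archive.
set -u

# ver_num "M.m.p" -> single integer so versions compare with -ge / -lt.
# Components are assumed to be below 1000; missing components count as 0.
ver_num() {
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# in_range V LOW HIGH: true when LOW <= V < HIGH
in_range() {
    _v=$(ver_num "$1"); _lo=$(ver_num "$2"); _hi=$(ver_num "$3")
    [ "$_v" -ge "$_lo" ] && [ "$_v" -lt "$_hi" ]
}

# crowd_affected VERSION: true when VERSION is in an affected range
# (the five ranges are the ones stated in the advisory text above).
crowd_affected() {
    in_range "$1" 2.1.0 3.0.5 && return 0
    in_range "$1" 3.1.0 3.1.6 && return 0
    in_range "$1" 3.2.0 3.2.8 && return 0
    in_range "$1" 3.3.0 3.3.5 && return 0
    in_range "$1" 3.4.0 3.4.4 && return 0
    return 1
}

# pdkinstall_present INSTALL_DIR DATA_DIR: true when the plugin jar is still
# inside atlassian-bundled-plugins.zip or deployed under the data directory,
# i.e. the mitigation has not been (fully) applied.
pdkinstall_present() {
    if find "$1" -iname 'atlassian-bundled-plugins.zip' -exec unzip -l {} \; 2>/dev/null \
        | grep -q 'pdkinstall-plugin'; then
        return 0
    fi
    if find "$2" -iname 'pdkinstall-plugin*' 2>/dev/null | grep -q .; then
        return 0
    fi
    return 1
}

# Usage: sh crowd_check.sh VERSION [INSTALL_DIR DATA_DIR]
if [ -n "${1:-}" ]; then
    if crowd_affected "$1"; then
        echo "Crowd $1 is in an affected range: upgrade, or apply the mitigation"
    else
        echo "Crowd $1 is not in an affected range"
    fi
    if [ -n "${3:-}" ]; then
        if pdkinstall_present "$2" "$3"; then
            echo "pdkinstall plugin still present: mitigation not applied"
        else
            echo "pdkinstall plugin not found"
        fi
    fi
fi
```

Run it once before the mitigation to record the starting state and once after the restart; a version inside an affected range combined with "pdkinstall plugin not found" is the state the mitigation script is meant to leave you in until you can upgrade.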
Don't forget to reach out to the GLiNTECH team if you have any questions or concerns about your own Atlassian software.