21 May 2019
Security Issues for Crowd Server and Crowd Data Center
Atlassian has announced that Crowd Server and Crowd Data Center may be at risk after security issues were detected. Below you will find information on each security issue identified by Atlassian, as well as confirmation of whether the versions you run are affected.
Summary of Vulnerability
Atlassian disclosed a critical severity security vulnerability that was introduced in version 2.1.0 of Crowd and Crowd Data Center. The following versions of Crowd and Crowd Data Center are affected:
- from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x),
- from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),
- from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x),
- from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and
- from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x).
Atlassian advises customers to upgrade their Crowd or Crowd Data Center installations immediately to fix this vulnerability.
All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
Atlassian's suggested fix
We have taken the following steps to address this issue:
- Released Crowd and Crowd Data Center version 3.4.4, which contains a fix for this issue and can be downloaded from https://www.atlassian.com/software/crowd/download
- Released Crowd and Crowd Data Center versions 3.0.5, 3.1.6, 3.2.8, and 3.3.5, which contain a fix for this issue and can be downloaded from https://www.atlassian.com/software/crowd/download-archive
What Atlassian advises you to do
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Crowd, see the release notes. You can download the latest version of Crowd from the Download Center.
Upgrade Crowd to version 3.4.4 or higher.
If you cannot upgrade Crowd to version 3.4.4 or higher
If you are running one of the versions below, upgrade to the bugfix version shown for that release line:
- 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.6, 2.8.7, 2.8.8, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4: upgrade to 3.0.5
- 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5: upgrade to 3.1.6
- 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7: upgrade to 3.2.8
- 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4: upgrade to 3.3.5
If you cannot upgrade immediately, Atlassian advises the following steps to mitigate the risk.
This issue can be mitigated by doing the following:
- Stop Crowd
- Find and delete any pdkinstall-plugin jar files from the Crowd installation directory and the data directory
- Remove the pdkinstall-plugin jar file from <Crowd installation directory>/crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip
- Start Crowd
- Check that there are no pdkinstall-plugin jar files in the installation directory or the data directory.
The following bash script can be used to apply the above mitigation on Linux systems:
#!/bin/bash
set -u
INSTALLATION_DIRECTORY= # set this to where crowd is installed
DATA_DIRECTORY= # set this to the crowd data directory

if [ -z "$INSTALLATION_DIRECTORY" ]
then
    echo "Please set INSTALLATION_DIRECTORY"
    exit 1
fi

if [ -z "$DATA_DIRECTORY" ]
then
    echo "Please set DATA_DIRECTORY"
    exit 1
fi

# The data directory must be an existing directory, not a file or a mistyped path
if [ ! -d "$DATA_DIRECTORY" ]; then
    echo "Please check that DATA_DIRECTORY is correct."
    exit 1
fi

if test -f "$INSTALLATION_DIRECTORY/stop_crowd.sh"; then
    echo "Stopping Crowd"
    "$INSTALLATION_DIRECTORY/stop_crowd.sh" > /dev/null
    # Remove the plugin from the bundled-plugins archive so Crowd does not redeploy it on start
    find "$INSTALLATION_DIRECTORY" -iname 'atlassian-bundled-plugins.zip' -exec zip -d {} 'pdkinstall-plugin-*.jar' \;
    # You should see something like "deleting: pdkinstall-plugin-0.4.jar" after the above find command has run
    # Remove any already-deployed copies from the installation directory and the data directory (steps 2 and 3 above)
    find "$INSTALLATION_DIRECTORY" "$DATA_DIRECTORY" -iname 'pdkinstall-plugin*' -exec rm {} \;
    echo "Starting Crowd"
    if test -f "$INSTALLATION_DIRECTORY/start_crowd.sh"; then
        "$INSTALLATION_DIRECTORY/start_crowd.sh"
        sleep 60
        # Verify the plugin was not unpacked again after Crowd started (step 5 above)
        find "$INSTALLATION_DIRECTORY" "$DATA_DIRECTORY" -iname 'pdkinstall-plugin*' -exec echo "Failed to apply the mitigation - {} still exists" \;
    else
        echo "Failed to start crowd"
    fi
else
    echo "Unable to stop crowd, please ensure that you have specified the correct installation directory."
fi
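The following is an added example, not Atlassian's mitigation script and not GLiNTECH code, of two checks an administrator would want around that procedure: `crowd_version_affected` tests a Crowd version string against all five affected ranges listed in the summary above (so it generalizes the version table to any `major.minor.patch` value), and `audit_pdkinstall` scans the installation and data directories for leftover pdkinstall-plugin jars, both loose on disk and still packed inside `atlassian-bundled-plugins.zip`, which is what the last mitigation step asks you to confirm. It assumes POSIX `sh` with `find`, `unzip` and `sed` available; the directory paths in the usage comment are placeholders, not paths taken from the advisory.

```shell
#!/bin/sh
# Added example (not Atlassian's or GLiNTECH's script): version-range check and
# post-mitigation audit for the Crowd pdkinstall-plugin issue described above.

# Affected ranges from the advisory, written "lower:fixed":
# lower bound inclusive, fixed version exclusive.
AFFECTED_RANGES="2.1.0:3.0.5 3.1.0:3.1.6 3.2.0:3.2.8 3.3.0:3.3.5 3.4.0:3.4.4"

# Turn "major.minor.patch" into one integer so ranges compare numerically
# (2.10.4 must sort after 2.9.7, which a plain string compare gets wrong).
version_key() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit status 0 if the version falls in an affected range, 1 otherwise.
crowd_version_affected() {
  key=$(version_key "$1")
  for range in $AFFECTED_RANGES; do
    lo=$(version_key "${range%%:*}")
    hi=$(version_key "${range##*:}")
    if [ "$key" -ge "$lo" ] && [ "$key" -lt "$hi" ]; then
      return 0
    fi
  done
  return 1
}

# Report every pdkinstall-plugin jar under the given directories. Exit status 0
# means nothing was found; 1 means a copy remains and the mitigation is incomplete.
audit_pdkinstall() {
  found=0
  for dir in "$@"; do
    if [ ! -d "$dir" ]; then
      echo "not a directory, skipping: $dir" >&2
      continue
    fi
    # Copies already unpacked onto disk (plugin cache, data directory, ...)
    loose=$(find "$dir" -type f -iname 'pdkinstall-plugin*.jar')
    if [ -n "$loose" ]; then
      printf '%s\n' "$loose" | sed 's/^/loose jar: /'
      found=1
    fi
    # Copies still packed in the bundled-plugins archive that Crowd unpacks at startup
    for zipfile in $(find "$dir" -type f -iname 'atlassian-bundled-plugins.zip'); do
      if ! command -v unzip >/dev/null 2>&1; then
        echo "unzip not installed, cannot inspect $zipfile" >&2
        found=1   # cannot verify, so do not report the install as clean
      elif unzip -l "$zipfile" | grep -q 'pdkinstall-plugin'; then
        echo "bundled jar still inside: $zipfile"
        found=1
      fi
    done
  done
  return $found
}

# Usage with placeholder paths (replace with your own installation and data directories):
#   . ./crowd_pdkinstall_check.sh
#   crowd_version_affected 3.3.2 && echo "3.3.2 is affected, upgrade to 3.3.5"
#   audit_pdkinstall /opt/atlassian/crowd /var/atlassian/application-data/crowd
```

Run the audit once before the mitigation to record what is present, and again after Crowd has restarted (the script above waits 60 seconds for that): a non-zero exit on the second run means the archive still carried the plugin or a deployed copy survived, and the mitigation has to be repeated.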
Don't forget to reach out to the GLiNTECH team if you have any questions or concerns about your own Atlassian software.