Atlassian plugs XML parsing vulnerability

Denies reports of a second vuln

Internet Security Threat Report 2014

Cloud provider Atlassian has moved to patch what a security researcher describes as a backdoor in its enterprise single sign-on Crowd service.

However, the company is disputing Command Five's assertion that a second, as-yet-unpatched vulnerability remains.

Command Five's advisory states that XML DTD (document type definition) parsing gave attackers a means to “retrieve files from the target network, make HTTP requests on the target network, or carry out a Denial of Service attack.”

As the advisory explains, “XML can contain entities that are placeholders for other content”, and these could be exploited to replace a URL generated by Crowd with a path to other locations on the target network. The advisory gives various examples of possible attacks, including:

  • HTTP request relay – getting the Crowd server to perform HTTP requests against itself. Since these appear to be requests from localhost, the attacker can bypass Crowd's trusted proxy and remote address validation rules.
  • Remote file retrieval – an attacker could craft a URL providing access to any file accessible to the Crowd server.
  • Denial of service – using nested XML entities in the DTD header of a SOAP request.

As Command Five noted, Atlassian has released upgraded software that addresses these vulnerabilities. A company spokesperson told The Register “In June, we had already identified and patched the first vulnerability (which the author labeled CVE-2013-3925) in a maintenance release of Crowd.”

What remains at issue, however, is this statement at the end of the Command Five advisory:

“Command Five is aware of at least one other critical vulnerability in Atlassian Crowd (CVE-2013-3926, CVSS 10) which remains unpatched at the time of writing (version 2.6.3). The vulnerability allows unauthenticated remote parties to take full control of any Crowd server to which they are able to make a network connection.”

Atlassian denied this, telling The Register: “We've been unable to substantiate the existence of the second alleged vulnerability, designated CVE-2013-3926. The author of the report has not contacted Atlassian, making it difficult to validate the claim.

“While we've been unable to confirm the existence of the second vulnerability, we take it seriously and have reached out to the author directly for more details. If we can confirm there is a vulnerability, a patch will be issued and all Crowd customers will be emailed details for how to update.” ®

Remote control for virtualized desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story


Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.