Backdoor Discovered In Atlassian Crowd
An anonymous reader writes "Recently published on the Command Five website is a technically detailed threat advisory (PDF) in relation to a recurring vulnerability in Atlassian Crowd. Tucked away inconspicuously at the end of this document in a section entitled 'Unpatched Vulnerabilities' is the real security bombshell: Atlassian's turnkey solution for enterprise single sign-on and secure user authentication contains an unpatched backdoor. The backdoor allows anyone to remotely take full control of a Crowd server and, according to Command Five, successful exploitation 'invariably' results in compromise of all application and user credentials as well as accessible data storage, configured directories (for example Active Directory), and dependent systems."
They make Jira and Confluence... 2 applications that are widely used by some IS departments to manage their work. Jira, for example, is an application for tracking software development, deployment and bugs. It's basically a ticketing system for programmers. You can track who created what, which bugs showed up in it later, who fixed them, how long all that took, etc...
I'm not sure how many people are using their LDAP/SSO stuff though. There are a lot bigger (and clearly more trustworthy) providers in town.
... So when they repeatedly state that the built-in database is for evaluation purposes ONLY and that usage of it may result in data corruption or loss ... on EVERY ADMIN PAGE UNTIL YOU SWITCH OFF OF the built-in database, that wasn't enough of a warning for you?
I'm not sure how much more warning you can get, short of them corrupting your database intentionally on a daily basis so you get the point sooner.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I work for Atlassian and the author has not yet disclosed the vulnerability described in the "UNPATCHED VULNERABILITIES" section to us.
Atlassian provides source code for most of our products (including Crowd) to paying customers. We would never deliberately build a backdoor into any of our products and I personally would never work for a company that would do that.