Slashdot Mirror

← Back to Stories (view on slashdot.org)

Backdoor Discovered In Atlassian Crowd

Posted by timothy on from the your-gate-is-up dept.

An anonymous reader writes "Recently published on the Command Five website is a technically detailed threat advisory (PDF) in relation to a recurring vulnerability in Atlassian Crowd. Tucked away inconspicuously at the end of this document in a section entitled 'Unpatched Vulnerabilities' is the real security bombshell: Atlassian's turnkey solution for enterprise single sign-on and secure user authentication contains an unpatched backdoor. The backdoor allows anyone to remotely take full control of a Crowd server and, according to Command Five, successful exploitation 'invariably' results in compromise of all application and user credentials as well as accessible data storage, configured directories (for example Active Directory), and dependent systems."

3 of 133 comments (clear)

  1. Huh? by TubeSteak · · Score: 5, Interesting

    What is Atlassian Crowd, where is it used, how does this effect me, why should I care?
    Did I miss any important questions?

    --
    [Fuck Beta]
    o0t!
  2. Not surprising by _merlin · · Score: 5, Interesting

    Atlassian has absolute contempt for their paying customers. Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users. JIRA and Crucible use some monstrosity of JavaScript that causes lag when typing into intput fields, and certain versions clash with Ghostery in a way that causes certain characters (e.g. spaces) to be swallowed. It's sad, but it doesn't surprise me at all that they don't care about security in an authentication system.

    1. Re:Not surprising by CrankyFool · · Score: 4, Interesting

      It may be a factor of whether you're talking as a user or as an administrator.

      I can't speak authoritatively to JIRA as a product I'm responsible for -- I never owned a JIRA installation (well, not one with significant volume) -- but I use JIRA, and we use JIRA here, for a whole crapton of things from change tickets to production emergency handling, to task handling, to all development tasks. As a software engineer, and a software engineering manager, I love it -- and so do most of the other users we have here.

      It helps that we think of this kind of stuff as something you should actually invest in, and we have someone who probably has about 50% of his time dedicated to making JIRA run and making it work better for us. I've always found that bug/defect/issue/task tracking systems are better, and make their users happier, when they have a champion who's allowed to invest real resources in their care and feeding.