Slashdot Mirror


Backdoor Discovered In Atlassian Crowd

An anonymous reader writes "Recently published on the Command Five website is a technically detailed threat advisory (PDF) in relation to a recurring vulnerability in Atlassian Crowd. Tucked away inconspicuously at the end of this document in a section entitled 'Unpatched Vulnerabilities' is the real security bombshell: Atlassian's turnkey solution for enterprise single sign-on and secure user authentication contains an unpatched backdoor. The backdoor allows anyone to remotely take full control of a Crowd server and, according to Command Five, successful exploitation 'invariably' results in compromise of all application and user credentials as well as accessible data storage, configured directories (for example Active Directory), and dependent systems."


  1. Huh? by TubeSteak · · Score: 5, Interesting

    What is Atlassian Crowd, where is it used, how does this affect me, why should I care?
    Did I miss any important questions?

    --
    [Fuck Beta]
    o0t!
    1. Re:Huh? by Anonymous Coward · · Score: 3, Informative

      Here comes the aeroplane spoon... open up the hangar!

      From the first page of the advisory:
      "Atlassian Crowd is marketed as a secure single signon (SSO) product for the enterprise and is designed to be incorporated into third party applications and systems"

    2. Re:Huh? by Anonymous Coward · · Score: 2, Informative

      Atlassian's turnkey solution for enterprise single sign-on and secure user authentication. Atlassian is a software vendor of modest relevance, producing Jira issue tracking and Confluence wiki software. I assume this would only be relevant if you run or rely on a system that uses Crowd for authentication. Where is it used? Where is any software package used?

    3. Re:Huh? by Luckyo · · Score: 3, Informative

      It appears to be some sort of software managing logins to sites. Their site cites their clientele to be a lot of major companies, such as facebook, twitter, hulu and netflix.

      I imagine if you have a backdoor into software that manages facebook's login systems, that's pretty damn major.

    4. Re:Huh? by DMUTPeregrine · · Score: 3, Informative

      Well, let's read the summary:
      "Atlassian's turnkey solution for enterprise single sign-on and secure user authentication"
      So Atlassian is some company, and it's a single sign-on/authentication system used in businesses.
      And it lets a remote attacker take control of the servers it runs on, and possibly other computers in the business (via Active Directory, which is Microsoft's system administration/management package.)

      --
      Not a sentence!
    5. Re:Huh? by Charliemopps · · Score: 4, Informative

      They make Jira and Confluence... 2 applications that are widely used by some IS departments to manage their work. Jira for example, is an application for tracking software development, deployment and bugs. It's basically a ticketing system for programmers. You can track who created what, which bugs showed up in it later, who fixed them, how long all that took, etc...

      I'm not sure how many people are using their LDAP/SSO stuff though. There are a lot bigger (and clearly more trustworthy) providers in town.

    6. Re:Huh? by Scarletdown · · Score: 3, Funny

      Must be the heat playing tricks on my brain. I thought the headline said Atlassian Cloud. And that was going to be the excuse to post about a backdoor discovered in a real cloud.

      --
      This space unintentionally left blank.
    7. Re:Huh? by Drakonblayde · · Score: 3, Informative

      All of the individual apps can be tied to AD (or another directory) directly. Crowd is pretty much what you use when you want single sign-on/centralized auth, but you don't want to deploy AD or go through the pain in the ass of setting up and maintaining your own LDAP server.

      I've also seen it used in large enterprises which have multiple authentication sources, the kind where systems just kind of creep, but no one wants to take the time (or risk the downtime) for consolidation. In that scenario, it's a lot easier to tie the apps to Crowd for authentication, and then you just need to manage authentication sources in Crowd, instead of individually on the apps.

      Atlassian actually makes some pretty good software, and their prices are reasonable for their starter kits to get used to it. My only gripe is that it's all pretty much Tomcat based

    8. Re:Huh? by flyingfsck · · Score: 4, Funny

      Well, they just made sure that *anyone* can sign on. It is a very convenient feature.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    9. Re:Huh? by I'm+New+Around+Here · · Score: 2

      > You must have missed this part

      > Even googled about it, but saw nothing informative

      In addition to the original poster and myself, I see several others posting either similar queries, or responses dismissive of this product. So don't act like I have to sign up for tech courses for this software before I comment on it.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    10. Re:Huh? by I'm+New+Around+Here · · Score: 2

      That's "Chinese", you insensitive crod. :P

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    11. Re:Huh? by Anonymous Coward · · Score: 2, Informative

      It's some Java bug tracker software which whenever someone uses for their project you get frustrated with (and some open source does use it since it's monetarily free for them but fairly expensive normally), and a wiki that nobody but big business uses and is very slow. The SSO lets people in the java world integrate standard technologies for federated identity (so that the apps don't need to store or know the username/password of the people using them).

    12. Re: Huh? by I'm+New+Around+Here · · Score: 2

      > You must have missed this part

      > Even googled about it, but saw nothing informative

      Having just googled again, I still see nothing that is actually informative from the top 10 results. Most point to Atlassian's site. They have the usual marketing blurb:

      Identity Management for Web Apps

      Finally, a single sign-on and user identity tool that's easy to use, administer, and integrate.

      Users can come from anywhere – Active Directory, LDAP, Crowd itself, or any mix thereof. Control permissions to all your applications in one place – Atlassian, Subversion, Google Apps, your own apps.

      Great! It's a way to sign into webapps. How enlightening. I have gotten a better description of it from the complaint posts below, than from searching for it in your approved way. But thank you for your concern of my inertially-challenged state.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    13. Re:Huh? by LordLucless · · Score: 2

      Facebook, twitter, hulu, etc probably use their ticketing system, Jira, which is what they're most well-known for. I doubt they use Crowd, which is one of their lesser-known offerings.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    14. Re:Huh? by Drakonblayde · · Score: 3, Insightful

      There's not a single major piece of software that hasn't had security flaws at one point or another. Remember when OpenBSD's web page bragged about no remote security holes in the default install? Even they've had two, and those boys are the epitome of paranoid security freaks.

      So I can forgive Atlassian to a degree, as long as they fix the damn thing, and fix it in a hurry. If your standard of 'good' software is no security holes at all, then I'm afraid you're going to have to log off and go back to playing with Lego's.

      Some of Atlassian's software is easy to use, and some of it can overwhelm a user. I've run into a few coworkers who hated Confluence, and it was because they couldn't figure out how to do what they wanted. After I showed them, the gripes mysteriously disappeared. Confluence and JIRA are good pieces of software. Not perfect, but they serve their purpose.

    15. Re: Huh? by foniksonik · · Score: 3, Interesting

      Actually you can hook Jira into Stash, which is a GIT repo server, hook that into FishEye/Crucible which is a code review portal, and hook that into Jenkins, thereby creating a nearly round trip QA process.

      QA creates a ticket, developer sees ticket, creates a branch from it, commits code, gets peer review after which the code is deployed to a QA server, ticket is moved back to a QA user who has a link to the QA server (typically a unique server instance is spun up for each ticket), QA confirms - this spins down the QA server instance and a pull request is made for the production branch.

      So there you go. Automated code deployment with useful checkpoints in a workflow process.

      Don't be jealous.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    16. Re:Huh? by sjames · · Score: 2

      Remember, single sign-on is just a strange way to spell "single point of failure".

  2. Not surprising by _merlin · · Score: 5, Interesting

    Atlassian has absolute contempt for their paying customers. Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users. JIRA and Crucible use some monstrosity of JavaScript that causes lag when typing into input fields, and certain versions clash with Ghostery in a way that causes certain characters (e.g. spaces) to be swallowed. It's sad, but it doesn't surprise me at all that they don't care about security in an authentication system.

    1. Re:Not surprising by Nyder · · Score: 2

      > Atlassian has absolute contempt for their paying customers. Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users. JIRA and Crucible use some monstrosity of JavaScript that causes lag when typing into input fields, and certain versions clash with Ghostery in a way that causes certain characters (e.g. spaces) to be swallowed. It's sad, but it doesn't surprise me at all that they don't care about security in an authentication system.

      Actually you gave the answer why. Since they are focused on new customers, it's all about the money they can get. Fixing stuff cost money, so they don't.

      --
      Be seeing you...
    2. Re:Not surprising by _merlin · · Score: 3, Insightful

      > But then again, I don't use ghostery, don't know what it is, never heard of it, don't use it and wonder why you expect Atlassian to craft their software stack against third party software.

      It's a browser plugin for blocking intrusive tracking elements in web sites. I've never had it cause trouble with any other web site besides those that intentionally require you to submit to tracking (e.g. airport wi-fi sign-on pages), but those sites will usually detect the elements being blocked and give you an upfront message about it. It's almost like Atlassian went out of their way to make their stuff not work with Ghostery.

      > From the tone of your post, you are just leaping at a chance for a cheap jab at Atlassian with trumped up nonsense.

      From the tone of your post you are a shill who has something to gain from Atlassian sales, jumping at a chance for a cheap sales pitch with vague anecdotes.

      > Personally, I enjoy the Atlassian stack, find it unrivaled in feature coverage and have migrated many clients to the Atlassian stack.

      Ah, right. You sell Atlassian software. Can you say "conflict of interest"?

    3. Re:Not surprising by CrankyFool · · Score: 4, Interesting

      It may be a factor of whether you're talking as a user or as an administrator.

      I can't speak authoritatively to JIRA as a product I'm responsible for -- I never owned a JIRA installation (well, not one with significant volume) -- but I use JIRA, and we use JIRA here, for a whole crapton of things from change tickets to production emergency handling, to task handling, to all development tasks. As a software engineer, and a software engineering manager, I love it -- and so do most of the other users we have here.

      It helps that we think of this kind of stuff as something you should actually invest in, and we have someone who probably has about 50% of his time dedicated to making JIRA run and making it work better for us. I've always found that bug/defect/issue/task tracking systems are better, and make their users happier, when they have a champion who's allowed to invest real resources in their care and feeding.

    4. Re:Not surprising by Anonymous Coward · · Score: 2

      > Heaven forbid someone makes a mistake calculating required disk storage for JIRA - if that SuperTurd fills up its disk storage it fails spectacularly and corrupts everything.

      Sadly, I've experienced what the AC is talking about =( I mean WTF? The consequences of running out of disk space could / should be better disclosed. (I know, I know... anyone 'worth their salt' should already know better. But still...)

      Otherwise, JIRA's not-too-shabby, especially if you're getting it for the really cheap license fee...

      No.

      No product should ever respond to a failed IO operation by going batshit crazy and corrupting data willy-nilly. Because IO operations can fail for a lot of reasons.

      JIRA's a turd, plain and simple.

    5. Re:Not surprising by BitZtream · · Score: 5, Informative

      ... So when they repeatedly state that the built in database is for evaluation purposes ONLY and that usage of it may result in data corruption or loss ... on EVERY ADMIN PAGE UNTIL YOU SWITCH OFF OF the built in database, that wasn't enough of a warning for you?

      I'm not sure how much more warning you can get, short of them corrupting your database intentionally on a daily basis so you get the point sooner.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    6. Re:Not surprising by l0ungeb0y · · Score: 3

      No, I don't sell Atlassian Software, I consult startups for a living.
      I get nothing from Atlassian, and don't put all my clients on Atlassian.
      Many of them I put on Github Enterprise.

      It depends on the client, the product, the development cycle, the team, and the roadmap.
      But hey -- don't let that stop you from making wild and baseless accusations.

    7. Re:Not surprising by Drakonblayde · · Score: 2

      If you're virtualizing Atlassian apps, it does take a bit of work and optimization to make them play nice, which is how every install (including my own personal ones) I've ever worked on has been installed. Once they're tuned, they hold up and scale pretty well though.

    8. Re:Not surprising by Drakonblayde · · Score: 3

      > Ah, right. You sell Atlassian software. Can you say "conflict of interest"?

      You're being a dick. It's fairly obviously he does consulting work for clients, and as such, provides them with solutions to meet their requirements and improve their work flow. That's like saying that, just because I'm a network engineer who decides to implement a Cisco solution for a customer, that I'm selling Cisco hardware.

      You're sounding like a bitter jerk.

    9. Re:Not surprising by rvw · · Score: 2

      > Perhaps if they had an issue tracking system they could manage those defects and get them fixed...

      Well it appears you can sign in yourself. So go ahead and file a bug report!

  3. The bug report with included patch by miknight · · Score: 3, Informative
  4. security alerts by manu0601 · · Score: 4, Insightful

    While it is nice for the persons in charge of this obscure software to be notified about a problem on Slashdot, I am not sure I would be very happy to see that generalized.

    But that leads to a real question: how do you learn about vulnerabilities for the software you are in charge of?

  5. Commercial Trash by gweihir · · Score: 3, Interesting

    Unless it starts to really, really hurt selling this kind of trash, not fixing _known_ vulnerabilities and not using secure coding practices, nothing will change. It is just cheaper this way and most customers do not care or cannot do anything anyways. One reason surely is managers at the customers that made this broken decision or supported it and now cannot back out without hurting themselves. Another is that absolutely nothing is going to happen to the vendor legally.

    Unless we start to require sound secure software engineering practices OR ELSE! nothing will change.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Thanks! by Narcocide · · Score: 2

    Today I learned about Atlassian, a company whose software I will never use.

  7. Re:Atlassian Slow as Molasses by Drakonblayde · · Score: 2

    Confluence works fine, but you have to be willing to throw the right hardware at it, or be willing to tune it. Something like Doku or Mediawiki is a lot less resource intensive, but Confluence is, in a nutshell, a java app, and you need to treat it accordingly. Once tuned and scaled properly, it works just as well as any other wiki, and I personally find formatting for it to be a lot easier, as well as the actual management of it.

  8. Re:The report's authors are pretty convincing by Anonymous Coward · · Score: 4, Informative

    I work for Atlassian and the author has not yet disclosed the vulnerability described in the "UNPATCHED VULNERABILITIES" section to us.

    Atlassian provides source code for most of our products (including Crowd) to paying customers. We would never deliberately build a backdoor into any of our products and I personally would never work for a company that would do that.