Slashdot Mirror


Backdoor Discovered In Atlassian Crowd

An anonymous reader writes "Recently published on the Command Five website is a technically detailed threat advisory (PDF) in relation to a recurring vulnerability in Atlassian Crowd. Tucked away inconspicuously at the end of this document in a section entitled 'Unpatched Vulnerabilities' is the real security bombshell: Atlassian's turnkey solution for enterprise single sign-on and secure user authentication contains an unpatched backdoor. The backdoor allows anyone to remotely take full control of a Crowd server and, according to Command Five, successful exploitation 'invariably' results in compromise of all application and user credentials as well as accessible data storage, configured directories (for example Active Directory), and dependent systems."


  1. Huh? by TubeSteak · Score: 5, Interesting

    What is Atlassian Crowd, where is it used, how does this affect me, why should I care?
    Did I miss any important questions?

    --
    [Fuck Beta]
    o0t!
    1. Re:Huh? by Charliemopps · Score: 4, Informative

      They make Jira and Confluence... 2 applications that are widely used by some IS departments to manage their work. Jira, for example, is an application for tracking software development, deployment and bugs. It's basically a ticketing system for programmers. You can track who created what, which bugs showed up in it later, who fixed them, how long all that took, etc...

      I'm not sure how many people are using their LDAP/SSO stuff though. There are a lot bigger (and clearly more trustworthy) providers in town.

    2. Re:Huh? by flyingfsck · Score: 4, Funny

      Well, they just made sure that *anyone* can sign on. It is a very convenient feature.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  2. Not surprising by _merlin · Score: 5, Interesting

    Atlassian has absolute contempt for their paying customers. Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users. JIRA and Crucible use some monstrosity of JavaScript that causes lag when typing into input fields, and certain versions clash with Ghostery in a way that causes certain characters (e.g. spaces) to be swallowed. It's sad, but it doesn't surprise me at all that they don't care about security in an authentication system.

    1. Re:Not surprising by CrankyFool · Score: 4, Interesting

      It may be a factor of whether you're talking as a user or as an administrator.

      I can't speak authoritatively to JIRA as a product I'm responsible for -- I never owned a JIRA installation (well, not one with significant volume) -- but I use JIRA, and we use JIRA here, for a whole crapton of things from change tickets to production emergency handling, to task handling, to all development tasks. As a software engineer, and a software engineering manager, I love it -- and so do most of the other users we have here.

      It helps that we think of this kind of stuff as something you should actually invest in, and we have someone who probably has about 50% of his time dedicated to making JIRA run and making it work better for us. I've always found that bug/defect/issue/task tracking systems are better, and make their users happier, when they have a champion who's allowed to invest real resources in their care and feeding.

    2. Re:Not surprising by BitZtream · Score: 5, Informative

      ... So when they repeatedly state that the built-in database is for evaluation purposes ONLY and that usage of it may result in data corruption or loss ... on EVERY ADMIN PAGE UNTIL YOU SWITCH OFF OF the built-in database, that wasn't enough of a warning for you?

      I'm not sure how much more warning you can get, short of them corrupting your database intentionally on a daily basis so you get the point sooner.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  3. security alerts by manu0601 · Score: 4, Insightful

    While it is nice for the persons in charge of this obscure software to be notified about a problem on Slashdot, I am not sure I would be very happy to see that generalized.

    But that leads to a real question: how do you learn about vulnerabilities in the software you are in charge of?

  4. Re:The report's author are pretty convincing by Anonymous Coward · Score: 4, Informative

    I work for Atlassian and the author has not yet disclosed the vulnerability described in the "UNPATCHED VULNERABILITIES" section to us.

    Atlassian provides source code for most of our products (including Crowd) to paying customers. We would never deliberately build a backdoor into any of our products and I personally would never work for a company that would do that.