This is a very serious remote exploitation of the Crowd service, looks like version 2.6.3 is the only fully patched and safe version.
Abstract:
This advisory examines a critical vulnerability in Atlassian Crowd a software package marketed as a turnkey solution for enterprise scale single signon and secure user authentication. The vulnerability is remotely accessible, does not require authentication, and is easily exploited. Recommendations for securing affected systems are provided and special mention is made of an unpatched weakness in the product that could be classified as a symmetric backdoor.
From the pdf, it looks like there is no patch available for versions <= 6.2.2
From my experience the time to turn-around a product upgrade is typically a lot longer than a security patch. Furthermore, the way the licensing works means that some users may not be able to upgrade; users who are out of their maintenance period need a security patch, not an upgrade.
3 comments
[ 2.7 ms ] story [ 18.7 ms ] threadAbstract:
This advisory examines a critical vulnerability in Atlassian Crowd a software package marketed as a turnkey solution for enterprise scale single signon and secure user authentication. The vulnerability is remotely accessible, does not require authentication, and is easily exploited. Recommendations for securing affected systems are provided and special mention is made of an unpatched weakness in the product that could be classified as a symmetric backdoor.
From my experience the time to turn-around a product upgrade is typically a lot longer than a security patch. Furthermore, the way the licensing works means that some users may not be able to upgrade; users who are out of their maintenance period need a security patch, not an upgrade.