
Security Issues for Crowd Server and Crowd Data Center




Atlassian has announced that Crowd Server and Crowd Data Center may be at risk after a security issue was detected. Below you will find information on the security issue identified by Atlassian, as well as confirmation as to whether or not the versions you are running are affected.


Summary of Vulnerability

Atlassian disclosed a critical severity security vulnerability that was introduced in version 2.1.0 of Crowd and Crowd Data Center. The following versions of Crowd and Crowd Data Center are affected:

  • from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x),
  • from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),
  • from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x),
  • from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and
  • from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x).


Atlassian advises customers to upgrade their Crowd or Crowd Data Center installations immediately to fix this vulnerability.


All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability. 

Atlassian's suggested Fix

We have taken the following steps to address this issue:


What Atlassian advises you to do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Crowd, see the release notes. You can download the latest version of Crowd from the Atlassian download center.

Upgrade Crowd to version 3.4.4 or higher.


If you cannot upgrade Crowd to version 3.4.4 or higher

Upgrade to the bugfix version for the release line you are running:

  • If you are running 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.6, 2.8.7, 2.8.8, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3 or 3.0.4, then upgrade to bugfix version 3.0.5
  • If you are running 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4 or 3.1.5, then upgrade to bugfix version 3.1.6
  • If you are running 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6 or 3.2.7, then upgrade to bugfix version 3.2.8
  • If you are running 3.3.0, 3.3.1, 3.3.2, 3.3.3 or 3.3.4, then upgrade to bugfix version 3.3.5
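
As an added example, not part of the Atlassian advisory or this post, the following POSIX shell script encodes the affected ranges stated above (from <= version < fixed) and reports, for a Crowd version string you supply, whether that version is affected and which bugfix version it should be upgraded to. The version string is assumed to be supplied by the operator, for example from the Crowd administration console.

```shell
#!/bin/sh
# Added example, not Atlassian's or GLiNTECH's code: decide from a Crowd
# version string whether it falls in one of the affected ranges stated in
# the advisory and, if so, which bugfix version to upgrade to.

# vercmp A B: compare two dotted numeric versions; prints -1, 0 or 1.
# A non-numeric suffix on a component (e.g. "4-m1") is ignored.
vercmp() {
    a="$1." b="$2."            # trailing dot: every component ends with a dot
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#"$x"}; a=${a#.}
        y=${b%%.*}; b=${b#"$y"}; b=${b#.}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return 0; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return 0; }
    done
    printf '%s\n' 0
}

# crowd_fix_for VERSION: prints the bugfix version named in the advisory
# when VERSION is affected (from <= VERSION < fixed), else "not-affected".
# The "from fixed" pairs below are exactly the ranges listed in the advisory.
crowd_fix_for() {
    while read -r range_from range_fixed; do
        if [ "$(vercmp "$1" "$range_from")" != -1 ] &&
           [ "$(vercmp "$1" "$range_fixed")" = -1 ]; then
            printf '%s\n' "$range_fixed"
            return 0
        fi
    done <<'EOF'
2.1.0 3.0.5
3.1.0 3.1.6
3.2.0 3.2.8
3.3.0 3.3.5
3.4.0 3.4.4
EOF
    printf '%s\n' not-affected
}

# Usage: sh crowd-check.sh 3.2.3   (prints 3.2.8)
if [ -n "${1:-}" ]; then
    crowd_fix_for "$1"
fi
```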


If you cannot upgrade immediately, then Atlassian advises the following steps to mitigate the risk

This issue can be mitigated by doing the following:

  1. Stop Crowd
  2. Find and delete any pdkinstall-plugin jar files from the Crowd installation directory and the data directory
  3. Remove the pdkinstall-plugin jar file from <Crowd installation directory>/crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip
  4. Start Crowd
  5. Check that there are no pdkinstall-plugin jar files in the installation directory or the data directory.

The following bash script can be used to apply the above mitigation on Linux systems:

#!/bin/bash
set -u

INSTALLATION_DIRECTORY= # set this to where Crowd is installed
DATA_DIRECTORY=         # set this to the Crowd data (home) directory

if [ -z "$INSTALLATION_DIRECTORY" ]
then
    echo "Please set INSTALLATION_DIRECTORY"
    exit 1
fi

if [ -z "$DATA_DIRECTORY" ]
then
    echo "Please set DATA_DIRECTORY"
    exit 1
fi

# The data directory must be an existing directory, not a file
if [ ! -d "$DATA_DIRECTORY" ]; then
    echo "Please check that DATA_DIRECTORY is correct."
    exit 1
fi

if [ -f "$INSTALLATION_DIRECTORY/stop_crowd.sh" ]; then
    # Step 1: stop Crowd
    echo "Stopping Crowd"
    "$INSTALLATION_DIRECTORY/stop_crowd.sh" > /dev/null

    # Step 3: remove the plugin jar from the bundled-plugins archive in the installation directory
    find "$INSTALLATION_DIRECTORY" -iname 'atlassian-bundled-plugins.zip' -exec zip -d {} 'pdkinstall-plugin-*.jar' \;
    # You should see something like "deleting: pdkinstall-plugin-0.4.jar" after the above find command has run

    # Step 2: delete any extracted copies of the plugin jar from the installation and data directories
    find "$INSTALLATION_DIRECTORY" -iname 'pdkinstall-plugin*.jar' -exec rm -f {} \;
    find "$DATA_DIRECTORY" -iname 'pdkinstall-plugin*' -exec rm -f {} \;

    # Step 4: start Crowd
    echo "Starting Crowd"
    if [ -f "$INSTALLATION_DIRECTORY/start_crowd.sh" ]; then
        "$INSTALLATION_DIRECTORY/start_crowd.sh"
        sleep 60
        # Step 5: the jar must not have reappeared in either directory once Crowd is up
        find "$INSTALLATION_DIRECTORY" "$DATA_DIRECTORY" -iname 'pdkinstall-plugin*' -exec echo "Failed to apply the mitigation - {} still exists" \;
    else
        echo "Failed to start Crowd"
    fi
else
    echo "Unable to stop Crowd, please ensure that you have specified the correct installation directory."
fi


Don't forget to reach out to the GLiNTECH team if you have any questions or concerns about your own Atlassian software.