FishEye 2.5 : FishEye Security Advisory 2010-06-16
This page last changed on Jun 16, 2010 by edawson.
In this advisory: Remote Code Exploit Vulnerability

Severity

Atlassian rates this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a remote code exploit vulnerability which affects FishEye and Crucible instances.

Vulnerability

This vulnerability allows a motivated attacker to execute code remotely on the host server. All versions of FishEye/Crucible up to and including version 2.3.2 are affected by this vulnerability.
This vulnerability was discovered in XWork by OpenSymphony, a command pattern framework used by FishEye and Crucible. About the XWork Framework:
Risk Mitigation

We strongly recommend either upgrading or patching your FishEye/Crucible installation to fix this vulnerability. Please see the 'Fix' section below.

Fix

These issues have been fixed in FishEye 2.3.3 (see the changelog), which you can download from the download centre. It has also been fixed in Crucible 2.3.3 (see the changelog), which you can download from the download centre. Later versions will include protection from this vulnerability.

This fix is also provided as a patch for FishEye/Crucible 2.3.2 and 2.2.3, which you can download from links on this page. Customers on earlier point versions of FishEye/Crucible will have to upgrade to version 2.3.2 or 2.2.3 before applying the patch. Atlassian recommends you upgrade to FishEye/Crucible 2.3.3.

Download Patches for Earlier FishEye / Crucible Versions
Please note that these patches are for specific point versions of FishEye (2.3.2 and 2.2.3). If you are running an earlier version than these, you will need to upgrade to a version specifically addressed by one of these patches. Atlassian strongly recommends that you upgrade to FishEye 2.3.3 / Crucible 2.3.3 or later. MD5 checksums are provided to allow verification of the downloaded files.

Patch for FishEye / Crucible 2.3.2
Patch for FishEye / Crucible 2.2.3
Our thanks to Meder Kydyraliev of the Google Security Team who discovered this vulnerability. Atlassian fully supports the reporting of vulnerabilities and appreciates it when people work with Atlassian to identify and solve the problem.

Document generated by Confluence on Apr 03, 2011 23:09