Security Advisory FAQ - Crowd Server and Data Center 2019-05-22

Recently a new critical severity security advisory was released which affects a large number of instances running Crowd Server and Crowd Data Center: Crowd Security Advisory 2019-05-22. The aim of this FAQ is to give guidance on how to fix this vulnerability, and how to work around it where an upgrade is not immediately possible.

What is the CVE?

The security vulnerability Atlassian disclosed on May 22nd 2019 is of Critical Severity. You can read a description of what this rating means, with examples of the potential impact, here: Severity Levels for Security Issues. Most of the current Crowd versions are affected; you can check the full list of affected versions directly on the CVE page. Here is a summary of the affected version ranges:

  • 2.1.0 <= version < 3.0.5
  • 3.1.0 <= version < 3.1.6
  • 3.2.0 <= version < 3.2.8
  • 3.3.0 <= version < 3.3.5
  • 3.4.0 <= version < 3.4.4

For more details on the CVE and full list of affected versions, check here:

This vulnerability allows attackers to send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance to install arbitrary plugins, which in turn permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. Since the request does not need to be authenticated, any host that can reach the Crowd web interface can exploit it.

Which versions have the fix?

The following versions include a fix for this:

  • 3.0.5

  • 3.1.6

  • 3.2.8

  • 3.3.5

  • 3.4.4

Upgrading to one of these versions (or any later release) fixes the vulnerability. Upgrading is the ideal, long-term solution. However, not every instance can be upgraded easily, and those instances should follow the workaround below in the meantime.

Is there a workaround?

Yes. Removing the pdkinstall-plugin mitigates the issue. This plugin exists for development testing only; release versions had it incorrectly enabled, so removing it does not affect any Crowd functionality.

Here is how to remove this plugin:

  1. Stop Crowd

  2. Find and delete any pdkinstall-plugin jar files from the Crowd installation directory and the data directory

  3. Remove the pdkinstall-plugin jar file from <Crowd installation directory>/crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip

  4. Start Crowd

  5. Check that there are no pdkinstall-plugin jar files in the installation directory or the data directory, and that atlassian-bundled-plugins.zip no longer contains one. If a jar reappears after startup, it was restored from a copy you missed in step 2 or 3: stop Crowd and repeat the search.
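The five steps above, as an added example script that is not part of the original advisory or of Crowd itself. It performs steps 2, 3 and 5 (delete loose jars, strip the bundled zip, verify) and can be run between stopping and starting Crowd. The jar file name pattern `pdkinstall-plugin*.jar`, the directory layout built by `build_sample_instance()`, and the tiny placeholder jar contents are constructed sample data for a dry run; point `apply_workaround()` and `verify_clean()` at your real installation and data directories instead.

```python
import fnmatch
import os
import tempfile
import zipfile
from pathlib import Path

# Assumed file name pattern for the plugin jar (any version suffix).
PLUGIN_GLOB = "pdkinstall-plugin*.jar"
# Relative path of the bundled-plugins archive named in step 3 of the workaround.
BUNDLED_ZIP_REL = Path("crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip")


def find_plugin_jars(*roots):
    """Step 2/5: recursively find loose pdkinstall-plugin jars under each directory."""
    found = []
    for root in roots:
        root = Path(root)
        if root.is_dir():
            found.extend(sorted(root.rglob(PLUGIN_GLOB)))
    return found


def bundled_zip_entries(install_dir):
    """Step 3/5: names of pdkinstall-plugin entries inside atlassian-bundled-plugins.zip."""
    zpath = Path(install_dir) / BUNDLED_ZIP_REL
    if not zpath.is_file():
        return []
    with zipfile.ZipFile(zpath) as zf:
        return [n for n in zf.namelist() if fnmatch.fnmatch(Path(n).name, PLUGIN_GLOB)]


def remove_from_zip(zpath, unwanted):
    """Rewrite the archive without the unwanted entries; zipfile cannot delete in place."""
    zpath = Path(zpath)
    tmp = zpath.with_name(zpath.name + ".tmp")
    with zipfile.ZipFile(zpath) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename in unwanted:
                continue
            dst.writestr(item, src.read(item.filename))
    os.replace(tmp, zpath)  # atomic swap so a crash never leaves a half-written zip


def apply_workaround(install_dir, data_dir):
    """Steps 2 and 3: delete loose jars, then strip the bundled zip. Returns what was removed."""
    removed = []
    for jar in find_plugin_jars(install_dir, data_dir):
        jar.unlink()
        removed.append(str(jar))
    entries = bundled_zip_entries(install_dir)
    if entries:
        remove_from_zip(Path(install_dir) / BUNDLED_ZIP_REL, set(entries))
        removed.extend(entries)
    return removed


def verify_clean(install_dir, data_dir):
    """Step 5: True only if no pdkinstall-plugin jar remains, including inside the bundled zip."""
    return not find_plugin_jars(install_dir, data_dir) and not bundled_zip_entries(install_dir)


def build_sample_instance():
    """Constructed sample layout for a dry run (not a real Crowd install): one loose jar in
    the data directory and one entry inside the bundled-plugins zip, next to another plugin
    that must survive the cleanup."""
    base = Path(tempfile.mkdtemp(prefix="crowd-sample-"))
    install, data = base / "atlassian-crowd", base / "crowd-home"
    (install / BUNDLED_ZIP_REL).parent.mkdir(parents=True)
    (data / "plugins").mkdir(parents=True)
    empty_jar = b"PK\x05\x06" + b"\x00" * 18  # a valid, empty zip archive
    (data / "plugins" / "pdkinstall-plugin-0.4.jar").write_bytes(empty_jar)
    with zipfile.ZipFile(install / BUNDLED_ZIP_REL, "w") as zf:
        zf.writestr("pdkinstall-plugin-0.4.jar", empty_jar)
        zf.writestr("some-other-plugin-1.0.jar", empty_jar)
    return install, data


if __name__ == "__main__":
    install, data = build_sample_instance()
    print("clean before:", verify_clean(install, data))
    for item in apply_workaround(install, data):
        print("removed:", item)
    print("clean after:", verify_clean(install, data))
```

Run it once with Crowd stopped, then start Crowd and run `verify_clean()` again: if the jar is back, a copy survived somewhere outside the two directories you scanned, and the workaround is not yet effective.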

What is the quickest way to resolve this?

Right now, the workaround is the quickest way to close this CVE. Crowd upgrades can be tricky for anyone. As much as we want to get customers off vulnerable versions, upgrading requires:

  • Planning

  • Test instances

  • Downtime

  • Backups

  • Approval

What is the impact of disabling the pdkinstall-plugin for my Instance?

There should be none. This plugin was never intended to reach a release and provides no vital functionality to Crowd.

For anyone worried, you can rest assured that this workaround will not affect any core functionality of Crowd, since this plugin is only used for testing while developing Crowd.

What if I was not notified of this?

Take a look at this link:

Marketing email preferences

There you should be able to subscribe to the Security Advisories for your own specific products.

Is the Cloud platform affected by this?

No. If you are on Cloud, this CVE does not apply to you and no action is needed.
