Recently a new critical severity security advisory was released which affects a number of instances running Crowd Server and Crowd Data Center: Crowd Security Advisory 2019-05-22. Our aim is to provide some guidance on what to do to fix and workaround this vulnerability.
The security vulnerability Atlassian disclosed in May 22nd 2019 is of Critical Severity. You can read some examples and description on the potential impact of this vulnerability here: Severity Levels for Security Issues. Most of our current Crowd versions are affected you can check the full list of affected versions directly into the CVE page. Here is a representation of the affected versions:
For more details on the CVE and full list of affected versions, check here:
This vulnerability allows attackers to send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.
The following versions include a fix for this:
Upgrading to these versions will fix the vulnerability. Upgrading is the ideal, long-term solution. However, not every instance can be easily upgraded and might need to follow the workaround.
Yes. Removing the pdkinstall-plugin will mitigate the issue. This plugin is for development testing and release versions had this plugin incorrectly enabled, so this will not affect any Crowd functionality.
Here is how to disable this plugin:
Find and delete any pdkinstall-plugin jar files from the Crowd installation directory and the data directory
Remove the pdkinstall-plugin jar file from <Crowd installation directory>/crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip
Check that there are no pdkinstall-plugin jar files in the installation directory or the data directory.
Right now, the workaround is the easier way out of this CVE. Crowd upgrades can be tricky for anyone. As much as we need to take customers out of this, upgrading requires:
Should be none. This plugin was never intended to reach release and provides no vital functionality to Crowd.
For anyone worried, you can rest assured that this workaround will not affect any core functionality of Crowd, since this is a plugin used for testing when developing Crowd.
Take a look at this link:
There you should be able to subscribe to the Security Advisories for your own specific products.
No. If you are on Cloud there is no need to worry about this CVE.
To streamline the process and make sure everyone is seen when asking for help, we locked the replies here. You can go ahead and ask the Community a question so your request is not lost:
Community moderators have prevented the ability to post new comments.
Hello Community! Quick disclaimer: We are running a contest on Community (The Atlympics!) from July 23rd - August 8th of 2021. If you are interested in participating in this contest (prizes! ...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events