Atlassian recently released a critical-severity security advisory that affects a number of instances running Crowd Server and Crowd Data Center: Crowd Security Advisory 2019-05-22. This article gives guidance on how to fix or work around the vulnerability.
The vulnerability Atlassian disclosed on May 22nd, 2019 is rated Critical Severity. For examples and a description of the potential impact that rating implies, see Severity Levels for Security Issues. Most current Crowd versions are affected; the full list of affected versions is on the CVE page. Here is a representation of the affected versions:
For more details on the CVE and full list of affected versions, check here:
Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580
This vulnerability allows attackers to send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.
The following versions include a fix for this:
Upgrading to these versions fixes the vulnerability and is the ideal, long-term solution. However, not every instance can be upgraded easily, and those instances may need to follow the workaround instead.
Yes, there is a workaround: removing the pdkinstall-plugin mitigates the issue. The plugin exists only for development testing and was incorrectly left enabled in release versions, so removing it does not affect any Crowd functionality.
Here is how to disable this plugin:
Find and delete any pdkinstall-plugin jar files from the Crowd installation directory and the data directory
Remove the pdkinstall-plugin jar file from <Crowd installation directory>/crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip
Check that there are no pdkinstall-plugin jar files in the installation directory or the data directory.
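The three workaround steps above, scripted as an added example (not Atlassian's own tooling) in Python using only the standard library: the caller supplies the installation and data directories, the bundle path follows the advisory, and `make_fixture()` builds a constructed Crowd-like layout so the script can be exercised offline.

```python
import os
import tempfile
import zipfile
from pathlib import Path
BUNDLE_REL = Path("crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip")
JAR_PREFIX = "pdkinstall-plugin"


def find_jars(*roots):
    # Steps 1 and 3: every pdkinstall-plugin*.jar under the install and data directories
    return sorted(p for r in roots for p in Path(r).rglob("*.jar") if p.name.startswith(JAR_PREFIX))


def bundle_entries(bundle):
    # Entry names inside atlassian-bundled-plugins.zip that belong to the plugin
    with zipfile.ZipFile(bundle) as z:
        return [n for n in z.namelist() if Path(n).name.startswith(JAR_PREFIX)]


def strip_bundle(bundle):
    # Step 2: zipfile cannot delete in place, so rewrite the archive without the entry
    removed = bundle_entries(bundle)
    if not removed:
        return []
    tmp = bundle.with_name(bundle.name + ".tmp")
    with zipfile.ZipFile(bundle) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename not in removed:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, bundle)  # atomic swap; the original survives if rewriting fails
    return removed


def apply_workaround(install_dir, data_dir):
    """Runs the advisory's three steps; returns (removed names, verification passed).
    Raises FileNotFoundError if the bundle is not at the path the advisory gives."""
    removed = [str(p) for p in find_jars(install_dir, data_dir)]
    for p in removed:
        os.remove(p)
    removed += strip_bundle(Path(install_dir) / BUNDLE_REL)
    clean = not find_jars(install_dir, data_dir) and not bundle_entries(Path(install_dir) / BUNDLE_REL)
    return removed, clean


def make_fixture():
    """Constructed Crowd-like layout (not a real install): plugin jar in the data dir and bundle."""
    root = Path(tempfile.mkdtemp())
    install, data = root / "atlassian-crowd", root / "crowd-home"
    (data / "plugins").mkdir(parents=True)
    (data / "plugins" / "pdkinstall-plugin-0.6.jar").write_bytes(b"placeholder")
    (install / BUNDLE_REL).parent.mkdir(parents=True)
    with zipfile.ZipFile(install / BUNDLE_REL, "w") as z:
        z.writestr("pdkinstall-plugin-0.6.jar", b"placeholder")
        z.writestr("crowd-rest-plugin.jar", b"keep")
    return str(install), str(data)
```

On a real instance, stop Crowd and back up the bundle first, then call `apply_workaround()` with the actual installation and data directories in place of the fixture.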
Right now, the workaround is the easier way out of this CVE. Crowd upgrades can be tricky for anyone. As much as we want to get customers out of this, upgrading requires:
There should be none. The plugin was never intended to reach a release and provides no vital functionality to Crowd.
For anyone worried: this workaround will not affect any core Crowd functionality, since the plugin is only used for testing while developing Crowd.
Take a look at this link:
There you can subscribe to the security advisories for your specific products.
No. If you are on Cloud, there is no need to worry about this CVE.