My first time to post regarding my setup. Basically I have the following set up on premise.
Upon closer inspection at my deployment, my Crowd is using Struts, and worst, it's vulnerable. I could be using perhaps Struts version 2.3.29.
It states here that Struts can be updated separately without impacting Crowd. However, upon testing, Crowd stopped working after updating struts only. So my only option is to upgrade Crowd to a non-vulnerable version.
There have been a couple of major security updates with Struts that have been released even after the advisory above, with the latest one released only a few days ago which requires me to update to the latest Struts 2.5.16.
Now, I am at a dilemma, that I may need to upgrade both Crowd as well as Struts!
I am however, hesitant to upgrade/patch as it might break or change the way my users (JIRA, Confluence, Stash) operate which I would not want to take risk at.
My question is:
Hi @Edmon Uyan,
In general I would suggest relying on the product releases with security updates. While the CWD-4879 ticket mentioned upgrading the struts library only, without upgrading Crowd itself, this was mentioned as a hot fix and may not work with other versions of Crowd and Struts (a specially with major and minor version changes).
Upgrading Crowd to the latest version should not impose any operational change for the users to adjust to. However in general we suggest checking the upgrade process on staging environment and checking features you rely on.
Hope that helps,
hi @Marcin Kempa,
Thank you for that insight.
When you mentioned current Crowd, may i know what version are you referring to?
Another thing, if I only upgrade Crowd, will the remaining apps (JIRA, Stash, Confluence) keep on working without having to upgrade them?
Hi @Edmon Uyan,
That's correct I was referring to Crowd 3.1.x (3.1.3 being the latest one at the moment)
Regarding the compatibility, there were no breaking changes in the API between Crowd and other products so to my best knowledge Crowd should work with the products versions you've mentioned. Your Stash / Bitbucket Server version is pretty old though and it reached the EOL same with Confluence, I suggest upgrading to more recent ones.
Hi @Marcin Kempa,
My team was able to upgrade crowd. As it turned out, the new setup states that the maintenance license already expired and that we are running an evaluation version. Any way to allow us to continue using the license of the original setup on this upgraded one?
Also, I am doing a penetration test and found that my Crowd is vulnerable to clickjacking. It asks me to use X-Frame-Options: SAMEORIGIN. Will try this as well and let you know of the result.
Hi @Edmon Uyan,
That's interesting as this banner should be enabled when the license is evaluation type. Can you double check the license added to this instance?
Regarding clickjacking issue, this was resolved in Crowd 2.9.1, here is the issue where we were tracking it https://jira.atlassian.com/browse/CWD-4595
Do you own more than one Server or Data Center product? Do you have challenges provisioning users across your Atlassian products? Are you spending a lot of time integrating each Atlassian product wit...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs