Forgot your password?
typodupeerror
Security Businesses

Backdoor Discovered In Atlassian Crowd 133

Posted by timothy
from the your-gate-is-up dept.
An anonymous reader writes "Recently published on the Command Five website is a technically detailed threat advisory (PDF) in relation to a recurring vulnerability in Atlassian Crowd. Tucked away inconspicuously at the end of this document in a section entitled 'Unpatched Vulnerabilities' is the real security bombshell: Atlassian's turnkey solution for enterprise single sign-on and secure user authentication contains an unpatched backdoor. The backdoor allows anyone to remotely take full control of a Crowd server and, according to Command Five, successful exploitation 'invariably' results in compromise of all application and user credentials as well as accessible data storage, configured directories (for example Active Directory), and dependent systems."
This discussion has been archived. No new comments can be posted.

Backdoor Discovered In Atlassian Crowd

Comments Filter:
  • Huh? (Score:5, Interesting)

    by TubeSteak (669689) on Sunday June 30, 2013 @08:19PM (#44149877) Journal

    What is Atlassian Crowd, where is it used, how does this effect me, why should I care?
    Did I miss any important questions?

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Here comes the aeroplane spoon... open up the hangar!

      From the first page of the advisory:
      "Atlassian Crowd is marketed as a secure single signon (SSO) product for the enterprise and is designed to be incorporated into third party applications and systems"

    • No, you got the important ones. I was wondering the exact same thing myself. Even googled about it, but saw nothing informative outside of their website, which would only slightly answer the first part.

      So, what are your plans for the upcoming holiday? We are going to have a cookout with friends. Hope you enjoy whatever you have planned. Bye.

      (That part added to give this /. story some meaning in our lives.)

      • Aww, you are so nice, when you come this way, please do drop in for a camel roast.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Atlassian's turnkey solution for enterprise single sign-on and secure user authentication. Atlassian is a software vendor of modest relevance, producing Jira issue tracking and Confluence wiki software. I assume this would only be relevant if you run are rely on a system that uses Crowd for authentication. Where is it used? Where is any software package used?

      • Atlassian's turnkey solution for enterprise single sign-on and secure user authentication. Atlassian is a software vendor of modest relevance, producing Jira issue tracking and Confluence wiki software. I assume this would only be relevant if you run are rely on a system that uses Crowd for authentication. Where is it used? Where is any software package used?

        Atlassian's most famous product is Jira, which is pretty commonly used in large-scale businesses. Large-scale businesses are also more likely to use SSO, since it's less trouble than maintaining dozens of app-specific login subsystems.

        So the net result is effectively that the login ID is "sa" and the password is blank and everyone from the NSA to the Brothers of the Islamic Revolution of Upper West Turdistan, the New Reform Church of Neo-Communist Mao-fu-tze, the haXors Anymous 7EEt, the 57th-Street Beagle

    • Re:Huh? (Score:4, Informative)

      by Luckyo (1726890) on Sunday June 30, 2013 @08:31PM (#44149961)

      It appears to be some sort of software managing logins to sites. Their site cites their clientele to be a lot of major companies, such as facebook, twitter, hulu and netflix.

      I imagine if you have a backdoor into software that manages facebook's login systems, that's pretty damn major.

      • Also Red Hat JBoss, Apache and Jenkins CI, etc. Quite a few pies, but I haven't noted many installations that use Crowd.
        • by jythie (914043)
          Most of the places that use it are closed source, it is not really designed to appeal to the OSS community. However big companies that need to appease non-technical people (like the DoD, major ISPs, utilities) will often use it. It is pretty low profile because they mostly talk with big players directly. Not really a small developer/end user product.
      • Facebook, twitter, hulu, etc probably use their ticketing system, Jira, which is what they're most well-known for. I doubt they use Crowd, which is one of their lesser-known offerings.

    • Re:Huh? (Score:4, Informative)

      by DMUTPeregrine (612791) on Sunday June 30, 2013 @08:33PM (#44149971) Journal
      Well, let's read the summary:
      "Atlassian's turnkey solution for enterprise single sign-on and secure user authentication"
      So Atlassian is some company, and it's a single sign-on/authentication system used in businesses.
      And it lets a remote attacker take control of the servers it runs on, and possibly other computers in the business (via Active Directory, which is Microsoft's system administration/management package.)
    • Re:Huh? (Score:5, Informative)

      by Charliemopps (1157495) on Sunday June 30, 2013 @08:53PM (#44150071)

      They make Jira and Confluence... 2 applications that are widely used by some IS departments to manage their work. Jira for example, is an application for tracking software development, deployment and bugs. It's basically a ticketing system for programmers. You can track who created what, which bugs showed up in it later, who fixed them, how long all that took, etc...

      I'm not sure how many people are using their LDAP/SSO stuff though though. There are lot bigger (and clearly more trustworthy) providers in town.

      • Re:Huh? (Score:4, Informative)

        by Drakonblayde (871676) on Sunday June 30, 2013 @11:58PM (#44150849)

        All of the individual apps can be tied to AD (or another directory) directly. Crowd is pretty much what you use when you want single sign-on/centralized auth, but you don't want to deploy AD or go through the pain in the ass of setting up and maintaining your own LDAP server.

        I've also seen it used in large enterprises which have multiple authentication sources, the kind where systems just kind of creep, but no one wants to take the time (or risk the downtime) for consolidation. In that scenario, it's alot easier to tie the apps to Crowd for authentication, and then you just need to manage authentication sources in Crowd, instead of individually on the apps.

        Atlassian actually makes some pretty good software, and their prices are reasonable for their starter kits to get used to it. My only gripe is that it's all pretty much Tomcat based

        • My only gripe is that it's all pretty much Tomcat based

          There are worse things a J2EE-based applications to run under. Since Tomcat supports the essentials without the overhead of supporting the full stack, it has very modest resource requirements compared to, for example, WebSphere or JBoss.

          Of course, Jetty is also lightweight, but Jetty isn't as commonly used or supported these days.

          • by Anonymous Coward

            my beef with atlassian stuff is you end up running separate instances for each app yet on their own ports and if you want any kind of seamlessness you have to hide it behind an apache proxy. II don't understand why I need to run 3 tomcats and an apache for stash, jira, and confluence.

    • by Anonymous Coward

      I wish there was a place i could get these answers.

      LIKE THE FUCKING INTERNET.

    • Re:Huh? (Score:4, Funny)

      by Scarletdown (886459) on Sunday June 30, 2013 @09:08PM (#44150135) Journal

      Must be the heat playing tricks on my brain. I thought the headline said Atlassian Cloud. And that was going to be the excuse to post about a backdoor discovered in a real cloud. [photobucket.com]

    • by drinkypoo (153816)

      I had imagined it was a Japanese Cloud computing firm located in the lost city of Atlantis.

    • There's a pretty f'ing reasonable argument to be made that if you don't know, and can't be bothered to do any research, maybe you don't need to know. Certainly, I will tell you that as someone who actually uses Crowd, and has been known to configure and administer Crowd, I know what it is.

      Come on.

    • by Ol Olsoc (1175323)

      What is Atlassian Crowd, where is it used, how does this effect me, why should I care? Did I miss any important questions?

      Im' particularly dyslexic tonight - I read that as "Assassin's Creed"

    • Atlassian boasts [atlassian.com] that Crowd has more than a thousand corporate users, including the NYSE. Yes, kids, the New York Stock Exchange has internal applications that are affected by this backdoor—along with Sourceforge, Twitter, BMW, Panasonic, Netflix, Zynga...
      • ...along with ... Zynga...

        Well then, this is an appropriate product for them, the backdoor thing and all, since Zanga is a bunch of assholes...

      • by zullnero (833754)
        A lot of companies boast about their corporate users, but a whole lot of them are situations where some guy in a team downloaded an evaluation copy of a tool and had to fill out a form listing their affiliated company. Then they're perfectly in the clear if they take the best companies from their evaluation request forms and list them on a site. I wouldn't trust that marketing shpiel without verifying it with any of those companies, first...and fat chance that'll happen.

        I know full well that I'm probably
        • In Atlassian's case, usage of their products is actually about as widespread as it appears. I say this from a lot of firsthand knowledge with installing, configuring, and managing their products in a lot of environments.

          What exactly do you mean when you say "locked down server?" Unless you mean "disconnected from the Internet and/or sitting behind a NAT gateway that requires additional authentication via a VPN or other means to traverse," this sort of vulnerability doesn't depend on anything more than havin

    • by Buzer (809214)

      The terminology in article confused me as well. It's talking about "enterprise single sign-on" which actually means something different from what Crowd actually seems to provide. It's usually used to refer software that does SSO to desktop applications (well known software in that sector are like Oracle ESSO, NetIQ (formerly Novell) SecureLogin, IBM SAM ESSO (formerly IBM TAM ESSO)). Crowd, however, seems to be WebSSO+IDM [atlassian.com] solution.

  • Not surprising (Score:5, Interesting)

    by _merlin (160982) on Sunday June 30, 2013 @08:29PM (#44149949) Homepage Journal

    Atlassian has absolute contempt for their paying customers. Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users. JIRA and Crucible use some monstrosity of JavaScript that causes lag when typing into intput fields, and certain versions clash with Ghostery in a way that causes certain characters (e.g. spaces) to be swallowed. It's sad, but it doesn't surprise me at all that they don't care about security in an authentication system.

    • by Anonymous Coward

      Atlassian has absolute contempt for their paying customers. Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users. JIRA and Crucible use some monstrosity of JavaScript that causes lag when typing into intput fields, and certain versions clash with Ghostery in a way that causes certain characters (e.g. spaces) to be swallowed. It's sad, but it doesn't surprise me at all that they don't care about security in an authentication system.

      No shit. What's that old joke about shrink-wrapped stool samples?

      And you are informative - I never bothered to learn what sphincter JIRA came out of. Heaven forbid someone makes a mistake calculating required disk storage for JIRA - if that SuperTurd fills up its disk storage it fails spectacularly and corrupts everything.

      Now I know Atlassian is that sphincter.

      • > Heaven forbid someone makes a mistake calculating required disk storage for JIRA - if that SuperTurd fills up its disk storage it fails spectacularly and corrupts everything.

        Sadly, I've experienced what the AC is talking about =( I mean WTF? The consequences of running out of disk space could / should be better disclosed. (I know, I know... anyone 'worth their salt' should already know better. But still...)

        Otherwise, JIRA's not-too-shabby, especially if you're getting it for the really cheap license fe

        • by Anonymous Coward

          > Heaven forbid someone makes a mistake calculating required disk storage for JIRA - if that SuperTurd fills up its disk storage it fails spectacularly and corrupts everything.

          Sadly, I've experienced what the AC is talking about =( I mean WTF? The consequences of running out of disk space could / should be better disclosed. (I know, I know... anyone 'worth their salt' should already know better. But still...)

          Otherwise, JIRA's not-too-shabby, especially if you're getting it for the really cheap license fee...

          No.

          No product should ever respond to a failed IO operation by going batshit crazy and corrupting data willy-nilly. Because IO operations can fail for a lot of reasons.

          JIRA's a turd, plain and simple.

        • Re:Not surprising (Score:5, Informative)

          by BitZtream (692029) on Sunday June 30, 2013 @10:21PM (#44150453)

          ... So when they repeatedly state that the built in database is for evaluation purposes ONLY and that usage of it may result in data corruption or loss ... on EVERY PAGE ADMIN PAGE UNTIL YOU SWITCH OFF OF the built in database, that wasn't enough of a warning for you?

          I'm not sure how much more warning you can get, short of them corrupting your database intentionally on a daily basis so you get the point sooner.

    • by Nyder (754090)

      Atlassian has absolute contempt for their paying customers. Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users. JIRA and Crucible use some monstrosity of JavaScript that causes lag when typing into intput fields, and certain versions clash with Ghostery in a way that causes certain characters (e.g. spaces) to be swallowed. It's sad, but it doesn't surprise me at all that they don't care about security in an authentication system.

      Actually you gave the answer why. Since they are focused on new customers, it's all about the money they can get. Fixing stuff cost money, so they don't.

      • Perhaps if they had an issue tracking system they could manage those defects and get them fixed...

        • by rvw (755107)

          Perhaps if they had an issue tracking system they could manage those defects and get them fixed...

          Well it appears you can sign in yourself. So go ahead and file a bug report!

    • Re: (Score:1, Troll)

      by l0ungeb0y (442022)

      Each release of JIRA has functionality and flexibility that people actually want removed in the name of making it easier to use for new users

      What are you talking about? I've been using JIRA for years and have worked with many companies who use JIRA and have heard no complaints about their features. They have many features and they work very well for me and others.

      Personally, I enjoy the Atlassian stack, find it unrivaled in feature coverage and have migrated many clients to the Atlassian stack.
      And I've ever seen any sort of lag when typing in any field in JIRA or Crucible, or Crowd or Greenhopper or Fisheye or Confluence.

      But then again, I don't

      • Re:Not surprising (Score:4, Insightful)

        by _merlin (160982) on Sunday June 30, 2013 @09:46PM (#44150299) Homepage Journal

        But then again, I don't use ghostery, don't know what it is, never heard of it, don't use it and wonder why you expect Atlassian to craft their software stack against third party software.

        It's a browser plugin for blocking intrusive tracking elements in web sites. I've never had it cause trouble with any other web site besides those that intentionally require you to submit to tracking (e.g. airport wi-fi sign-on pages), but those sites will usually detect the elements being blocked and give you an upfront message about it. It's almost like Atlassian went out of their way to make their stuff not work with Ghostery.

        From the tone of your post, you are just leaping at a chance for a cheap jab at Atlassian with trumped up nonsense.

        From the tone of your post you are a shill who has something to gain from Atlassian sales, jumping at a chance for a cheap sales pitch with vague anecdotes.

        Personally, I enjoy the Atlassian stack, find it unrivaled in feature coverage and have migrated many clients to the Atlassian stack.

        Ah, right. You sell Atlassian software. Can you say "conflict of interest"?

        • by l0ungeb0y (442022) on Sunday June 30, 2013 @11:59PM (#44150851) Homepage Journal

          No, I don't sell Atlassian Software, I consult startups for a living.
          I get nothing from Atlassian, and don't put all my clients on Atlassian.
          Many of them I put on Github Enterprise.

          It depends on the client, the product, the development cycle, the team, and the roadmap.
          But hey -- don't let that stop you from making wild and baseless accusations.

        • by Drakonblayde (871676) on Monday July 01, 2013 @12:10AM (#44150881)

          Ah, right. You sell Atlassian software. Can you say "conflict of interest"?

          You're being a dick. It's fairly obviously he does consulting work for clients, and as such, provides them with solutions to meet their requirements and improve their work flow. That's like saying that, just because I'm a network engineer whose decides to implement a Cisco solution for a customer, that I'm selling Cisco hardware.

          You're sounding like a bitter jerk.

          • by drinkypoo (153816)

            That's like saying that, just because I'm a network engineer whose decides to implement a Cisco solution for a customer, that I'm selling Cisco hardware.

            That is what you're doing. You're a middleman. You're at minimum making purchasing decisions on their behalf. And you're getting paid for doing it. You have to justify your actions, so that's what you're doing.

    • by Anonymous Coward
      JIRA helped kill our company.

      Had nothing to do with the technical stuff beyond the fact that it replaced a bunch of people who could derive metrics from database queries -- with a bunch of people who could only use webapps. But the webapp crowd was buzzword-compliant, and the middle of the pack was more than willing to go along in order to put "JIRA" on their resumes. The top devs were driven out because they weren't agile enough, or whatever the managers came up with. (The managers could understand th

    • 4 years ago when I used Atlassian products JIRA was great and worked just fine for our company. Crucible was fine too. Fisheye seemed a bit slow.

      Customer support was responsive. I don't think their other products deserve the vitriol your posting but this backdoor, if indeed put in intentionally by them, is pretty damning.

    • by Anonymous Coward

      >

      That's for the bug that the report actually discusses, not the backdoor that the report mentions but does not discuss.

  • security alerts (Score:5, Insightful)

    by manu0601 (2221348) on Sunday June 30, 2013 @09:35PM (#44150259)

    While it is nice for the persons in charge of this obscure software to be notified about a problem on Slashdot, I am not sure I would be very happy to see that generalized.

    But that leads to a real question: how do you learn about vulnerabilities for the softwares you are in charge?

    • by drinkypoo (153816)

      But that leads to a real question: how do you learn about vulnerabilities for the softwares you are in charge?

      you read one or more risks digests (which used to be a name for a thing, dunno if it still is) as well as whatever security-related information your vendor puts out. If your vendor doesn't make reports of this sort of thing via some sort of standard vector, it's time to start shopping for a new solution.

      • by manu0601 (2221348)

        you read one or more risks digests (which used to be a name for a thing, dunno if it still is)

        That's it. And this is a painful task since you have to filter the information relevant to you.

        In this 2.0 world, it is suprising we did not managed to create some machine-parsable security alert feed (hint: XML), which could be gathered from various vendors and filtered to get the information relevant to a specific installation. In an ideal world, Nagios would get that and send me an alert when I have a pending update for a security alert

      • by manu0601 (2221348)

        you read one or more risks digests

        That's it. It is a painful task because you have to filter hat is relevant to your installation.

        In this 2.0 world, it is odd that we do not have some machine-parsable (hint: XML) format for security information. In an ideal world, I could gather that from various vendors, filter it to fit my installation, feed it to Nagios, and automatically get an alert when I have a pending update for a security alert.

  • Commercial Trash (Score:4, Interesting)

    by gweihir (88907) on Sunday June 30, 2013 @10:00PM (#44150373)

    Unless it starts to really, really hurt selling this kind of trash, not fixing _known_ vulnerabilities and not using secure coding practices, nothing will change. It is just cheaper this way and most customers do not care or cannot do anything anyways. One reason surely is managers at the customers that made this broken decision or supported it and now cannot back out without hurting themselves. Another is that absolutely nothing is going to happen to the vendor legally.

    Unless we start to require sound secure software engineering practices OR ELSE! nothing will change.

  • Today I learned about Atlassian, a company whose software I will never use.

  • The NSA has pretty much proven to me that the INTERNET is an "un-patched vulnerability..."

  • The original report says about the last vulnerability discussed (but not disclosed)

    Indicators such as covert positioning, the use of special parameters, absence of log messages, facilitation of persistence, and apparent lack of legitimate purpose suggest that this vulnerability could be classified as a symmetric backdoor if malicious intent were to be established (which it has not).

    I like the tone: they stop short of stating this is a deliberate backdoor of the worst kind, but give extremely convincing argument that it is one.

    • by Anonymous Coward on Monday July 01, 2013 @05:24AM (#44151935)

      I work for Atlassian and the author has not yet disclosed the vulnerability described in the "UNPATCHED VULNERABILITIES" section to us.

      Atlassian provides source code for most of our products (including Crowd) to paying customers. We would never deliberately build a backdoor into any of our products and I personally would never work for a company that would do that.

  • Appropriately enough, they are looking to hire a "Director of Security" in their Sydney office.

    https://www.atlassian.com/company/careers/jobs/listing?org=ATLASSIAN&cws=1&rid=688

    (Actually, Atlassian make some really good software and it would be a great place to work.)

  • Having read TFA, I don't *think* the embedded version of Crowd used for LDAP/AD authentication in JIRA since 5.x is effected by this, but it doesn't explicitly say it isn't. Anybody know for certain?

The world is moving so fast these days that the man who says it can't be done is generally interrupted by someone doing it. -- E. Hubbard

Working...