Backdoor Discovered In Atlassian Crowd

An anonymous reader writes "Recently published on the Command Five website is a technically detailed threat advisory (PDF) in relation to a recurring vulnerability in Atlassian Crowd. Tucked away inconspicuously at the end of this document in a section entitled 'Unpatched Vulnerabilities' is the real security bombshell: Atlassian's turnkey solution for enterprise single sign-on and secure user authentication contains an unpatched backdoor. The backdoor allows anyone to remotely take full control of a Crowd server and, according to Command Five, successful exploitation 'invariably' results in compromise of all application and user credentials as well as accessible data storage, configured directories (for example Active Directory), and dependent systems."
  • security alerts (Score:5, Insightful)

    by manu0601 ( 2221348 ) on Sunday June 30, 2013 @09:35PM (#44150259)

    While it is nice for the persons in charge of this obscure software to be notified about a problem on Slashdot, I am not sure I would be very happy to see that generalized.

    But that leads to a real question: how do you learn about vulnerabilities for the software you are in charge of?

  • Re:Not surprising (Score:4, Insightful)

    by _merlin ( 160982 ) on Sunday June 30, 2013 @09:46PM (#44150299) Homepage Journal

    But then again, I don't use ghostery, don't know what it is, never heard of it, don't use it and wonder why you expect Atlassian to craft their software stack against third party software.

    It's a browser plugin for blocking intrusive tracking elements in web sites. I've never had it cause trouble with any other web site besides those that intentionally require you to submit to tracking (e.g. airport wi-fi sign-on pages), but those sites will usually detect the elements being blocked and give you an upfront message about it. It's almost like Atlassian went out of their way to make their stuff not work with Ghostery.

    From the tone of your post, you are just leaping at a chance for a cheap jab at Atlassian with trumped up nonsense.

    From the tone of your post you are a shill who has something to gain from Atlassian sales, jumping at a chance for a cheap sales pitch with vague anecdotes.

    Personally, I enjoy the Atlassian stack, find it unrivaled in feature coverage and have migrated many clients to the Atlassian stack.

    Ah, right. You sell Atlassian software. Can you say "conflict of interest"?

  • Re:Huh? (Score:4, Insightful)

    by Drakonblayde ( 871676 ) on Monday July 01, 2013 @07:31AM (#44152303)

    There's not a single major piece of software that hasn't had security flaws at one point or another. Remember when OpenBSD's web page bragged about no remote security holes in the default install? Even they've had two, and those boys are the epitome of paranoid security freaks.

    So I can forgive Atlassian to a degree, as long as they fix the damn thing, and fix it in a hurry. If your standard of 'good' software is no security holes at all, then I'm afraid you're going to have to log off and go back to playing with Legos.

    Some of Atlassian's software is easy to use, and some of it can overwhelm a user. I've run into a few coworkers who hated Confluence, and it was because they couldn't figure out how to do what they wanted. After I showed them, the gripes mysteriously disappeared. Confluence and JIRA are good pieces of software. Not perfect, but they serve their purpose.
