-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 This email refers to the advisory found at https://confluence.atlassian.com/x/iPQyO and https://confluence.atlassian.com/x/h-QyO . CVE ID: * CVE-2017-16861. Product: Fisheye and Crucible. Affected Fisheye and Crucible product versions: version < 4.4.5 4.5.0 <= version < 4.5.2 Fixed Fisheye and Crucible product versions: * for 4.5.x, Fisheye 4.5.2 has been released with a fix for this issue. * for 4.5.x, Crucible 4.5.2 has been released with a fix for this issue. * for 4.4.x, Fisheye 4.4.5 has been released with a fix for this issue. * for 4.4.x, Crucible 4.4.5 has been released with a fix for this issue. Summary: This advisory discloses a critical severity security vulnerability in Fisheye and Crucible. Versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by this vulnerability. Customers who have upgraded their Fisheye and Crucible installations to version 4.4.5 or 4.5.2 are not affected. Customers who have downloaded and installed Fisheye or Crucible less than 4.4.5 (the fixed version for 4.4.x) or who have downloaded and installed Fisheye or Crucible >= 4.5.0 but less than 4.5.2 (the fixed version for 4.5.x) please upgrade your Fisheye and Crucible installations immediately to fix this vulnerability. Remote code execution through OGNL double evaluation (CVE-2017-16861) Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment. Description: It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur. An attacker who can access the web interface of Fisheye or Crucible or who hosts a website that a user who can access the web interface of Fisheye or Crucible visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Fisheye or Crucible. Versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/FE-6991 . Fix: To address this issue, we've released the following versions containing a fix: * Fisheye version 4.5.2 * Fisheye version 4.4.5 * Crucible version 4.5.2 * Crucible version 4.4.5 Remediation: Upgrade Fisheye and Crucible to version 4.5.2 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. If you are running Fisheye or Crucible 4.4.x and cannot upgrade to 4.5.2, upgrade to version 4.4.5. For a full description of the latest version of Fisheye, see the release notes found at https://confluence.atlassian.com/display/FISHEYE/Fisheye+releases. You can download the latest version of Fisheye from the download centre found at https://www.atlassian.com/software/fisheye/download. For a full description of the latest version of Crucible, see the release notes found at https://confluence.atlassian.com/display/CRUCIBLE/Crucible+releases. You can download the latest version of Crucible from the download centre found at https://www.atlassian.com/software/crucible/download. Support: If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/. -----BEGIN PGP SIGNATURE----- iQI0BAEBCgAeBQJafPV0FxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8 UnagpA0P/3TVLzwWiv7wwRqnTyhkR9UucS9rz0szFH567oEWISGCXXN6uNLqzMKS v9Eiw3xKIfeuk1kHy+QgamdVMugd4uUyUl1efDNURuAUDvbbA8BSJmQnElRU0bZ1 yLzdp6WYvc5gzV2ZvpjDi8FF9nXdQXoZWGFUzzRr9NNFmEo2KRJUkoxQNfiRnwX6 KV1koTWW7HeFVmwPNfPUL04CFPpZWrmZIwJTCnv5wojyzKW7tsegm8dIQsDVNplH 1r+KX/kpTYF2aVVEBDoqbKzKLVyYmjrKuMFw+O7CWncObYrM1y7317lVbG6/BylM q715mR0tV4xJV8xgliRc1qd/hydcnc8DhhlV1cm1eNORX74/nLeOuWG85t8vu/Cq 5jOLnsbKaSc35iwBLNKrVEbM7mq0zzL4e7sbPqKfWmzoKoU6wwBffcbQI6AAP/pg qtD3giHbxOJSiq9f4GczGxvnr0F2hZOhRbAg9ZzzdhvA9wZx/Bb3q1JDgG5U9vuw puIes4ydBByoB/slTbPvg6DAutZLQ48iJITPfkzBGdXJ9ayMNJ4qSV5rV3T/94pe VMLZ7K7RbqYFLoEXtbTPY7E5SHGLuWhcTOEJ4c/Pl7RJoj1zK8q0sagF/XB51KpR FdA3TegZD3PrAvy970UGymrUdqoW3D6GEvFO0IXOXAT9f7Cgx/pZ =dOdm -----END PGP SIGNATURE-----