[server-admins] [Fwd: JIRA Security Advisory for Public-facing JIRA instances]
DM Smith
dmsmith at crosswire.org
Fri Apr 16 11:22:22 MST 2010
I got notification from Jira of the security problem that we need to
take care of.
This problem only affects admins. For the time being I'm revoking all
admin access except for me. If you need admin access before then contact
me and we'll work something out. (These are chrisburrel, chrislit, joe,
mdbergmann, niccarter, scribe)
Here's a summary:
The cross-site scripting attack is done by someone creating a Jira
account and adding a URL to an issue (in the case of Apache, this was
hidden as a tiny URL). A logged-in Jira admin who clicks on that URL
would give away their admin access.
Once admin access has been compromised, all the passwords in Jira are at
risk.
The obvious problem is that people, including myself, reuse passwords.
In the case of Apache, one admin also had root access and used the same
password for both. Big oops.
There are some things we can do:
a) Update Jira. (Takes time and something needs to be done in the interim.)
b) Revoke admin access until the update. (If there is no access, there
is no risk. But contact me if that hampers you.)
c) Educate admins. (Hopefully this is sufficient. If not, Apache has a
full write-up of the problem as it happened to them.)
d) Monitor all issues in Jira. (I'm going to turn on mail to me for all
issue changes.)
e) Require approval of all new accounts. (I'm not going to do this. The
daily number of changes is low and easy to monitor.)
In Him,
DM
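As an added illustration of option (d), monitoring issue changes by mail, here is a small filter that a server admin could run over issue-change notifications. It is example code written for this page, not part of the original mail or of Jira, and it flags the two things the mail calls out: links routed through a URL shortener (the Apache link was hidden as a tiny URL) and HTML links whose visible text points at a different host than the real target. The shortener list, the notification format and the sample issue keys and hostnames are all constructed assumptions.

```python
"""Flag suspicious links in Jira issue-change notification mails.

Added example, not code from the original mail or from Jira.  The list of
shortener hosts, the notification layout and the sample data are assumptions.
"""
import re
from urllib.parse import urlparse

# Assumed list of URL-shortener hosts; extend it for your own environment.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "is.gd", "ow.ly"}

# A bare http(s) URL, stopping at whitespace, quotes or angle brackets.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)
# An HTML anchor: capture the real href and the text the reader sees.
ANCHOR_RE = re.compile(r"""<a\s+[^>]*href=["']([^"']+)["'][^>]*>(.*?)</a>""",
                       re.IGNORECASE | re.DOTALL)

# Constructed sample notifications (issue keys and hosts are placeholders).
SAMPLE_NOTIFICATIONS = {
    "benign": "[JIRA] (JS-1) Bible view scrolls wrong\n"
              "See the screenshot at http://wiki.example/Screenshot",
    "shortener": "[JIRA] (JS-2) Font bug\n"
                 "Reproduce with this page: http://tinyurl.com/placeholder",
    "mismatch": "[JIRA] (JS-3) Login issue\n"
                '<a href="http://evil.example/x">http://jira.example/browse/JS-3</a>',
}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_shortener(url):
    """True when the URL's host is a known shortener (ignoring a www. prefix)."""
    host = host_of(url)
    if host.startswith("www."):
        host = host[4:]
    return host in SHORTENER_HOSTS


def check_notification(body):
    """Return a list of (url, reason) findings for one notification body."""
    findings = []
    # 1. A shortener link hides its real destination from the admin.
    for url in URL_RE.findall(body):
        if is_shortener(url):
            findings.append((url, "url-shortener"))
    # 2. An anchor whose visible text is a URL on a different host than the href.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and host_of(shown.group(0)) != host_of(href):
            findings.append((href, "link-text-mismatch"))
    return findings


def triage(notifications):
    """Map each notification name to its findings, dropping clean ones."""
    result = {}
    for name, body in notifications.items():
        findings = check_notification(body)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_NOTIFICATIONS).items():
        for url, reason in findings:
            print(f"{name}: {reason}: {url}")
```

The filter is deliberately conservative: it never follows a link, so it works offline on the mail text alone, and a flagged issue is something for the admin to open from a plain, logged-out browser session rather than by clicking the link in the notification.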