CWD-3366
Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network

Date: Jun 18, 2013, 10:44 p.m. (2013-06-18 22:44:59)
Source: jira.atlassian.com

CVSS2: 6.4 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:P)
Attack Vector: NETWORK, Attack Complexity: LOW, Authentication: NONE, Confidentiality Impact: PARTIAL, Integrity Impact: NONE, Availability Impact: PARTIAL

CVSS3: 9.1 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: NONE, User Interaction: NONE, Scope: UNCHANGED, Confidentiality Impact: HIGH, Integrity Impact: NONE, Availability Impact: HIGH

EPSS: 0.459 Medium (percentile 97.4%)

h3. Description
This issue has been assigned CVE-2013-3925 by Mitre Corporation.
The earlier issue CVE-2012-2926 (August 2012, CVSS score 6.4) was patched by introducing a new XFire servlet component into Crowd that disables external entity resolution during XML parsing.
That component is configured for URLs matching the pattern {{/crowd/services/}}, but it does not intercept calls to {{/crowd/services/2/}} (and similar sub-paths), so requests sent to those paths are still parsed with external entity resolution enabled.
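
To make the class of bug concrete, here is an added example (Python, not Crowd's or XFire's code) of the two parser behaviours the description contrasts: a parser whose entity resolver fetches whatever SYSTEM identifier the request's DTD names, which is what lets a request body read a local file, and the same parser with DTD processing refused, which is the state the XFire component is meant to enforce on every path. The request body, the secrets file and the `crowd.password` property name are constructed for the example; the file is written to a temporary path and removed again.

```python
import os
import tempfile
from xml.parsers import expat

# Constructed sample data for the example: a property file an attacker
# wants to read, and a request body that references it through an
# external general entity declared in the DOCTYPE (the XXE pattern).
SECRET = "crowd.password=hunter2\n"


def xxe_payload(path):
    """Build a request body whose DTD declares an external entity that
    points at `path` and then references it inside an element."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE request [<!ENTITY leak SYSTEM "file://{path}">]>'
        "<request><name>&leak;</name></request>"
    ).encode()


def vulnerable_parse(xml_bytes):
    """Parser with a resolver that loads any SYSTEM id it is handed.

    This is the pre-fix behaviour the advisory describes: external entities
    are resolved, so the DTD in an attacker-supplied request can pull a local
    file (or, with an http:// id, a remote URL) into the parsed document."""
    parser = expat.ParserCreate()
    text = []

    def on_chars(data):
        text.append(data)

    def on_external_entity(context, base, system_id, public_id):
        # Naive resolver: map file:// to a path and read it.  The child
        # parser inherits on_chars, so the file contents land in `text`.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            entity_data = fh.read()
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(entity_data, True)
        return 1  # non-zero tells expat the reference was handled

    parser.CharacterDataHandler = on_chars
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text)


def hardened_parse(xml_bytes):
    """Same parser with DTD processing refused outright.

    Rejecting every DOCTYPE means no entity, internal or external, can be
    declared, which is the simplest equivalent of "disable external entity
    resolution".  As a second line of defence the resolver is also told to
    fail any external reference that somehow still gets this far."""
    parser = expat.ParserCreate()
    text = []

    def on_chars(data):
        text.append(data)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted")

    parser.CharacterDataHandler = on_chars
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = lambda *args: 0  # 0 = refuse, parse fails
    parser.Parse(xml_bytes, True)
    return "".join(text)


def demo():
    """Run both parsers against a request that references a temporary
    secrets file; return what each produced."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write(SECRET)
        secret_path = fh.name
    try:
        payload = xxe_payload(secret_path)
        leaked = vulnerable_parse(payload)
        try:
            hardened_parse(payload)
            hardened = "parsed"
        except (ValueError, expat.ExpatError) as exc:
            hardened = f"rejected: {exc}"
    finally:
        os.unlink(secret_path)
    return {"vulnerable": leaked, "hardened": hardened}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The practical lesson from the ticket is that the hardened parser is only a fix if it sits in front of every endpoint that accepts XML: the `/crowd/services/2/` paths here were still served by a parser of the first kind.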

h3. Scope
A successful attack requires direct access to the Crowd REST interface. As a result, only standalone Crowd servers are affected.

The common configuration in which an internal Crowd server is used by an Internet-facing Confluence, JIRA or other product is not vulnerable to an attack from the Internet, because the attacker cannot reach the Crowd interface directly.

h3. Fix
Please upgrade Crowd to 2.5.4 or 2.6.3. The issue has been resolved in these versions.

h3. Workaround
For older versions of Crowd, a patched {{xfire-servlet.xml}} is attached to this ticket. It must replace the existing copy inside the {{crowd-server}} jar in your installation. See [here|https://confluence.atlassian.com/pages/viewpage.action?pageId=376836952] for instructions on how to apply the patch.

If you use a Web Application Firewall, Apache ACLs or similar technology, you can restrict access to {{/crowd/services}} so that only the hosts that legitimately call the Crowd API can reach it.

h3. Patch instructions
Besides upgrading to a fix version, older versions can be patched if you are unable to upgrade. The fix requires replacing the {{xfire-servlet.xml}} file in the {{crowd-server}} jar.

h4. Patching
The corrected version of the file can be used with Crowd 2.3.7, 2.4.1 or any 2.5 or 2.6 release. See {{xfire-servlet.xml}} attached to this issue.

For example, for Crowd 2.4.2, run the following from the directory that holds the attached file, so that {{zip -u}} stores it at the root of the jar:
{noformat}
zip -u atlassian-crowd-2.4.2/crowd-webapp/WEB-INF/lib/crowd-server-2.4.2.jar xfire-servlet.xml
{noformat}

Alternatively, copy the attached [xfire-servlet.xml|https://jira.atlassian.com/secure/attachment/94422/xfire-servlet.xml] to {{crowd-webapp/WEB-INF/classes}}; the servlet container loads {{WEB-INF/classes}} before the jars in {{WEB-INF/lib}}, so this copy takes precedence over the one inside the jar. Restart Crowd afterwards in either case.

h4. Older versions
With versions 2.1.2 or 2.2.9, extract {{xfire-servlet.xml}} from the jar and edit it by hand to remove all {{urlMap}} entries other than the first {{key="/*"}} entry (the three marked entries below), then put the edited file back as described above:

{code:lang=none}
<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="urlMap">
        <map>
            <entry key="/*" value-ref="securityServerService"/>
            <!-- remove the following three entries -->
            <entry key="/1/*" value-ref="securityServerService"/>
            <entry key="/2/*" value-ref="securityServerService2"/>
            <entry key="/latest/*" value-ref="securityServerService2"/>
        </map>
    </property>
</bean>
{code}
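
To apply and verify both procedures above (replacing {{xfire-servlet.xml}} inside the jar, and the older-version edit that leaves only the {{/*}} entry) without hand-editing a zip, here is an added example in Python. It is not Atlassian's tooling: the jar and its {{xfire-servlet.xml}} are constructed in a temporary directory from the bean shown in the ticket, the bean class name is the real Spring one, and the jar name {{crowd-server-2.2.9.jar}} is assumed for the example.

```python
import shutil
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# The Spring bean whose urlMap decides which paths reach which XFire service.
MAPPING_CLASS = "org.springframework.web.servlet.handler.SimpleUrlHandlerMapping"

# Constructed stand-in for the unpatched file, laid out as in the ticket.
UNPATCHED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<beans>
  <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="urlMap">
      <map>
        <entry key="/*" value-ref="securityServerService"/>
        <entry key="/1/*" value-ref="securityServerService"/>
        <entry key="/2/*" value-ref="securityServerService2"/>
        <entry key="/latest/*" value-ref="securityServerService2"/>
      </map>
    </property>
  </bean>
</beans>
"""


def _local(tag):
    """Strip a namespace so the checks work whether or not the file declares
    the Spring beans namespace."""
    return tag.rsplit("}", 1)[-1]


def _url_map(root):
    """Return the <map> element under the mapping bean's urlMap property."""
    for bean in root.iter():
        if _local(bean.tag) == "bean" and bean.get("class") == MAPPING_CLASS:
            for prop in bean:
                if _local(prop.tag) == "property" and prop.get("name") == "urlMap":
                    for child in prop:
                        if _local(child.tag) == "map":
                            return child
    raise ValueError("no SimpleUrlHandlerMapping urlMap found")


def url_map_keys(xml_bytes):
    """Keys of the urlMap, in file order."""
    return [e.get("key") for e in _url_map(ET.fromstring(xml_bytes)) if _local(e.tag) == "entry"]


def restrict_to_root_entry(xml_bytes):
    """Older-version workaround: drop every urlMap entry except key="/*"."""
    root = ET.fromstring(xml_bytes)
    url_map = _url_map(root)
    for entry in list(url_map):
        if _local(entry.tag) == "entry" and entry.get("key") != "/*":
            url_map.remove(entry)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def replace_in_jar(jar, member, data):
    """Rewrite `jar` with `member` replaced by `data`, keeping a .bak copy.

    Does what the ticket's `zip -u` does, but refuses to run if the member is
    missing (a sign you picked the wrong jar) and re-reads the result."""
    jar = Path(jar)
    with zipfile.ZipFile(jar) as src:
        if member not in src.namelist():
            raise FileNotFoundError(f"{member} is not in {jar}")
    backup = jar.with_name(jar.name + ".bak")
    shutil.copy2(jar, backup)
    tmp = jar.with_name(jar.name + ".tmp")
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == member:
                dst.writestr(member, data)
            else:
                dst.writestr(info, src.read(info.filename))
    tmp.replace(jar)
    with zipfile.ZipFile(jar) as check:
        if check.read(member) != data:
            raise RuntimeError(f"{member} did not round-trip in {jar}")
    return backup


def demo():
    """Build a throwaway jar holding the unpatched file, apply the workaround,
    and report the urlMap keys before and after."""
    workdir = Path(tempfile.mkdtemp())
    jar = workdir / "crowd-server-2.2.9.jar"  # assumed name for the example
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("xfire-servlet.xml", UNPATCHED_XML)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    before = url_map_keys(UNPATCHED_XML)
    patched = restrict_to_root_entry(UNPATCHED_XML)
    backup = replace_in_jar(jar, "xfire-servlet.xml", patched)
    with zipfile.ZipFile(jar) as zf:
        after = url_map_keys(zf.read("xfire-servlet.xml"))
    shutil.rmtree(workdir)
    return {"before": before, "after": after, "backup_made": backup.name.endswith(".bak")}
```

Against a real installation, point `replace_in_jar` at the {{crowd-server}} jar under {{crowd-webapp/WEB-INF/lib}} and feed it the attached file (or the output of `restrict_to_root_entry` on the extracted one), then use `url_map_keys` on the jar's member to confirm the change before restarting Crowd.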

{panel}
We have documented a security notice regarding this matter at - [Crowd Security Notice 2013-07-01|https://confluence.atlassian.com/display/CROWD/Crowd+Security+Notice+2013-07-01]
{panel}

Affected configurations (Vulners)

Atlassian Crowd: 2.3.8, 2.4.9, 2.5.3, 2.6.2, or any release < 2.5.4, < 2.6.3 or < 2.7
