Posts tagged ‘apache’

Jira at apache.org was hacked

The Apache Infrastructure Team released its Incident Report 04/09/2010 today, 13 April 2010, about the hack of jira.apache.org.

Thank you guys for this helpful disclosure.

There is still no clear information available today about the root cause of the Atlassian security breach (published yesterday).

Today we got detailed information from the Apache Infrastructure Team about the break-in at jira.apache.org:

1. We notified Atlassian of the previously unreported XSS attack in JIRA and contacted SliceHost. Atlassian was responsive. Unfortunately, SliceHost did nothing and 2 days later, the very same virtual host (slice) attacked Atlassian directly.
2. The attackers had root access on brutus.apache.org for several hours, and we could no longer trust the operating system on the original machine.
3. Service isolation worked with mixed results. The attackers must be presumed to have copies of our Confluence and Bugzilla databases, as well as our JIRA database, at this point.

UNBELIEVABLE!

What to do now:

  1. Check out all background information about this JIRA vulnerability.
  2. Check and upgrade all non-internal JIRA and other Atlassian systems worldwide to prevent these attacks.

And we all should never forget:
Install third-party applications as root and run them as a user with limited privileges.

[1] Apache Infrastructure Team Incident Report (13 Apr 2010) related to jira.apache.org
[2] Max on Improving Web Security: Six Ways the Apache.org JIRA Attack Could Have Been Prevented by Better Cod (13 Apr 2010)

Tuesday, 13 April 2010 at 14:21 UTC
