Monday, April 19, 2010

===============

jira.jboss.org security incident notification
-----------------------------------------------------------------

Our jboss.org community infrastructure was recently the target of a cyber attack.
The incident was related only to jboss.org infrastructure and does not affect JBoss
Enterprise software product offerings.

The focus of this attack was jira.jboss.org, a machine which runs a free
Atlassian JIRA instance used for tracking of issues with various jboss.org
related projects. The attack was consistent with other recent high-profile
attacks:

https://blogs.apache.org/infra/entry/apache_org_04_09_2010
http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html
http://in.relation.to/Bloggers/HibernateJIRACompromised

We believe the jboss.org JIRA instance was compromised via a previously
unknown cross-site scripting (XSS) attack. This attack eventually allowed
administrative access to the JIRA instance on April 11th, 2010, and subsequently
access to user credentials from a backend database, containing passwords hashed
without a random salt.
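The point about passwords hashed without a random salt is worth seeing in code. The following is an added example, not code from jboss.org, Atlassian or the JIRA product: it shows that an unsalted digest table exposes every account sharing a password (and lets one precomputed common-password list be checked against all users at once), and how a per-user random salt with a slow KDF removes that property. The user names, passwords, the choice of SHA-1 for the weak scheme, PBKDF2-HMAC-SHA256 with 100,000 iterations for the hardened scheme, and the wordlist are all constructed assumptions; the advisory does not say which algorithm JIRA used.

```python
"""Unsalted vs. salted password storage: why a leaked unsalted table is worse.

All data below is constructed for illustration (not from the jboss.org incident).
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# --- Weak scheme: fast, unsalted digest (assumption: SHA-1 chosen as an example) ---
def unsalted_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# --- Hardened scheme: per-record random salt + PBKDF2-HMAC-SHA256 ------------------
PBKDF2_ITERATIONS = 100_000  # assumption: tune to the server's CPU budget

def salted_hash(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest

def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)

# --- Constructed sample accounts (two users happen to share a password) -------------
USERS: Dict[str, str] = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery",
}
COMMON_PASSWORDS: List[str] = ["password", "hunter2", "letmein"]  # constructed list

def build_unsalted_table(users: Dict[str, str]) -> Dict[str, str]:
    return {user: unsalted_hash(pw) for user, pw in users.items()}

def build_salted_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    return {user: salted_hash(pw) for user, pw in users.items()}

def shared_digests(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users whose unsalted digests are identical.

    Without a salt, identical passwords give identical digests, so a leaked table
    reveals password reuse across accounts before any guessing is done.
    """
    groups: Dict[str, List[str]] = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}

def weak_password_audit(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Defender-side audit: which accounts use a password from the common list?

    One precomputed {digest: word} map answers this for every user of an unsalted
    table at once. With per-user salts the same audit must recompute the KDF for
    each (user, word) pair, which is exactly the cost salting is meant to impose.
    """
    lookup = {unsalted_hash(word): word for word in wordlist}
    return {user: lookup[d] for user, d in table.items() if d in lookup}

if __name__ == "__main__":
    weak = build_unsalted_table(USERS)
    print("users sharing an unsalted digest:", shared_digests(weak))
    print("accounts matching the common list:", weak_password_audit(weak, COMMON_PASSWORDS))

    strong = build_salted_table(USERS)
    print("alice/bob salted digests differ:", strong["alice"][1] != strong["bob"][1])
    print("bob verifies with correct password:", verify_salted("hunter2", *strong["bob"]))
    print("bob verifies with wrong password:", verify_salted("hunter3", *strong["bob"]))
```

Note that the salted table stores the salt beside the digest in the clear; the salt is not a secret, its job is only to make every record's digest unique so precomputation and reuse detection no longer transfer between accounts.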

Just as in the recent attacks on Apache.org and Atlassian.com's sites, the
attack against the jboss.org infrastructure originated from Slicehost and
shares similar traits and tactics.



What does this mean?
---------------------------------

If you are a user of jboss.org services which require a login, your account
credentials may have been compromised as a result of this attack.

We strongly advise users of our services to maintain different passwords for
any other services and applications they may consume. In the event that you
may have used the same password on a system in addition to the jboss.org
related machines, we recommend that you change those passwords immediately.

We also note that JBoss Enterprise software product offerings were not impacted by this
attack.



What steps have been taken to address the issue?
---------------------------------------------------------------------------

We have taken a number of actions to help address and improve the security of
our offering to the jboss.org community.

* Shortly after Atlassian provided a patch for the XSS attack against JIRA,
our system administrators applied the patches to our systems.

* Our system administrators began an audit of these systems after the public
disclosures of Apache.org and Atlassian.com's recent attacks. Initial
investigation did not reveal any indications of a compromise, and we posted
these findings on the jboss.org community site on April 16, 2010.
Upon closer examination and application of a second round of patches we discovered
there had been an intrusion on the JIRA application; however, the circumstances of the
attack differed slightly from previous disclosures and left different signatures. This
discovery was made on Saturday, April 17th.

* We have quarantined the jboss.org Subversion repositories in order to
conduct an audit and help ensure their integrity before we make them
available again. We're also checking other jboss.org systems to make sure their
data has not been compromised. Our investigation to date does not show any
unintentional changes.

* We have also forced lockout on credentials that we believe may have been at
risk, and have notified the owners of those accounts as to the possible
compromise of the account information.

* We are investigating additional controls around the authentication mechanism
of this system, and will look to improve the application's security and
tolerance to attacks.

* Strong system level security, including the use of SELinux in enforcing
mode, helped ensure the integrity of the underlying OS. Detailed logging
helped track and recreate the attack.

We published this announcement so that our community members may learn from
our experiences managing through this event and will examine their own JIRA instances
accordingly to ensure that they are better protected and secured as well.

Atlassian's recent update may be of value to our users, in helping to ensure
their own JIRA instance integrity:

http://confluence.atlassian.com/display/JIRA/Security+Addendum+2010-04-16+-+Determining+if+your+public+JIRA+instance+has+been+compromised