-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Monday, April 19, 2010
===============

jira.jboss.org security incident notification
- -----------------------------------------------------------------

Our jboss.org community infrastructure was recently the target of a cyber attack. The incident was related only to jboss.org infrastructure and does not affect JBoss Enterprise software product offerings.

The focus of this attack was jira.jboss.org, a machine which runs a free Atlassian JIRA instance used for tracking issues with various jboss.org related projects.

The attack was consistent with other recent high profile attacks:

https://blogs.apache.org/infra/entry/apache_org_04_09_2010
http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html
http://in.relation.to/Bloggers/HibernateJIRACompromised

We believe the jboss.org JIRA instance was compromised via a previously unknown cross-site scripting (XSS) attack. This attack eventually allowed administrative access to the JIRA instance on April 11th, 2010, and subsequently exposed user credentials from a backend database, containing passwords hashed without a random salt.

Just as in the recent attacks on Apache.org and Atlassian.com's sites, the attack against the jboss.org infrastructure originated from Slicehost and shares similar traits and tactics.

What does this mean?
- ---------------------------------

If you are a user of jboss.org services which require a login, your account credentials may have been compromised as a result of this attack. We strongly advise users of our services to maintain different passwords for any other services and applications they may consume. If you have used the same password on any other system in addition to the jboss.org related machines, we recommend that you change those passwords immediately.

We also note that JBoss Enterprise software product offerings were not impacted by this attack.

What steps have been taken to address the issue?
- ---------------------------------------------------------------------------

We have taken a number of actions to help address and improve the security of our offering to the jboss.org community.

* Shortly after Atlassian provided a patch for the XSS attack against JIRA, our system administrators applied the patches to our systems.

* Our system administrators began an audit of these systems after the public disclosures of Apache.org and Atlassian.com's recent attacks. Initial investigation did not reveal any indications of a compromise, and we posted these findings on the jboss.org community site on April 16, 2010. Upon closer examination and application of a second round of patches we discovered there had been an intrusion on the JIRA application; however, the circumstances of the attack differed slightly from previous disclosures and left different signatures. This discovery was made on Saturday, April 17th.

* We have quarantined the jboss.org Subversion repositories in order to conduct an audit and help ensure their integrity before we make them available again. We are also checking other jboss.org systems to make sure their data has not been compromised. Our investigation to date does not show any unintended changes.

* We have also forced a lockout on credentials that we believe may have been at risk, and have notified the owners of those accounts as to the possible compromise of their account information.

* We are investigating additional controls around the authentication mechanism of this system, and will look to improve the application's security and tolerance to attacks.

* Strong system-level security, including the use of SELinux in enforcing mode, helped ensure the integrity of the underlying OS. Detailed logging helped track and recreate the attack.
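The advisory's key technical detail is that the leaked database held passwords "hashed without a random salt", which is why reused passwords on other sites are at risk. The following is an added illustration written for this page, not code from jboss.org, Red Hat or Atlassian, and it does not claim to reproduce the hash scheme JIRA used: the sample users, the word list and the choice of SHA-256/PBKDF2 are constructed assumptions. It shows why an unsalted hash lets an attacker crack every user with one precomputed table, and how a per-user random salt plus key stretching defeats that lookup.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple, Iterable

# Constructed sample data (assumption): two users who chose the same
# password, the reuse case the advisory warns about.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2"}

# Constructed word list (assumption) standing in for an attacker's
# precomputed table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "hunter2", "letmein"]

PBKDF2_ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Weak scheme: a single deterministic digest per password, no salt.
    Any two users with the same password get the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Lookup-table attack against an unsalted database: the table is built
    once and reused against every user and every leak of the same scheme."""
    table = {unsalted_hash(candidate): candidate for candidate in wordlist}
    return table.get(digest)


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Hardened scheme: 16 random bytes of per-user salt plus PBKDF2-HMAC-SHA256
    stretching. Returns (salt, derived_key); both are stored with the account."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived


def verify_salted(password: str, salt: bytes, expected: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, derived = salted_hash(password, salt, iterations)
    return hmac.compare_digest(derived, expected)


def demo() -> Tuple[bool, dict, bool]:
    """Contrast the two schemes on the constructed users.

    Returns (identical_unsalted_digests, cracked_by_table, salted_digests_differ).
    """
    unsalted = {user: unsalted_hash(pw) for user, pw in SAMPLE_USERS.items()}
    identical = unsalted["alice"] == unsalted["bob"]
    cracked = {user: crack_unsalted(d, COMMON_PASSWORDS) for user, d in unsalted.items()}

    salted = {user: salted_hash(pw) for user, pw in SAMPLE_USERS.items()}
    differ = salted["alice"][1] != salted["bob"][1]
    return identical, cracked, differ


if __name__ == "__main__":
    identical, cracked, differ = demo()
    print("unsalted digests identical for alice/bob:", identical)
    print("recovered from lookup table:", cracked)
    print("salted digests differ for the same password:", differ)
```

With the unsalted scheme both constructed users share one digest and both fall to the four-entry table in a single pass; with a random salt the same password yields different stored values, so an attacker must run the stretched derivation separately per account, and the table built from one leak is worthless against any other.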
We published this announcement so that our community members may learn from our experiences managing through this event and will examine their own JIRA instances accordingly to ensure that they are better protected and secured as well.

Atlassian's recent update may be of value to our users, in helping to ensure their own JIRA instance integrity:

http://confluence.atlassian.com/display/JIRA/Security+Addendum+2010-04-16+-+Determining+if+your+public+JIRA+instance+has+been+compromised
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFLzMfMXlSAg2UNWIIRAsx4AKCZRSMF65tPQwEIPuNvA5vyvWOyGACfak8m
bCgYxOOR10ZnCPJCROOBuyk=
=eAjd
-----END PGP SIGNATURE-----