Apache's Atlassian JIRA system compromised
The Apache Software Foundation has detailed how its hosted Atlassian JIRA, Confluence and Bugzilla systems, and the hashed passwords they held, were compromised in a direct targeted attack on the open source project's infrastructure. Because the JIRA and Confluence systems store passwords as a SHA-512 hash without a random salt, the Infrastructure team believes that the risk to users with simple passwords is high and recommends that most users change their password. Users who logged into Apache's JIRA between April 6th and April 9th should also consider their passwords compromised.
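The point about unsalted SHA-512, as an added example that is not from the article or from Apache or Atlassian: constructed sample hashes show why one precomputed dictionary recovers every user's simple password at once, while a per-user random salt with a work factor (PBKDF2-HMAC-SHA512 here) forces separate work for each user. The usernames, wordlist and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist of simple passwords (not from the article).
COMMON_PASSWORDS = ["123456", "qwerty", "letmein", "apache", "password"]


def unsalted_sha512(password: str) -> str:
    """The scheme the article describes: a fast hash with no random salt."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """One hash per word; the same table works against every unsalted store."""
    return {unsalted_sha512(w): w for w in words}


def recover_unsalted(stored: dict, table: dict) -> dict:
    """Dictionary lookup: weak passwords are found with no extra hashing per user."""
    return {user: table[h] for user, h in stored.items() if h in table}


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Hardened form: 16-byte random salt plus an iteration count."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_salted(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    digest = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def recover_salted(records: dict, words):
    """With salted records the table is useless: each (user, word) pair must be
    hashed on its own. Returns the matches and the number of hash operations
    needed, which grows with the number of users instead of staying fixed."""
    found, work = {}, 0
    for user, rec in records.items():
        for w in words:
            work += 1
            if verify_salted(rec, w):
                found[user] = w
                break
    return found, work
```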
According to a detailed post-mortem report, the attackers targeted the Foundation's donated instance of the Atlassian JIRA issue tracker with a combination of cross-site scripting and brute force password attacks launched from a compromised Slicehost server. One of these attacks succeeded, and on April 6th the attackers gained administrator access to the JIRA instance. They used that access to install a JSP file which could browse and copy the file system.
On April 9th, the attackers added a JAR file which collected all passwords at login, saved them and generated password reset mails to the Apache Infrastructure team. One of the passwords they captured matched a local account which had full sudo access on one machine (brutus.apache.org), and from there they began to attack other Apache systems. Six hours later, the attackers were noticed and the Apache Infrastructure team began shutting down services. The team notified Atlassian and Slicehost of the attack and was able to restore services on April 10th. The compromised system, brutus.apache.org, has been replaced. The Confluence wiki is the exception: that service has not yet been restored.
Atlassian's own service, my.atlassian.com, was subsequently targeted by the same attackers. In a blog posting, the company said that users who had accounts with the service before July 2008 should change their passwords and, if the password was used on other sites, should change those passwords too. "We made a big error" says Mike Cannon-Brookes, CEO of Atlassian, who explained that a legacy customer database which contained passwords in plain text had been compromised, adding that "Even though it wasn't active, it should have been deleted". Atlassian notified all users of the compromise at the time, but then found that their servers "crumpled" under the load of "hundreds of thousands of accounts changing passwords simultaneously". Cannon-Brookes adds that no customer information or credit card details were exposed in the breach.
Atlassian has provided patches, JRA-20994 and JRA-20995, for the XSS vulnerability in JIRA, and the Apache team is making a number of changes to the systems' configuration to mitigate further attacks.