A mix of cross-site scripting, brute force and social engineering

Apr 14, 2010 14:33 GMT  ·  By

The Apache Software Foundation (ASF) announces that several of its services were targeted in a complex attack that led to one server being fully compromised and another partially compromised. A considerable number of password hashes, some possibly stored in a weak format, were also lifted from the organization's systems.

The attack started on April 5 when someone created a fake error report in JIRA, a proprietary project management solution developed by a company called Atlassian and used by the ASF. The rogue entry contained a TinyURL-shortened link which, if opened, exploited an undisclosed JIRA cross-site scripting (XSS) vulnerability to steal the session cookies of logged-in users.

"When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights," Philip Gollucci, the foundation's vice president in charge of infrastructure, explained. He also noted that, at the same time, the JIRA login page was subjected to a brute-force password-guessing attack.
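The two mechanisms described above, session-cookie theft through an XSS flaw and brute-force guessing against the login form, each have a straightforward defensive check. The Python below is an added example and not code from the ASF, Atlassian or JIRA: `audit_set_cookie` reports a session cookie that lacks the `HttpOnly` and `Secure` attributes (`HttpOnly` keeps the cookie out of reach of script injected through an XSS, although it does not remove the XSS itself), and `detect_bruteforce` runs a per-source sliding window over login log lines. The log format, the sample lines, the addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample of login-audit lines (not an apache.org log).
# Format assumed here: "<unix_ts> <source_ip> <OK|FAIL> <username>"
SAMPLE_AUTH_LOG = """\
1270450000 203.0.113.7 FAIL admin
1270450001 203.0.113.7 FAIL admin
1270450002 203.0.113.7 FAIL root
1270450003 198.51.100.4 OK jsmith
1270450004 203.0.113.7 FAIL admin
1270450005 203.0.113.7 FAIL admin
1270450006 203.0.113.7 FAIL admin
1270450500 203.0.113.7 FAIL admin
1270450600 198.51.100.4 FAIL jsmith
1270450601 198.51.100.4 OK jsmith
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>\S+) (?P<result>OK|FAIL) (?P<user>\S+)$")


def detect_bruteforce(log_text, threshold=5, window=60):
    """Return {source_ip: timestamp} for every source that produced at least
    `threshold` failed logins inside any `window`-second span.  The timestamp
    is the moment the threshold was first crossed, which is when an alert
    or a temporary lockout should fire."""
    recent = defaultdict(deque)   # per-source timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue              # unparseable or successful: not a failure
        ts, ip = int(m["ts"]), m["ip"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value and return (cookie_name, missing)
    where `missing` lists the hardening attributes that are absent."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")   # script cannot read the cookie via document.cookie
    if "secure" not in attrs:
        missing.append("Secure")     # cookie is never sent over plain HTTP
    return name, missing


if __name__ == "__main__":
    print("brute-force sources:", detect_bruteforce(SAMPLE_AUTH_LOG))
    for hdr in ("JSESSIONID=abc123; Path=/",
                "JSESSIONID=abc123; Path=/; Secure; HttpOnly"):
        print(hdr, "->", audit_set_cookie(hdr))
```

With the constructed log, only `203.0.113.7` crosses the five-failures-in-sixty-seconds line; the lone failure from `198.51.100.4` followed by a success is the ordinary mistyped-password pattern and is left alone. The cookie audit is the kind of check worth running against every `Set-Cookie` a login endpoint emits, because an `HttpOnly` session cookie would not have been readable by the script the shortened link delivered.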

After obtaining a set of valid administrative credentials for the project management system, the attackers located a writable directory on the server and used it to execute malicious scripts. This allowed them to install a password logging component and capture additional JIRA logins.

"One of these passwords happened to be the same as the password to a local user account on brutus.apache.org, and this local user account had full sudo access. The attackers were thereby able to log in to brutus.apache.org, and gain full root access to the machine. This machine hosted the Apache installs of JIRA, Confluence, and Bugzilla," Mr. Gollucci said.

Furthermore, using cached SVN passwords found on the "rooted" server, the attackers managed to log into several limited shell accounts on minotaur.apache.org. This server, also known as people.apache.org, hosts accounts for all Apache developers and was the target of a different attack in August last year. Fortunately, the attackers did not manage to escalate privileges on this machine as well.

Users of the Apache Foundation's JIRA, Bugzilla and Confluence (wiki) systems, all running on the compromised server, are advised that their passwords could be recovered from the stolen hashes. JIRA users in particular who logged in between April 6 and April 9 should consider their passwords already compromised, since the password logging component captured them as they were submitted through the login form.
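The advisory above rests on the stolen hashes being "possibly insecure", and the earlier quote shows the second damage multiplier: a password reused between JIRA and a sudo-capable shell account. The Python below is an added example, not ASF code, and the article does not say which hash format the compromised systems used, so the unsalted MD5 in `legacy_hash` is an assumption standing in for a weak legacy scheme. It stores passwords with salted PBKDF2-HMAC-SHA256 via the standard library, verifies them in constant time, and flags legacy or under-iterated records for re-hashing on the user's next successful login, which is the usual way to migrate a hash table without forcing a reset. The iteration count is an assumption to be tuned against the login server's latency budget.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000          # assumed cost; tune so one check takes ~0.1 s on the server
SCHEME = "pbkdf2_sha256"


def legacy_hash(password):
    """Unsalted, fast digest: the kind of record that is cheap to recover
    offline once a hash table leaks.  Kept only to show what to migrate from."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iters>$<salt_b64>$<dk_b64>' with a fresh random salt
    so two users sharing a password still get different records."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (
        SCHEME, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the derived key for `stored` and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False              # unknown or legacy record: never accept it here
    _, iters, salt_b64, dk_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored):
    """True for legacy-format records and for PBKDF2 records whose iteration
    count has fallen below the current policy; rehash these right after a
    successful login while the plaintext is momentarily available."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    return int(parts[1]) < ITERATIONS


def login(password, stored, legacy_check=None):
    """Authenticate against either record type and return (ok, new_record).
    `new_record` is non-None only when the stored record should be replaced."""
    if stored.startswith(SCHEME + "$"):
        ok = verify_password(password, stored)
    else:
        # legacy path: caller supplies the old comparison, e.g. legacy_hash
        ok = legacy_check is not None and hmac.compare_digest(legacy_check(password), stored)
    if ok and needs_rehash(stored):
        return True, hash_password(password)
    return ok, None


if __name__ == "__main__":
    old = legacy_hash("correct horse battery staple")
    ok, upgraded = login("correct horse battery staple", old, legacy_check=legacy_hash)
    print("legacy login ok:", ok, "-> migrated record:", upgraded)
    print("upgraded record verifies:", verify_password("correct horse battery staple", upgraded))
```

The `login` helper is where the migration actually happens: a user with a legacy record who authenticates successfully gets a salted PBKDF2 record written back, and the legacy digest can be dropped. Nothing here addresses the reuse problem itself; that is a policy matter (distinct credentials per system, and no shared password on any account holding sudo), which the organization's post-incident changes are better placed to enforce than code is.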

Apache.org's infrastructure team has already taken several steps to prevent similar attacks in the future, and the response from the community so far is overwhelmingly positive. The majority of users congratulate the organization on its openness in dealing with incidents such as this one.