Software foundation warns users to change passwords as targeted cross-site scripting, brute force attacks penetrate Apache servers.
The Apache Software Foundation warned Tuesday that its infrastructure hosting issue-tracking software suffered a direct, targeted attack putting some passwords at risk.
In a blog post announcing the attack, Apache warned users of JIRA, Bugzilla and Confluence that their passwords have likely been compromised. The organization urged all users to rotate their passwords.
The risk for most users is low to moderate, since pre-built password dictionaries are not effective, but we recommend users should still remove these passwords from use.
The attack took place April 6 and those behind it changed the JIRA bug and project tracking tool login form to steal passwords. Anyone who logged into JIRA between April 6 and April 9 likely had their password compromised, the organization said.
Apache outlined details of the attack in a blog entry.
The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administators clicked on the link. This compromised their sessions, including their JIRA administrator rights.
Apache said that its use of one-time passwords helped limit the damage to a single host on the software foundation’s infrastructure.