9 Jul 2019
Are you using Jira Data Center? Read this important security warning
Atlassian have announced a security update that affects Jira Server and Jira Data Center products. If you use either of these products, see below for steps to address this vulnerability.
Summary of Vulnerability
Atlassian disclosed a critical severity security vulnerability which was introduced in version 4.4.0 of Jira Server & Jira Data Center. The following versions of Jira Software and Jira Core, in both Server and Data Center editions, are affected by this vulnerability:
- 4.4.x
- 5.x.x
- 6.x.x
- 7.0.x
- 7.1.x
- 7.2.x
- 7.3.x
- 7.4.x
- 7.5.x
- 7.6.x before 7.6.14 (the fixed version for 7.6.x)
- 7.7.x
- 7.8.x
- 7.9.x
- 7.10.x
- 7.11.x
- 7.12.x
- 7.13.x before 7.13.5 (the fixed version for 7.13.x)
- 8.0.x before 8.0.3 (the fixed version for 8.0.x)
- 8.1.x before 8.1.2 (the fixed version for 8.1.x)
- 8.2.x before 8.2.3 (the fixed version for 8.2.x)
Atlassian advises customers to upgrade their Jira Server & Jira Data Center installations immediately to fix this vulnerability.
Customers who have upgraded Jira Server & Jira Data Center to versions 7.6.14, 7.13.5, 8.0.3, 8.1.2, or 8.2.3 are not affected.
Customers who have downloaded and installed Jira Service Desk in any version from 3.0.0 up to, but not including, 4.2.3 may also be affected. Check the compatibility matrix to find the equivalent Jira version for your Jira Service Desk version.
Customers using Jira Cloud are not affected.
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published at Atlassian severity levels.
This is their assessment and you should evaluate its applicability to your own IT environment.
Description of vulnerability
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. For this issue to be exploitable at least one of the following conditions must be met:
- an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or
- an SMTP server has been configured in Jira and an attacker has "JIRA Administrators" access.
In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with "JIRA Administrators" access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
Advice to resolve this issue
Upgrade Jira
Atlassian recommends that you upgrade to the latest version (8.2.3 or higher). For a full description of the latest version of Jira Server & Jira Data Center, see the Release Notes. The latest version of Jira Server & Jira Data Center can be downloaded through the links provided below.
If you can't upgrade to the latest version (8.2.3):
(1) If you have a current feature version (a feature version released on 10 December 2018 or later), upgrade to the next bugfix version of your current feature version:
- If you have feature version 8.0.x, upgrade to bugfix version 8.0.3.
- If you have feature version 8.1.x, upgrade to bugfix version 8.1.2.
(2) If you have a current Enterprise release version (an Enterprise release version released on 10 July 2017 or later), upgrade to the latest Enterprise release version (7.13.5).
Please note that the 7.6 Enterprise release will reach End of Life in November 2019. If you are unable to upgrade to the latest Enterprise release version (7.13.5), upgrade to 7.6.14.
- If you have Enterprise release version 7.6.x, upgrade to 7.13.5 (Recommended), or to 7.6.14 if you cannot move to 7.13.5.
- If you have Enterprise release version 7.13.x, upgrade to 7.13.5.
(3) If you have an older version (released before 10 December 2018, or an Enterprise release version released before 10 July 2017), either upgrade to the latest version, or to the latest Enterprise release version (7.13.5).
If you have one of these older versions:
- 4.4.x
- 5.x.x
- 6.x.x
- 7.0.x
- 7.1.x
- 7.2.x
- 7.3.x
- 7.4.x
- 7.5.x
- 7.7.x
- 7.8.x
- 7.9.x
- 7.10.x
- 7.11.x
- 7.12.x
then upgrade to either of these versions:
- Current version: the latest version (8.2.3 or higher)
- Enterprise release: 7.13.5 (Recommended)
Temporary fix if upgrading is not immediately possible
If customers are unable to upgrade Jira immediately, then a temporary workaround is suggested to address the issue:
- Disable the Contact Administrators Form; and
- Block the /secure/admin/SendBulkMail!default.jspa endpoint from being accessed. This can be achieved by denying access in the reverse-proxy, load balancer, or Tomcat directly (see instructions).
After upgrading Jira, you can re-enable the Contact Administrators Form and unblock the SendBulkMail endpoint.
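As an added example (not part of Atlassian's advisory or of this post), the following nginx reverse-proxy configuration implements the second bullet of the workaround by refusing the SendBulkMail action in front of Jira. It assumes Jira is served from the site root; the hostname, the `jira_backend` upstream name and the backend address are placeholders.

```nginx
# Added example, not Atlassian's own instructions: deny the SendBulkMail action
# at the reverse proxy while Jira is still on a vulnerable version.
upstream jira_backend {
    server 127.0.0.1:8080;          # placeholder address of the Jira (Tomcat) node
}

server {
    listen 443 ssl;
    server_name jira.example.com;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key directives omitted for brevity

    # nginx evaluates regex locations before the plain prefix location below and
    # uses the first regex that matches, so this rule wins for every URL form of
    # the action (SendBulkMail!default.jspa as well as SendBulkMail.jspa).
    # The match is case-insensitive (~*) and runs against the normalized $uri,
    # so percent-encoded spellings of the path are covered too.
    # If Jira runs under a context path (e.g. /jira), prefix the regex with it.
    location ~* ^/secure/admin/SendBulkMail {
        return 403;
    }

    # Everything else is proxied to Jira unchanged.
    location / {
        proxy_pass http://jira_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t`, reload, and confirm that a request through the proxy for /secure/admin/SendBulkMail!default.jspa returns 403 while ordinary Jira pages still load; the Contact Administrators Form is disabled separately in Jira's administration settings, and the rule is removed once the upgrade is complete.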