Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.0633
Jira Service Management Server and Data Center Advisory (CVE-2023-22501)
3 February 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Jira Service Management Server
Jira Service Data Center
Publisher: Atlassian
Operating System: Windows
Linux variants
Resolution: Patch/Upgrade
CVE Names: CVE-2023-22501
Original Bulletin:
https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-2023-02-01-1188786458.html
Comment: CVSS (Max): None available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
+----------------+------------------------------------------------------------+
| Summary |CVE-2023-22501 - Broken Authentication vulnerability in Jira|
| |Service Management |
+----------------+------------------------------------------------------------+
|Advisory Release|01 February 2023 10:00 AM PDT (Pacific Time, -7 hours) |
| Date | |
+----------------+------------------------------------------------------------+
| | o Jira Service Management Server |
| Product | |
| | o Jira Service Management Data Center |
+----------------+------------------------------------------------------------+
| CVE ID(s) |CVE-2023-22501 |
+----------------+------------------------------------------------------------+
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability which was
introduced in version 5.3.0 of Jira Service Management Server and Data Center.
The following versions are affected by this vulnerability:
o 5.3.0
o 5.3.1
o 5.3.2
o 5.4.0
o 5.4.1
o 5.5.0
An authentication vulnerability was discovered in Jira Service Management
Server and Data Center which allows an attacker to impersonate another user and
gain access to a Jira Service Management instance under certain circumstances.
With write access to a User Directory and outgoing email enabled on a Jira
Service Management instance, an attacker could gain access to signup tokens
sent to users with accounts that have never been logged into. Access to these
tokens can be obtained in two cases:
o If the attacker is included on Jira issues or requests with these users, or
o If the attacker is forwarded or otherwise gains access to emails containing
a "View Request" link from these users.
Bot accounts are particularly susceptible to this scenario. On instances with
single sign-on, external customer accounts can be affected in projects where
anyone can create their own account.
The issue can be tracked here: JSDSERVER-12312 - Getting issue details...
STATUS
+-----------------------------------------------------------------------------+
|Atlassian Cloud sites are not affected. |
| |
|If your Jira site is accessed via an atlassian.net domain, it is hosted by |
|Atlassian and you are not affected by the vulnerability. |
+-----------------------------------------------------------------------------+
Severity
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.
Affected Versions
Jira Service Management Server and Data Center versions 5.3.0 to 5.3.1 and
5.4.0 to 5.5.0 are affected by this vulnerability.
+----------------------------------------------+-----------------+
| Product |Affected Versions|
+----------------------------------------------+-----------------+
| | o 5.3.0 |
| | |
| | o 5.3.1 |
| | |
| | o 5.3.2 |
|Jira Service Management Server and Data Center| |
| | o 5.4.0 |
| | |
| | o 5.4.1 |
| | |
| | o 5.5.0 |
+----------------------------------------------+-----------------+
Fixed Versions
+----------------------------------------------+------------------+
| Product | Fixed Versions |
+----------------------------------------------+------------------+
| | o 5.3.3 |
| | |
| | o 5.4.2 |
|Jira Service Management Server and Data Center| |
| | o 5.5.1 |
| | |
| | o 5.6.0 or later|
+----------------------------------------------+------------------+
What You Need to Do
Atlassian recommends that you upgrade each of your affected installations to
one of the listed fixed versions (or any later version) above (see the "Fixed
Versions" section of this page for details). For a full description of the
latest version of Jira Service Management Server and Data Center, see the
release notes. You can download the latest version of Jira Service Management
and Data Center from the download center. For Frequently Asked Questions (FAQ),
click here.
Mitigation
Installing a fixed version of Jira Service Management is the recommended way to
remediate this vulnerability. If you are unable to immediately upgrade Jira
Service Management, you can manually upgrade the version-specific
servicedesk-variable-substitution-plugin JAR file as a temporary workaround.
+-----------------+-----------------------------------------------------------+
| Jira Service | |
| Management | JAR File |
| Versions | |
+-----------------+-----------------------------------------------------------+
|5.5.0 |[placeholde] |
| |servicedesk-variable-substitution-plugin-5.5.1-REL-0005.jar|
+-----------------+-----------------------------------------------------------+
|5.4.0, 5.4.1 |[placeholde] |
| |servicedesk-variable-substitution-plugin-5.4.2-REL-0005.jar|
+-----------------+-----------------------------------------------------------+
|5.3.0, 5.3.1, |[placeholde] |
|5.3.2 |servicedesk-variable-substitution-plugin-5.3.3-REL-0001.jar|
+-----------------+-----------------------------------------------------------+
To update the servicedesk-variable-substitution-plugin JAR file:
1. Download the version-specific JAR file from the table above.
2. Stop Jira.
3. Copy the JAR file into your Jira home directory.
1. For Server: <Jira_Home>/plugins/installed-plugins
2. For Data Center: <Jira_Shared>/plugins/installed-plugins
4. Start Jira.
Detection
Atlassian cannot confirm if your instance has been affected by this
vulnerability, but there are some steps you can follow to investigate your
instances for potential unauthorized access. You can see the detailed steps
outlined on the Frequently Asked Questions (FAQ) page here.
Last modified on Feb 1, 2023
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY9xh/MkNZI30y1K9AQjP3w//dUIW42s2vNhxiV1evheGviXOwcPlAVPl
J4Ocq6YRjs1x5DnnskO0dBAsUJ4/kdLds4ClbUNRlw2ffo6poZK8Q6pK5fTLMlaH
Swm+bMza8Qg3RSE7ATEsWL3b0TCtaDYnFAGiCyWUhioZS598C5+lECEdbGmgKA0O
xdzIiYK0Gqo16d0PNBwVUvYphXj06DbLh338mPJNIhdV4oIxFpKLHJNy+k0Bwqxp
LGmtEotZvTjbblwBmVWztfrc35/uXV1WkSRJoWWGRuz+lmjuOWkzZxdJBFN0QVil
M6JBHEqG3xEtiGmSGYSvBHS8NpI+QuwGQzw1cCiPThq28HTKFGdjCaT5fqZX3MT5
6TzEQ+CeEaHEjsu3E7Hr961zUJtUDl+2iBNsjyZSUIKs9/Ay9sQ8o3SnB6Ib2SYM
E0X/rtCVettfU7liKJ6k6f1UNjuRKO8VrcNLFbBjS4LEFiMzBJ/AuD9fpUQErkVw
M+ZgbzWUTTd4EQ6nwZt9pKBj17Yzz5lTheSpng1SbTcJ/GgO8ukTyyROsNRasWB0
SOnwgex+9ZZvuPEMT+x34Q15DdJqdJVvt/n6TZFORV0pg/f494HGDCKtrpYLwJQh
EuXl9ENwhSNz+sNj9+Ah5S9cJmaiXYIXQxANo+nu/BUqTERQmTahHqqPp2N9o/tz
+17a2ZlDygo=
=/e5O
-----END PGP SIGNATURE-----