Date: 07 December 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.1102
JIRA Security Advisory 2010-12-06
7 December 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Atlassian JIRA prior to 4.2.1
Publisher: Atlassian
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Cross-site Request Forgery -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
Original Bulletin:
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-12-06#JIRASecurityAdvisory2010-12-06-XSSVulnerabilitiesinURLQueryStrings
- --------------------------BEGIN INCLUDED TEXT--------------------
JIRA Security Advisory 2010-12-06
Added by Rosie Jameson [Atlassian Technical Writer], last edited by
Morgan Friberg [Atlassian] on Dec 06, 2010
In this advisory:
* XSS Vulnerabilities in URL Query Strings
* XSRF Vulnerabilities
* Vulnerability in Secure Tokens
* Vulnerability in Component Data
XSS Vulnerabilities in URL Query Strings
Severity
Atlassian rates these vulnerabilities as high, according to the scale published
in Severity Levels for Security Issues. The scale allows us to rank a
vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a number of cross-site scripting (XSS)
vulnerabilities which may affect JIRA instances. These vulnerabilities have
security implications and are especially important for anyone running publicly
accessible instances of JIRA. XSS vulnerabilities allow an attacker to embed
their own JavaScript into a JIRA page. You can read more about XSS attacks at
cgisecurity, the Web Application Security Consortium and other places on the
web.
Vulnerability
Some values taken from JIRA URLs were being written directly into the
JavaScript of the rendered page, so an attacker who gets a victim to open a
crafted link can run script of their choosing in the victim's browser, in the
context of the victim's JIRA session.
All versions of JIRA prior to 4.2.1 are affected.
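The pattern described above, as an added example that is not JIRA's own code: a query-string value pasted into a script block, beside a rendering that encodes it as a JavaScript string literal. The page path, the parameter name, the host and both payloads are constructed for the illustration.

```javascript
// Added example (not JIRA's code): a URL query-string value landing inside a
// <script> block. Page path, parameter name and host are hypothetical.

// Vulnerable rendering: the raw query value is pasted into JavaScript source.
function renderVulnerable(requestUrl) {
  const params = new URL(requestUrl, 'http://jira.example.invalid').searchParams;
  const filterName = params.get('filter') || '';
  return `<script>var filterName = "${filterName}";</script>`;
}

// Encode a value as a JavaScript string literal that is safe inside a
// <script> block. JSON.stringify handles quotes and backslashes; the extra
// escapes cover what JSON alone leaves dangerous in an HTML script context:
// '<' and '>' (so "</script>" cannot close the block) and U+2028/U+2029
// (treated as line terminators by older engines).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: whatever the value, it can only ever be a string literal.
function renderHardened(requestUrl) {
  const params = new URL(requestUrl, 'http://jira.example.invalid').searchParams;
  const filterName = params.get('filter') || '';
  return `<script>var filterName = ${jsStringLiteral(filterName)};</script>`;
}

// Crude breakout detector: counts opening <script tags in the output.
// The page should have exactly one; a second one was supplied by the attacker.
function openingScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Two constructed payloads: one closes the string literal and appends code,
// the other closes the whole script block and opens a new one.
const PAYLOAD_BREAK_STRING = '";alert(document.cookie);//';
const PAYLOAD_BREAK_BLOCK = '</script><script>alert(1)</script>';

// Build the crafted link an attacker would send to a victim (path hypothetical).
function attackUrl(payload) {
  return '/browse/search?filter=' + encodeURIComponent(payload);
}
```

Only the hardened rendering keeps the attacker's input inside the string literal; HTML-escaping alone would not be enough here, because the value sits in a JavaScript context, not an HTML one.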
Risk Mitigation
We strongly recommend upgrading your JIRA installation to fix these
vulnerabilities. Please see the 'Fix' section below.
Fix
These issues have been fixed in JIRA 4.2.1 and later; fixes are also available
as a patch for JIRA 3.13.5, 4.0.2 and 4.1.2 (please see JRA-22493).
XSRF Vulnerabilities
Severity
Atlassian rates this vulnerability as high, according to the scale published
in Severity Levels for Security Issues. The scale allows us to rank a
vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed several cross-site request forgery (XSRF/CSRF)
vulnerabilities in JIRA. These vulnerabilities have security implications and
are especially important for anyone running publicly accessible instances of
JIRA.
* An attacker might take advantage of the vulnerability to fraudulently
act on behalf of a legitimate user.
You can read more about XSRF/CSRF attacks at cgisecurity, wikipedia and other
places on the web.
Vulnerability
Some JIRA administration screens did not have XSRF protection. A targeted
attack on a vulnerable system could result in an attacker gaining access to
user credentials, potentially giving them access to the JIRA data and system.
All versions of JIRA prior to 4.2.1 are affected.
Risk Mitigation
We strongly recommend upgrading your JIRA installation to fix these
vulnerabilities. Please see the 'Fix' section below.
Fix
JIRA's XSRF protection has been extended to cover previously unprotected
areas. The known XSRF issues have been fixed in JIRA 4.2.1 and later; fixes
are also available as a patch for JIRA 3.13.5, 4.0.2 and 4.1.2 (please see
JRA-22493).
Vulnerability in Secure Tokens
Severity
Atlassian rates this vulnerability as moderate, according to the scale
published in Severity Levels for Security Issues. The scale allows us to
rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a vulnerability relating to the creation of
secure tokens, which are used in various authentication mechanisms. This
vulnerability has security implications and is especially important for
anyone running publicly accessible instances of JIRA.
* Unauthorised users may be able to gain access to JIRA on behalf of a
legitimate user.
Vulnerability
A highly skilled attacker could potentially forge a secure token, allowing
them to impersonate a legitimate user.
All versions of JIRA prior to 4.2 are affected.
Risk Mitigation
We strongly recommend upgrading your JIRA installation to fix this
vulnerability.
Please see the 'Fix' section below.
Fix
This issue has been fixed in JIRA 4.2 and later. The random number-generator
that is used to generate tokens has been hardened.
Vulnerability in Component Data
Severity
Atlassian rates this vulnerability as low, according to the scale published
in Severity Levels for Security Issues. The scale allows us to rank a
vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a data vulnerability in JIRA. This vulnerability
has security implications and is especially important for anyone running
publicly accessible instances of JIRA.
* Unauthorised users may be able to view a list of components defined in
your JIRA system.
Vulnerability
Component data could be viewed by unauthorised users.
All versions of JIRA prior to 4.2 are affected.
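The shape of the fix for this kind of exposure, as an added example that is not JIRA's code: the component listing filtered through a per-project, deny-by-default permission check, including the anonymous case and a project with no permission entry at all. The permission table, project keys, users and component names are constructed.

```javascript
// Added example (not JIRA's code): per-project, deny-by-default authorization
// applied when listing components. All data below is constructed.
const ANONYMOUS = null;

// Which users may browse which project; 'anonymous' opens a project to
// unauthenticated requests.
const browsePermissions = {
  PUB: new Set(['anonymous', 'alice', 'bob']),
  SEC: new Set(['alice']),
};

const components = [
  { project: 'PUB', name: 'Web UI' },
  { project: 'PUB', name: 'Docs' },
  { project: 'SEC', name: 'Payroll import' },
  { project: 'GONE', name: 'Orphaned' },   // project with no permission entry
];

// Deny by default: an unknown project or an absent grant is a "no".
function canBrowse(user, projectKey) {
  const allowed = browsePermissions[projectKey];
  if (!allowed) return false;
  if (user === ANONYMOUS) return allowed.has('anonymous');
  return allowed.has(user);
}

// Vulnerable shape: the lookup never asks who is requesting the data.
function listComponentsUnchecked() {
  return components.map(c => c.name);
}

// Hardened shape: every row passes the project permission check before it
// leaves the data layer, so no caller can forget to apply it.
function listComponents(user) {
  return components.filter(c => canBrowse(user, c.project)).map(c => c.name);
}
```

Placing the check in the listing itself, rather than in each screen that calls it, is what stops the next screen or remote API from leaking the same data again.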
Risk Mitigation
We strongly recommend upgrading your JIRA installation to fix this
vulnerability.
Please see the 'Fix' section below.
Fix
This issue has been fixed in JIRA 4.2 and later.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFM/byW/iFOrG6YcBERAmFeAKDHXQlhqDxEaN6xMt3IVkburMlhrwCfSBS4
SGSZHLyT4ID4oOPaepZVhSo=
=uYHz
-----END PGP SIGNATURE-----