Date: 29 May 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0499
JIRA Security Advisory 2012-05-17
29 May 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Atlassian JIRA prior to 5.0.1
Publisher: Atlassian
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2012-2928 CVE-2012-2927 CVE-2012-2926
Original Bulletin:
https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17
- --------------------------BEGIN INCLUDED TEXT--------------------
JIRA Security Advisory 2012-05-17
Added by Andrew Lui [Atlassian Technical Writer], last edited by Vitaly
Osipov [Atlassian] on May 24, 2012
This advisory discloses a high severity security vulnerability that exists in
all versions of JIRA up to and including 5.0.0.
Customers who have downloaded and installed JIRA should upgrade their
existing JIRA installations to fix this vulnerability. We also provide a
patch that you will be able to apply to existing installations of JIRA to
fix this vulnerability. However, we recommend that you upgrade your
complete JIRA installation rather than applying the patch.
Enterprise Hosted customers need to request an upgrade by raising a support
request at http://support.atlassian.com in the "Enterprise Hosting Support"
project.
JIRA Studio and Atlassian OnDemand customers are not affected by any of the
issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed
in this advisory has been discovered by Atlassian, unless noted otherwise. The
reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a
support request at http://support.atlassian.com/.
In this advisory:
High Severity XML Parsing Vulnerability
Severity
Description
Risk Mitigation
Fix
High Severity XML Parsing Vulnerability
Severity
Atlassian rates the severity level of this vulnerability as high, according to
the scale published in Severity Levels for Security Issues. The scale allows us
to rank the severity as critical, high, moderate or low. This vulnerability is
not critical.
This is an independent assessment and you should evaluate its applicability to
your own IT environment.
Description
We have identified and fixed a vulnerability in JIRA that results from the way
third-party XML parsers are used in JIRA. This vulnerability allows an attacker
who is an authenticated JIRA user to execute denial of service attacks against
the JIRA server.
All versions of JIRA up to and including 5.0.0 are affected by this
vulnerability. This issue can be tracked here: JRA-27719
The Tempo and Gliffy for JIRA plugins are also vulnerable to this exploit. If
you are using these plugins with any version of JIRA, you will need to upgrade
them (see 'Fix' section below) or disable them.
Risk Mitigation
We recommend that you upgrade your JIRA installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately, you should
disable public access (such as anonymous access and public signup) to your JIRA
installation until you have applied the necessary patch or upgraded.
Fix
Upgrade (recommended)
Upgrade to JIRA 5.0.1 or later which fixes this vulnerability. For a full
description of this release, see the JIRA 5.0.1 Release Notes. You can
download this version of JIRA from the download centre.
Upgrade the following JIRA third-party plugins, if you are using them. The
table below describes which version of the plugin you should upgrade to,
depending on your JIRA version. See Managing JIRA's Plugins for
instructions on how to upgrade a plugin. In general, you should upgrade
these plugins to the latest available version compatible with your version
of JIRA.
Plugin                   JIRA 5.0   JIRA 4.4   JIRA 4.3   JIRA 4.2
Gliffy plugin for JIRA   3.7.1      3.7.1      3.7.1      3.7.1
Tempo                    7.0.3      6.5.0.2    6.4.3.1    6.4.3.1
Patches (not recommended)
We recommend patching only when you can neither upgrade nor apply external
security controls. Patches are usually only provided for vulnerabilities of
critical severity (as per our Security Patch Policy), as an interim solution
until you can upgrade. You should not expect that you can continue patching
your system instead of upgrading. Our patches are often non-cumulative; we do
not recommend that you apply multiple patches from different advisories on top
of each other, but strongly recommend upgrading to the most recent version
regularly.
If for some reason you cannot upgrade to the latest version of JIRA, you must
do all of the following steps to fix the vulnerability described in this
security advisory.
1. Download the patch file for your version of JIRA. Note, the patches are
only available for the point release indicated. If you are using an earlier
point release for a major version, you must upgrade to the latest point
release first.
Version     Patch
JIRA 4.4.5  patch-JRA-27719-4.4.5-atlassian-bundled-plugins.zip
JIRA 4.3.4  patch-JRA-27719-4.3.4-atlassian-bundled-plugins.zip
JIRA 4.2.4  patch-JRA-27719-4.2.4-atlassian-bundled-plugins.zip
JIRA 4.1.2  patch-JRA-27719-4.1.2-atlassian-bundled-plugins.zip
2. Update the following files in your JIRA installation, as described
below.
JIRA:
Shut down JIRA.
Replace $JIRA_INSTALL/atlassian-jira/WEB-INF/classes/atlassian-bundled-plugins.zip
with the patch file downloaded in Step 1 above.
Delete the $JIRA_HOME/plugins/.bundled-plugins directory.
Restart JIRA.
JIRA WAR:
Replace $JIRA_WAR_INSTALL/webapp/WEB-INF/classes/atlassian-bundled-plugins.zip
with the patch file downloaded in Step 1 above.
Regenerate the WAR file.
Shut down JIRA.
Install the new WAR you generated.
Delete the $JIRA_HOME/plugins/.bundled-plugins directory.
Restart JIRA.
3. Upgrade the following JIRA third-party plugins, if you are using them.
The table below describes which version of the plugin you should upgrade
to, depending on your JIRA version. See Managing JIRA's Plugins for
instructions on how to upgrade a plugin. In general, you should upgrade
these plugins to the latest available version compatible with your version
of JIRA.
Plugin                   JIRA 5.0   JIRA 4.4   JIRA 4.3   JIRA 4.2
Gliffy plugin for JIRA   3.7.1      3.7.1      3.7.1      3.7.1
Tempo                    7.0.3      6.5.0.2    6.4.3.1    6.4.3.1
4. Verify that patches succeeded by checking plugin versions. Versions of
Tempo and Gliffy are listed in the table above. For the JIRA patch (step 1
above) you need to verify the version of Atlassian REST plugin.
Plugin          JIRA 4.4.5   JIRA 4.3.4   JIRA 4.2.4   JIRA 4.1.2
Atlassian REST  2.5.5.1      2.4.0.1      2.1.0.1      1.0.5.1
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================