-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0835
                      JIRA Security Advisory 2012-08-28
                              3 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian JIRA
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Administrator Compromise       -- Remote/Unauthenticated
                   Cross-site Scripting           -- Remote with User Interaction
                   Cross-site Request Forgery     -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade

Original Bulletin:
   https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-08-28

- --------------------------BEGIN INCLUDED TEXT--------------------

JIRA Security Advisory 2012-08-28

Added by Andrew Lui [Atlassian Technical Writer], last edited by Andrew Lui
[Atlassian Technical Writer] on Aug 28, 2012

This advisory discloses security vulnerabilities that we have found in JIRA and
fixed in a recent version of JIRA. Customers who have downloaded and installed
JIRA should upgrade their existing JIRA installations to fix these
vulnerabilities. Enterprise Hosted customers need to request an upgrade by
raising a support request at http://support.atlassian.com in the "Enterprise
Hosting Support" project. Atlassian OnDemand customers are not affected by any
of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerabilities
listed in this advisory have been discovered by Atlassian, unless noted
otherwise. The reporter may also have requested that we do not credit them.

If you have questions or concerns regarding this advisory, please raise a
support request at http://support.atlassian.com/.
In this advisory:

  * Privilege escalation vulnerability
  * XSS Vulnerabilities
  * XSRF Vulnerability
  * Open Redirect Vulnerabilities

Privilege escalation vulnerability
----------------------------------

Severity

Atlassian rates the severity level of this vulnerability as Critical, according
to the scale published in Severity Levels for Security Issues. The scale allows
us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to
your own IT environment.

Description

We have identified and fixed a privilege escalation vulnerability that affects
JIRA instances, including publicly available instances (that is, Internet-facing
servers). This vulnerability allows an attacker to bypass administrator-only
authorisation controls via specially crafted URLs. The attacker does not need
to have an account on the affected JIRA server. As a result, the attacker will
be able to execute a large number of administrative actions.

This vulnerability has been fixed in JIRA 5.0.7 and later. Patches are
available for JIRA 4.3.4, 4.4.5 and 5.0.6.

This issue can be tracked here: JRA-29403

Risk Mitigation

If you cannot upgrade immediately, you can disable public access to your JIRA
instance. You can also turn on Secure Administrator Sessions (also known as
WebSudo), which will significantly reduce the number of actions available to an
attacker. WebSudo does not completely mitigate this vulnerability, as it does
not protect non-administrative actions.

Fix

Upgrade

The vulnerability and fix versions are described in the 'Description' section
above. We recommend that you upgrade to JIRA 5.0.7 or later. For a full
description of the latest version of JIRA, see the release notes. You can
download the latest version of JIRA from the download centre.

If you cannot upgrade to the latest version of JIRA, you can temporarily patch
your existing installation using the patch listed below. We strongly recommend
upgrading and not patching.
Patches

JIRA version   Patch File Name               Patch Instructions
4.3.4          JRA-29403-4.3.4-patch.zip     JRA-29403-4.3.4-patch-instructions.txt
4.4.5          JRA-29403-4.4.5-patch.zip     JRA-29403-4.4.5-patch-instructions.txt
5.0.6          JRA-29403-5.0.6-patch.zip     JRA-29403-5.0.6-patch-instructions.txt

Instructions on how to apply patches are listed in the table above.

XSS Vulnerabilities
-------------------

Severity

Atlassian rates the severity level of these vulnerabilities as High, according
to the scale published in Severity Levels for Security Issues. The scale allows
us to rank the severity as critical, high, medium or low.

This is an independent assessment and you should evaluate its applicability to
your own IT environment. These vulnerabilities are not of Critical severity.

Description

We have identified and fixed nine cross-site scripting (XSS) vulnerabilities
that affect JIRA instances, including publicly available instances (that is,
Internet-facing servers). XSS vulnerabilities allow an attacker to embed their
own JavaScript into a JIRA page. You can read more about XSS attacks at
cgisecurity.com, The Web Application Security Consortium and other places on
the web.

These vulnerabilities affect JIRA 4.2 and above, and have been fixed in
JIRA 5.1.1.

This issue can be tracked here: JRA-29402

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these
vulnerabilities. Please see the 'Fix' section below.

Fix

Upgrade

The vulnerabilities and fix versions are described in the 'Description' section
above. We recommend that you upgrade to JIRA 5.1.1 or later. For a full
description of the latest version of JIRA, see the release notes. You can
download the latest version of JIRA from the download centre.

Patches are not available for these vulnerabilities.

Our thanks to Nils Juenemann who reported three of the XSS vulnerabilities
mentioned in this section. Our thanks also to Conrad Rolack and Brandon Sterne
who each reported one XSS vulnerability.
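As an added illustration of the Secure Administrator Sessions (WebSudo) mitigation recommended for the privilege escalation issue above, and not code from Atlassian or JIRA: a minimal re-authentication gate for administrative actions. The user store, the PBKDF2 password hashing and the 10-minute window are assumptions; the point is that a request which passes or bypasses the role check still cannot act without a fresh password proof, while non-administrative actions remain outside the gate.

```python
import hashlib
import hmac
import secrets

# Added illustration, not Atlassian's code: a WebSudo-style "secure
# administrator session" gate. Administrative actions need the admin role
# AND a recent password re-check; the 10-minute window is an assumed value.
WEBSUDO_TTL = 10 * 60

# Constructed user store: {username: (salt, pbkdf2 digest, is_admin)}.
_USERS = {}

def register(user, password, is_admin):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    _USERS[user] = (salt, digest, is_admin)

class Session:
    def __init__(self, user, is_admin):
        self.user = user
        self.is_admin = is_admin      # what the role check concluded
        self.elevated_until = 0.0    # end of the WebSudo window (epoch secs)

def websudo_authenticate(session, password, now):
    """Re-verify the password; on success open an elevated window."""
    entry = _USERS.get(session.user)
    if entry is None:
        return False
    salt, digest, _ = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, digest):
        return False
    session.elevated_until = now + WEBSUDO_TTL
    return True

def admin_action(session, now):
    """Gate an administrative action. A request that passes (or bypasses)
    the role check still fails without a fresh re-authentication, which an
    attacker holding no account cannot supply."""
    if not session.is_admin:
        return "denied: not an administrator"
    if now >= session.elevated_until:
        return "denied: secure administrator session required"
    return "ok: administrative action performed"

def comment_action(session):
    """Non-administrative actions sit outside WebSudo, which is why the
    advisory says it reduces, but does not remove, the exposure."""
    return "ok: comment posted"
```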
We fully support the reporting of vulnerabilities and we appreciate it when
people work with us to identify and solve the problem.

XSRF Vulnerability
------------------

Severity

Atlassian rates the severity level of this vulnerability as Medium, according
to the scale published in Severity Levels for Security Issues. The scale allows
us to rank the severity as critical, high, medium or low.

This is an independent assessment and you should evaluate its applicability to
your own IT environment. This vulnerability is not of Critical severity.

Description

We have identified and fixed a cross-site request forgery (XSRF) vulnerability
that affects JIRA instances, including publicly available instances (that is,
Internet-facing servers). This XSRF vulnerability relates to commenting on
issues. An attacker might take advantage of the vulnerability to make other
users post issue comments of his choice. You can read more about XSRF attacks
at http://www.cgisecurity.com/csrf-faq.html and other places on the web.

This vulnerability affects JIRA 4.2 and above, and has been fixed in JIRA 5.1.

This issue can be tracked here: JRA-29401

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix this
vulnerability. Please see the 'Fix' section below.

Fix

Upgrade

The vulnerability and fix versions are described in the 'Description' section
above. We recommend that you upgrade to JIRA 5.1 or later. For a full
description of the latest version of JIRA, see the release notes. You can
download the latest version of JIRA from the download centre.

Patches are not available for this vulnerability.

Our thanks to João Paulo Lins of Tempest Security Intelligence, who reported
the XSRF vulnerability mentioned in this section. We fully support the
reporting of vulnerabilities and we appreciate it when people work with us to
identify and solve the problem.
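As an added helper (not Atlassian's) that condenses the affected and fixed versions stated across the four sections of this advisory: given an installed JIRA version, list which issues still apply and whether the advisory's patch table offers a temporary patch. It assumes plain dotted numeric version strings such as "5.0.6".

```python
# Added illustration, not Atlassian's code: maps an installed JIRA version to
# the four issues in this advisory using the affected/fixed versions it states.
# Versions are assumed to be plain dotted numerics such as "5.0.6".

def parse_version(text):
    """'5.1' -> (5, 1, 0); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

# (issue, first affected version or None, first fixed version, patched versions).
# The advisory gives no lower bound for JRA-29403, so every release below the
# fix version is treated as affected.
ISSUES = [
    ("JRA-29403 privilege escalation (Critical)", None, "5.0.7",
     ("4.3.4", "4.4.5", "5.0.6")),
    ("JRA-29402 cross-site scripting (High)", "4.2", "5.1.1", ()),
    ("JRA-29401 cross-site request forgery (Medium)", "4.2", "5.1", ()),
    ("JRA-29400 open redirect (Medium)", "4.3.3", "5.1.1", ()),
]

def triage(installed):
    """Return [(issue, recommended action)] for an installed JIRA version."""
    v = parse_version(installed)
    findings = []
    for issue, first_affected, fixed, patches in ISSUES:
        if first_affected is not None and v < parse_version(first_affected):
            continue                      # release predates the bug
        if v >= parse_version(fixed):
            continue                      # release already carries the fix
        action = f"upgrade to JIRA {fixed} or later"
        # Only JRA-29403 has patches; file names follow the advisory's table.
        patch = next((p for p in patches if parse_version(p) == v), None)
        if patch is not None:
            action += f" (temporary patch: JRA-29403-{patch}-patch.zip)"
        findings.append((issue, action))
    return findings
```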
Open Redirect Vulnerabilities
-----------------------------

Severity

Atlassian rates the severity level of these vulnerabilities as Medium,
according to the scale published in Severity Levels for Security Issues. The
scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to
your own IT environment. These vulnerabilities are not of Critical severity.

Description

We have identified and fixed two open redirect vulnerabilities that affect JIRA
instances, including publicly available instances (that is, Internet-facing
servers). Parameter-based redirection vulnerabilities allow an attacker to
craft a JIRA URL in such a way that a user clicking on the URL will be
redirected to a different web site. This can be used for phishing. You can read
more about link manipulation attacks at Wikipedia, and about phishing at
Fraud.org and other places on the web.

These vulnerabilities affect JIRA 4.3.3 and above, and have been fixed in
JIRA 5.1.1.

This issue can be tracked here: JRA-29400

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these
vulnerabilities. Please see the 'Fix' section below.

Fix

Upgrade

The vulnerabilities and fix versions are described in the 'Description' section
above. We recommend that you upgrade to JIRA 5.1 or later. For a full
description of the latest version of JIRA, see the release notes. You can
download the latest version of JIRA from the download centre.

Patches are not available for these vulnerabilities.

Our thanks to João Paulo Lins of Tempest Security Intelligence, who reported
one of the open redirect vulnerabilities mentioned in this section. We fully
support the reporting of vulnerabilities and we appreciate it when people work
with us to identify and solve the problem.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================