===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2589
                     JIRA Security Advisory 2019-07-10
                               12 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jira Server
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11851 CVE-2019-11581 

Original Bulletin: 
   https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html

--------------------------BEGIN INCLUDED TEXT--------------------

JIRA Security Advisory 2019-07-10

Security Advisories

Jira Server - Template injection in various resources - CVE-2019-11581

Summary                 CVE-2019-11581 - Template injection in various resources

Advisory Release Date   10 Jul 2019 10 AM PDT (Pacific Time, -7 hours)

Product                 Jira Server and Jira Data Center

                        Note: This includes Jira Software, Jira Core, and Jira
                        Service Desk. Jira Cloud customers are not affected.

                        Versions listed are for Jira Core and Jira Software.
                        Check the compatibility matrix to find the equivalent
                        version for your Jira Service Desk version.

Affected Jira Server    o 4.4.x
& Jira Data Center      o 5.x.x
Versions                o 6.x.x
                        o 7.0.x
                        o 7.1.x
                        o 7.2.x
                        o 7.3.x
                        o 7.4.x
                        o 7.5.x
                        o 7.6.x before 7.6.14 (the fixed version for 7.6.x)
                        o 7.7.x
                        o 7.8.x
                        o 7.9.x
                        o 7.10.x
                        o 7.11.x
                        o 7.12.x
                        o 7.13.x before 7.13.5 (the fixed version for 7.13.x)
                        o 8.0.x before 8.0.3 (the fixed version for 8.0.x)
                        o 8.1.x before 8.1.2 (the fixed version for 8.1.x)
                        o 8.2.x before 8.2.3 (the fixed version for 8.2.x)

Fixed Jira Server &     o 7.6.14
Jira Data Center        o 7.13.5
Versions                o 8.0.3
                        o 8.1.2
                        o 8.2.3

CVE ID(s)               CVE-2019-11581

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was
introduced in version 4.4.0 of Jira Server & Jira Data Center. The following
versions of Jira Server & Jira Data Center are affected by this vulnerability:

  o 4.4.x
  o 5.x.x
  o 6.x.x
  o 7.0.x
  o 7.1.x
  o 7.2.x
  o 7.3.x
  o 7.4.x
  o 7.5.x
  o 7.6.x before 7.6.14 (the fixed version for 7.6.x)
  o 7.7.x
  o 7.8.x
  o 7.9.x
  o 7.10.x
  o 7.11.x
  o 7.12.x
  o 7.13.x before 7.13.5 (the fixed version for 7.13.x)
  o 8.0.x before 8.0.3 (the fixed version for 8.0.x)
  o 8.1.x before 8.1.2 (the fixed version for 8.1.x), and
  o 8.2.x before 8.2.3 (the fixed version for 8.2.x).


Customers who have upgraded Jira Server & Jira Data Center to
versions 7.6.14, 7.13.5, 8.0.3, 8.1.2, or 8.2.3 are not affected.

Customers using Jira Cloud are not affected.

Customers who have downloaded and installed Jira Server & Jira Data Center
versions:

  o 4.4.x
  o 5.x.x
  o 6.x.x
  o 7.0.x
  o 7.1.x
  o 7.2.x
  o 7.3.x
  o 7.4.x
  o 7.5.x
  o 7.6.x before 7.6.14 (the fixed version for 7.6.x)
  o 7.7.x
  o 7.8.x
  o 7.9.x
  o 7.10.x
  o 7.11.x
  o 7.12.x
  o 7.13.x before 7.13.5 (the fixed version for 7.13.x)
  o 8.0.x before 8.0.3 (the fixed version for 8.0.x)
  o 8.1.x before 8.1.2 (the fixed version for 8.1.x), and
  o 8.2.x before 8.2.3 (the fixed version for 8.2.x)

Please upgrade your Jira Server & Jira Data Center installations immediately to
fix this vulnerability.

If you have downloaded and installed Jira Service Desk from version 3.0.0
before 4.2.3, you may be affected.

The versions listed above are for Jira Software and Jira Core. Check the 
compatibility matrix to find the equivalent version for your Jira Service Desk
version.

Template injection in various resources - CVE-2019-11581

Severity

Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT
environment.

Description

There was a server-side template injection vulnerability in Jira Server and
Data Center, in the ContactAdministrators and the SendBulkMail actions. For
this issue to be exploitable at least one of the following conditions must be
met:

  o an SMTP server has been configured in Jira and the Contact Administrators
    Form is enabled; or
  o an SMTP server has been configured in Jira and an attacker has "JIRA
    Administrators" access.

In the first case, where the Contact Administrators Form is enabled, attackers
are able to exploit this issue without authentication. In the second case,
attackers with "JIRA Administrators" access can exploit this issue. In either
case, successful exploitation of this issue allows an attacker to remotely
execute code on systems that run a vulnerable version of Jira Server or Data
Center.


All versions of Jira Server and Data Center from 4.4.0 before 7.6.14 (the fixed
version for 7.6.x), from 7.7.0 before 7.13.5 (the fixed version for 7.13.x),
from 8.0.0 before 8.0.3 (the fixed version for 8.0.x), from 8.1.0 before 8.1.2
(the fixed version for 8.1.x), and from 8.2.0 before 8.2.3 are affected by this
vulnerability. This issue can be tracked here: JRASERVER-69532.

Acknowledgements

We would like to acknowledge Daniil Dmitriev for finding this vulnerability.

Fix

We have released the following versions of Jira Server & Jira Data Center to
address this issue:

  o 8.2.3 which is available for download from https://www.atlassian.com/
    software/jira/download
  o 8.1.2 which is available for download from https://www.atlassian.com/
    software/jira/update.
  o 8.0.3 which is available for download from https://www.atlassian.com/
    software/jira/update.
  o 7.13.5 which is available for download from https://www.atlassian.com/
    software/jira/update.
  o 7.6.14 which is available for download from https://www.atlassian.com/
    software/jira/update.

What You Need to Do

Mitigation

If you are unable to upgrade Jira immediately, then as a temporary workaround,
you can:

 1. Disable the Contact Administrators Form; and
 2. Block the /secure/admin/SendBulkMail!default.jspa endpoint from being
    accessed. This can be achieved by denying access in the reverse-proxy, load
    balancer, or Tomcat directly (see instructions).
    Note that blocking the SendBulkMail endpoint will prevent Jira
    Administrators from being able to send bulk emails to users.

After upgrading Jira, you can re-enable the Administrator Contact Form, and
unblock the SendBulkMail endpoint.
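An added example, not from the advisory or Atlassian, of checking from access logs whether the SendBulkMail block in the workaround is actually holding: it parses combined-format reverse-proxy log lines (the sample lines below are constructed) and reports every request that targeted the endpoint together with the status it received.

```python
import re
from urllib.parse import unquote

# Endpoint the advisory says to block while the instance is unpatched
BLOCKED_ENDPOINT = "/secure/admin/SendBulkMail!default.jspa"

# Constructed sample: combined-format access log from a reverse proxy in front of Jira
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2019:02:14:09 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 14322
203.0.113.7 - admin [11/Jul/2019:02:15:41 +0000] "GET /secure/admin/SendBulkMail!default.jspa HTTP/1.1" 200 9876
198.51.100.23 - - [11/Jul/2019:02:16:02 +0000] "GET /secure/admin/SendBulkMail!default.jspa?atl_token=x HTTP/1.1" 403 0
203.0.113.7 - admin [11/Jul/2019:02:17:30 +0000] "POST /secure/admin/SendBulkMail!default.jspa HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_access_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry

def normalise_path(target):
    """Drop the query string and percent-decode so the path compares as Jira sees it."""
    return unquote(target.split("?", 1)[0])

def bulkmail_hits(text):
    """Every request that targeted the blocked endpoint: (ip, user, timestamp, status)."""
    return [(e["ip"], e["user"], e["ts"], e["status"])
            for e in parse_access_log(text)
            if normalise_path(e["target"]) == BLOCKED_ENDPOINT]

def workaround_effective(text):
    """True when every request for the endpoint was denied (4xx).
    An empty log also returns True, so confirm the log covers the period you care about."""
    return all(400 <= status < 500 for _, _, _, status in bulkmail_hits(text))

if __name__ == "__main__":
    for hit in bulkmail_hits(SAMPLE_LOG):
        print("endpoint reached:", hit)
    print("workaround effective:", workaround_effective(SAMPLE_LOG))
```

A 2xx on the endpoint after the deny rule was deployed means the rule is not in the request path (for example, traffic that reaches Tomcat without passing the proxy), so check the Tomcat access log as well as the proxy's.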

Upgrading Jira

Atlassian recommends that you upgrade to the latest version. For a full
description of the latest version of Jira Server & Jira Data Center, see the
Release Notes. You can download the latest version of Jira Server & Jira Data
Center from the Download Center.

Upgrade Jira Server & Jira Data Center to version 8.2.3 or higher.


If you can't upgrade to the latest version (8.2.3):

(1) If you have a current feature version (a feature version released on 10
December 2018 or later), upgrade to the next bugfix version of your current
feature version.

If you have feature version... ...then upgrade to this bugfix version:

8.0.x                        8.0.3
8.1.x                        8.1.2


(2) If you have a current Enterprise release version (an Enterprise release
version released on 10th July 2017 or later), upgrade to the latest Enterprise
release version (7.13.5).

Please note that the 7.6 Enterprise release will reach End of Life in November
2019. If you are unable to upgrade to the latest Enterprise release version
(7.13.5), upgrade to 7.6.14.

If you have Enterprise release version... ...then upgrade to this version:

7.6.x                                   7.13.5 (Recommended), or 7.6.14
7.13.x                                  7.13.5


(3) If you have an older version (a feature version released before 10 December
2018, or an Enterprise release version released before 10th July 2017), either
upgrade to the latest version, or to the latest Enterprise release version
(7.13.5).

If you have an older version...         ...then upgrade to any of these versions:

4.4.x, 5.x.x, 6.x.x,                    Current versions:
7.0.x, 7.1.x, 7.2.x, 7.3.x,               8.0.3, 8.1.2, 8.2.3
7.4.x, 7.5.x, 7.7.x, 7.8.x,             Enterprise releases:
7.9.x, 7.10.x, 7.11.x, 7.12.x             7.6.14, 7.13.5 (Recommended)
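An added example (not Atlassian's code) that encodes the advisory's affected ranges and upgrade tables above, so a fleet of Jira Core/Software version strings can be triaged in one pass: is_affected() applies the per-line fixed versions, and upgrade_targets() returns the versions the tables name for that line. Jira Service Desk numbering differs, so its versions still need the compatibility matrix.

```python
import re

# Fixed versions named in the advisory, keyed by feature line (major, minor)
FIXED_VERSIONS = {
    (7, 6): (7, 6, 14),
    (7, 13): (7, 13, 5),
    (8, 0): (8, 0, 3),
    (8, 1): (8, 1, 2),
    (8, 2): (8, 2, 3),
}
ENTERPRISE_LATEST = (7, 13, 5)
# "Upgrade to any of these versions" list from the advisory's table for older versions
ANY_FIXED = ((8, 0, 3), (8, 1, 2), (8, 2, 3), (7, 6, 14), (7, 13, 5))

def parse_version(text):
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def fmt(v):
    return ".".join(map(str, v))

def is_affected(version):
    """True if a Jira Core/Software version falls in a range the advisory lists as
    vulnerable (Service Desk numbering differs; use the compatibility matrix)."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v < (4, 4, 0):
        return False                     # the bug was introduced in 4.4.0
    line = v[:2]
    if line in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[line]  # fixed within this line
    return line < (8, 3)                 # 4.4 .. 7.5 and 7.7 .. 7.12 have no in-line fix

def upgrade_targets(version):
    """Versions the advisory's upgrade tables name for an affected version, in table order."""
    v = parse_version(version)
    if not is_affected(v):
        return []
    line = v[:2]
    if line in ((8, 0), (8, 1), (8, 2)):   # current feature versions: next bugfix release
        return [fmt(FIXED_VERSIONS[line])]
    if line == (7, 13):                    # latest Enterprise release line
        return [fmt(ENTERPRISE_LATEST)]
    if line == (7, 6):                     # older Enterprise release, EOL November 2019
        return [fmt(ENTERPRISE_LATEST), fmt(FIXED_VERSIONS[line])]
    return [fmt(t) for t in ANY_FIXED]     # anything older: any current or Enterprise fix

if __name__ == "__main__":
    for ver in ("8.2.2", "8.2.3", "7.6.13", "7.2.1"):
        print(ver, "affected" if is_affected(ver) else "not affected", upgrade_targets(ver))
```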

Support

If you did not receive an email for this advisory and you wish to receive such
emails in the future go to https://my.atlassian.com/email and subscribe
to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

For guidance on determining whether your instance has been compromised, see 
Determining whether your Jira instance has been compromised by CVE-2019-11851.

References

Security Bug   As per our new policy critical security bug fixes will be
fix Policy     backported in accordance with https://www.atlassian.com/trust/
               security/bug-fix-policy. We will release new maintenance releases
               for the versions covered by the policy instead of binary patches.

               Binary patches are no longer released.

Severity       Atlassian security advisories include a severity level and a CVE
Levels for     identifier. This severity level is based on our self-calculated
security       CVSS score for each specific vulnerability. CVSS is an industry
issues         standard vulnerability metric. You can also learn more about CVSS
               at FIRST.org.

End of Life    Our end of life policy varies for different products. Please
Policy         refer to our EOL Policy for details.

Last modified on Jul 11, 2019


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================