-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2589
                     JIRA Security Advisory 2019-07-10
                                12 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jira Server
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11851 CVE-2019-11581

Original Bulletin:
   https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html

- --------------------------BEGIN INCLUDED TEXT--------------------

JIRA Security Advisory 2019-07-10

Security Advisories

Jira Server - Template injection in various resources - CVE-2019-11581

Summary                  CVE-2019-11581 - Template injection in various resources

Advisory Release Date    10 Jul 2019 10 AM PDT (Pacific Time, -7 hours)

Product                  Jira Server and Jira Data Center
                         Note: This includes Jira Software, Jira Core, and Jira
                         Service Desk. Jira Cloud customers are not affected.
                         Versions listed are for Jira Core and Jira Software.
                         Check the compatibility matrix to find the equivalent
                         version for your Jira Service Desk version.
Affected Jira Server &   o 4.4.x
Jira Data Center         o 5.x.x
Versions                 o 6.x.x
                         o 7.0.x
                         o 7.1.x
                         o 7.2.x
                         o 7.3.x
                         o 7.4.x
                         o 7.5.x
                         o 7.6.x before 7.6.14 (the fixed version for 7.6.x)
                         o 7.7.x
                         o 7.8.x
                         o 7.9.x
                         o 7.10.x
                         o 7.11.x
                         o 7.12.x
                         o 7.13.x before 7.13.5 (the fixed version for 7.13.x)
                         o 8.0.x before 8.0.3 (the fixed version for 8.0.x)
                         o 8.1.x before 8.1.2 (the fixed version for 8.1.x)
                         o 8.2.x before 8.2.3 (the fixed version for 8.2.x)

Fixed Jira Server &      o 7.6.14
Jira Data Center         o 7.13.5
Versions                 o 8.0.3
                         o 8.1.2
                         o 8.2.3

CVE ID(s)                CVE-2019-11581

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was
introduced in version 4.4.0 of Jira Server & Jira Data Center. The following
versions of Jira Server & Jira Data Center are affected by this vulnerability:

  o 4.4.x
  o 5.x.x
  o 6.x.x
  o 7.0.x
  o 7.1.x
  o 7.2.x
  o 7.3.x
  o 7.4.x
  o 7.5.x
  o 7.6.x before 7.6.14 (the fixed version for 7.6.x)
  o 7.7.x
  o 7.8.x
  o 7.9.x
  o 7.10.x
  o 7.11.x
  o 7.12.x
  o 7.13.x before 7.13.5 (the fixed version for 7.13.x)
  o 8.0.x before 8.0.3 (the fixed version for 8.0.x)
  o 8.1.x before 8.1.2 (the fixed version for 8.1.x), and
  o 8.2.x before 8.2.3 (the fixed version for 8.2.x).

Customers who have upgraded Jira Server & Jira Data Center to versions 7.6.14,
7.13.5, 8.0.3, 8.1.2, or 8.2.3 are not affected.

Customers using Jira Cloud are not affected.

Customers who have downloaded and installed Jira Server & Jira Data Center
versions:

  o 4.4.x
  o 5.x.x
  o 6.x.x
  o 7.0.x
  o 7.1.x
  o 7.2.x
  o 7.3.x
  o 7.4.x
  o 7.5.x
  o 7.6.x before 7.6.14 (the fixed version for 7.6.x)
  o 7.7.x
  o 7.8.x
  o 7.9.x
  o 7.10.x
  o 7.11.x
  o 7.12.x
  o 7.13.x before 7.13.5 (the fixed version for 7.13.x)
  o 8.0.x before 8.0.3 (the fixed version for 8.0.x)
  o 8.1.x before 8.1.2 (the fixed version for 8.1.x), and
  o 8.2.x before 8.2.3 (the fixed version for 8.2.x)

Please upgrade your Jira Server & Jira Data Center installations immediately
to fix this vulnerability.
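The affected ranges above are easy to misjudge when versions are compared as strings (lexically, "7.13.4" sorts before "7.6.14", but it is the later release). The following is an added example, not Atlassian's or AusCERT's code, that parses a Jira Server / Data Center version string, compares it numerically against the ranges listed in this advisory, and returns the upgrade target the advisory gives for that feature line. The range boundaries and the bugfix targets are taken from the advisory text; the function and constant names are the example's own.

```python
# Added example (not Atlassian's or AusCERT's code): classify a Jira Server /
# Data Center version against the affected ranges in this advisory.
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory as [first affected, first fixed) pairs.
# 4.4.0 up to 7.6.14 is one contiguous range because every feature release
# between 4.4 and 7.6 is affected and 7.6.14 is the first fixed 7.6 build.
AFFECTED_RANGES = [
    ((4, 4, 0), (7, 6, 14)),
    ((7, 7, 0), (7, 13, 5)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 2)),
    ((8, 2, 0), (8, 2, 3)),
]

# Bugfix targets from the advisory's upgrade guidance, keyed by feature line.
FIXED_IN_LINE = {
    (7, 6): "7.6.14",
    (7, 13): "7.13.5",
    (8, 0): "8.0.3",
    (8, 1): "8.1.2",
    (8, 2): "8.2.3",
}

LATEST = "8.2.3"              # latest version named in the advisory
LATEST_ENTERPRISE = "7.13.5"  # latest Enterprise release named in the advisory


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into an integer tuple (missing patch = 0)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (tuple comparison,
    so 7.13.4 is correctly ranked after 7.6.14)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def upgrade_target(version: str) -> Optional[str]:
    """Return the advisory's upgrade target for an affected version, or None
    when the version is not affected.  Feature lines with a bugfix release
    get that release; older lines get the latest or Enterprise release."""
    v = parse_version(version)
    if not is_affected(version):
        return None
    in_line = FIXED_IN_LINE.get(v[:2])
    if in_line:
        return in_line
    return f"{LATEST} (latest) or {LATEST_ENTERPRISE} (Enterprise release)"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("jira-a", "7.13.4"), ("jira-b", "7.6.14"),
                      ("jira-c", "7.12.0"), ("jira-d", "8.2.3")]:
        print(host, ver, "affected" if is_affected(ver) else "not affected",
              upgrade_target(ver) or "")
```

Feeding an inventory of instance versions through `is_affected` gives a quick first pass over a fleet; `upgrade_target` then maps each affected instance to the bugfix release the advisory names for its line, falling back to the latest or Enterprise release for the older lines that have no bugfix build.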
If you have downloaded and installed Jira Service Desk from version 3.0.0
before 4.2.3, you may be affected. The versions listed above are for Jira
Software and Jira Core. Check the compatibility matrix to find the equivalent
version for your Jira Service Desk version.

Template injection in various resources - CVE-2019-11581

Severity

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own
IT environment.

Description

There was a server-side template injection vulnerability in Jira Server and
Data Center, in the ContactAdministrators and the SendBulkMail actions. For
this issue to be exploitable at least one of the following conditions must be
met:

  o an SMTP server has been configured in Jira and the Contact Administrators
    Form is enabled; or
  o an SMTP server has been configured in Jira and an attacker has "JIRA
    Administrators" access.

In the first case, where the Contact Administrators Form is enabled, attackers
are able to exploit this issue without authentication. In the second case,
attackers with "JIRA Administrators" access can exploit this issue. In either
case, successful exploitation of this issue allows an attacker to remotely
execute code on systems that run a vulnerable version of Jira Server or Data
Center.

All versions of Jira Server and Data Center from 4.4.0 before 7.6.14 (the
fixed version for 7.6.x), from 7.7.0 before 7.13.5 (the fixed version for
7.13.x), from 8.0.0 before 8.0.3 (the fixed version for 8.0.x), from 8.1.0
before 8.1.2 (the fixed version for 8.1.x), and from 8.2.0 before 8.2.3 are
affected by this vulnerability.

This issue can be tracked here: JRASERVER-69532

Acknowledgements

We would like to acknowledge Daniil Dmitriev for finding this vulnerability.
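The description names the two affected actions, ContactAdministrators and SendBulkMail, and the advisory later points to Atlassian's guidance on determining whether an instance has been compromised. A first triage step on the defender's side is to pull every request to those two actions out of the web-server access log, grouped by source address, and to check the response status so that a temporary block (403) can be confirmed as effective. The following is an added example, not Atlassian's or AusCERT's code; the log lines and IP addresses are constructed, the Common Log Format layout is an assumption (Jira's own access log format differs and would need its own regex), and only the SendBulkMail path `/secure/admin/SendBulkMail!default.jspa` is taken from the advisory, so matching is done on the action names rather than on full paths.

```python
# Added example (not Atlassian's or AusCERT's code): triage an access log for
# requests to the two Jira actions named in the advisory and check whether
# they were served (2xx/3xx) or blocked (403).  Sample log is constructed.
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Action names from the advisory.  Matching on the action name catches the
# "!default.jspa" form-display variant as well as the ".jspa" submission.
VULNERABLE_ACTIONS = ("ContactAdministrators", "SendBulkMail")

# Common Log Format (assumed layout, not Jira's native access log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client exercising the contact form (served), one
# client hitting SendBulkMail after an endpoint block (403), plus noise.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2019:08:01:10 +1000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120
203.0.113.7 - - [11/Jul/2019:08:01:12 +1000] "GET /secure/ContactAdministrators!default.jspa HTTP/1.1" 200 3400
203.0.113.7 - - [11/Jul/2019:08:01:30 +1000] "POST /secure/ContactAdministrators.jspa HTTP/1.1" 302 0
198.51.100.9 - - [11/Jul/2019:09:15:02 +1000] "GET /secure/admin/SendBulkMail!default.jspa HTTP/1.1" 403 0
198.51.100.9 - - [11/Jul/2019:09:15:03 +1000] "POST /secure/admin/SendBulkMail.jspa HTTP/1.1" 403 0
192.0.2.44 - - [11/Jul/2019:09:20:00 +1000] "GET /browse/PROJ-1 HTTP/1.1" 200 8800
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_action_requests(log_text: str) -> List[dict]:
    """Return every parsed request whose path names a vulnerable action,
    with an added 'action' key saying which one."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for action in VULNERABLE_ACTIONS:
            if action in rec["path"]:
                rec["action"] = action
                hits.append(rec)
                break
    return hits


def still_reachable(hits: List[dict]) -> List[dict]:
    """Requests that were served rather than blocked: if the advisory's
    workaround is in place, POSTs here should show 403, not 2xx/3xx."""
    return [h for h in hits if h["status"] < 400]


def summarise_by_source(hits: List[dict]) -> Dict[str, Counter]:
    """Per source IP, count (action, method, status) combinations."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for h in hits:
        summary[h["ip"]][(h["action"], h["method"], h["status"])] += 1
    return dict(summary)


if __name__ == "__main__":
    hits = find_action_requests(SAMPLE_LOG)
    for ip, counts in summarise_by_source(hits).items():
        print(ip, dict(counts))
    print("served (not blocked):", len(still_reachable(hits)))
```

POST requests to the contact-form action from an address that has no other business with the instance are the entries worth investigating under Atlassian's compromise-assessment guidance; once the endpoint block from the Mitigation section is applied, `still_reachable` should return nothing for new SendBulkMail traffic.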
Fix

We have released the following versions of Jira Server & Jira Data Center to
address this issue:

  o 8.2.3 which is available for download from
    https://www.atlassian.com/software/jira/download
  o 8.1.2 which is available for download from
    https://www.atlassian.com/software/jira/update.
  o 8.0.3 which is available for download from
    https://www.atlassian.com/software/jira/update.
  o 7.13.5 which is available for download from
    https://www.atlassian.com/software/jira/update.
  o 7.6.14 which is available for download from
    https://www.atlassian.com/software/jira/update.

What You Need to Do

Mitigation

If you are unable to upgrade Jira immediately, then as a temporary workaround,
you can:

  1. Disable the Contact Administrators Form; and
  2. Block the /secure/admin/SendBulkMail!default.jspa endpoint from being
     accessed. This can be achieved by denying access in the reverse-proxy,
     load balancer, or Tomcat directly (see instructions).

Note that blocking the SendBulkMail endpoint will prevent Jira Administrators
from being able to send bulk emails to users.

After upgrading Jira, you can re-enable the Administrator Contact Form, and
unblock the SendBulkMail endpoint.

Upgrading Jira

Atlassian recommends that you upgrade to the latest version. For a full
description of the latest version of Jira Server & Jira Data Center, see the
Release Notes. You can download the latest version of Jira Server & Jira Data
Center from the Download Center.

Upgrade Jira Server & Jira Data Center to version 8.2.3 or higher.

If you can't upgrade to the latest version (8.2.3):

(1) If you have a current feature version (a feature version released on
    10 December 2018 or later), upgrade to the next bugfix version of your
    current feature version.

    If you have feature version...
    ...then upgrade to this bugfix version:

      8.0.x    8.0.3
      8.1.x    8.1.2

(2) If you have a current Enterprise release version (an Enterprise release
    version released on 10th July 2017 or later), upgrade to the latest
    Enterprise release version (7.13.5). Please note that the 7.6 Enterprise
    release will reach End of Life in November 2019. If you are unable to
    upgrade to the latest Enterprise release version (7.13.5), upgrade to
    7.6.14.

    If you have Enterprise release version...
    ...then upgrade to this version:

               7.13.5 (Recommended)
      7.6.x    7.6.14
      7.13.x   7.13.5

(3) If you have an older version (a feature version released before
    10 December 2018, or an Enterprise release version released before
    10th July 2017), either upgrade to the latest version, or to the latest
    Enterprise release version (7.13.5).

    If you have older version...
    ...then upgrade to any of these versions:

      4.4.x
      5.x.x
      6.x.x
      7.0.x
      7.1.x    Current versions
      7.2.x      8.0.3
      7.3.x      8.1.2
      7.4.x      8.2.3
      7.5.x    Enterprise releases
      7.7.x      7.6.14
      7.8.x      7.13.5 (Recommended)
      7.9.x
      7.10.x
      7.11.x
      7.12.x

Support

If you did not receive an email for this advisory and you wish to receive such
emails in the future go to https://my.atlassian.com/email and subscribe to
Alerts emails.

If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

For guidance on determining whether your instance has been compromised, see
Determining whether your Jira instance has been compromised by CVE-2019-11851.

References

Security Bug fix Policy
    As per our new policy critical security bug fixes will be back ported in
    accordance with https://www.atlassian.com/trust/security/bug-fix-policy.
    We will release new maintenance releases for the versions covered by the
    policy instead of binary patches. Binary patches are no longer released.

Severity Levels for security issues
    Atlassian security advisories include a severity level and a CVE
    identifier.
    This severity level is based on our self-calculated CVSS score for each
    specific vulnerability. CVSS is an industry standard vulnerability metric.
    You can also learn more about CVSS at FIRST.org.

End of Life Policy
    Our end of life policy varies for different products. Please refer to our
    EOL Policy for details.

Last modified on Jul 11, 2019

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXSghjmaOgq3Tt24GAQiXqg/+PVMfNv2/AFmg1eHqdMDzg1zjoQ9TLQhZ
kmvzXFK8tvBe+TbRTyzX2wQmTxLvQvxIl3jWAdGjRtp+XzKnvp8zHdp08Ec2fncZ
dlFf01b6XuZ5zwMSnDV/a/N/j0jlh8jPgkqi0skSfNmGW6tx8tiGq0SdNuT8NwVQ
YclneDuGm/KUcqtf0OctfTiX7bojzrpRsXGazDaeAGjt2z4XLZkTYQwhpSzik1TE
vIJRmsTXa4Y0lhAPcf0uLbqvpS6QgochCmlsW2EKcsrX3epR2bhUHXqfv4o1jdNM
1QWNqKJF8VoswbvsI9EyW70Hiq/YYYB7WbYvLp7VXT/7HRjR/3NpW2CCkcHE5LGe
+tz6pCroFyJpz+bkwrjppPGvuQywdLRPuX9r3GfPHoDJMfEyvuE657oQ1mxjaZWv
3xIpbYXO0NHZnsDVMRxBb3fFOI1+LPdmmFsklf/9pPV2Fjhb14ReqzlYUe0mw6Qx
00QSKaqpQqHD162TuYea3ZbicOO5yEJzpB7CGAx7tqpQMj3fhdl1wuPFJQEe/ieu
yBaRCgB1sunWED1Xxqxu7Lrs2J8jDf8JRXSpC/GtBuhzWNnXCMyrCKGyePLU0OYT
eNidLi7QcADO0aEo2vPgnRNs/ASMBJdiu65rMO2ug/cN2FobgHNzdsQNE1snflaR
8HvNGq/JFcE=
=h+9F
-----END PGP SIGNATURE-----