===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3582
         Jira Server - Template injection in Jira Importers Plugin
                             23 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jira Server
                   Jira Data Center
Publisher:         Atlassian
Operating System:  Windows
                   Linux variants
                   Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-15001  

Original Bulletin: 
   https://confluence.atlassian.com/jira/jira-security-advisory-2019-09-18-976766250.html

--------------------------BEGIN INCLUDED TEXT--------------------

Jira Server - Template injection in Jira Importers Plugin - CVE-2019-15001

Advisory Release Date: 18 Sep 2019 10:00 AM PDT (Pacific Time, -7 hours)


Product:           Jira Server & Jira Data Center

                   Note: This includes Jira Software, Jira Core, and Jira
                   Service Desk.

                   Jira Cloud customers are not affected.

                   Versions listed are for Jira Core and Jira Software.
                   Check the compatibility matrix to find the equivalent
                   version for your Jira Service Desk version.

Affected Jira Server & Jira Data Center Versions:

  + 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9,
    7.1.10
  + 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9,
    7.2.10, 7.2.11, 7.2.12, 7.2.13, 7.2.14, 7.2.15
  + 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9
  + 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.4.5, 7.4.6
  + 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4
  + 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.6.4, 7.6.5, 7.6.6, 7.6.7, 7.6.8, 7.6.9,
    7.6.10, 7.6.11, 7.6.12, 7.6.13, 7.6.14, 7.6.15
  + 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4
  + 7.8.0, 7.8.1, 7.8.2, 7.8.3, 7.8.4
  + 7.9.0, 7.9.1, 7.9.2
  + 7.10.0, 7.10.1, 7.10.2
  + 7.11.0, 7.11.1, 7.11.2
  + 7.12.0, 7.12.1, 7.12.2, 7.12.3
  + 7.13.0, 7.13.1, 7.13.2, 7.13.3, 7.13.4, 7.13.5, 7.13.6, 7.13.7
  + 8.0.0, 8.0.1, 8.0.2, 8.0.3
  + 8.1.0, 8.1.1, 8.1.2
  + 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4
  + 8.3.0, 8.3.1, 8.3.2, 8.3.3
  + 8.4.0

Fixed Jira Server & Jira Data Center Versions:

  * 7.6.16
  * 7.13.8
  * 8.1.3
  * 8.2.5
  * 8.3.4
  * 8.4.1

CVE ID(s):         CVE-2019-15001


Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was
introduced in version 7.0.10 of Jira Server & Jira Data Center. Versions of
Jira Server & Jira Data Center affected by this vulnerability:

  * from 7.0.10 before 7.6.16 (fixed in 7.6.16)
  * from 7.7.0 before 7.13.8 (fixed in 7.13.8)
  * from 8.0.0 before 8.1.3 (fixed in 8.1.3)
  * from 8.2.0 before 8.2.5 (fixed in 8.2.5)
  * from 8.3.0 before 8.3.4 (fixed in 8.3.4) 
  * from 8.4.0 before 8.4.1 (fixed in 8.4.1)

Atlassian Cloud instances have already been upgraded to a version of Jira which
does not have the issue described on this page.

Customers who have upgraded Jira Server & Jira Data Center to a fixed version
(7.6.16, 7.13.8, 8.1.3, 8.2.5, 8.3.4 or 8.4.1) or to a later version in the
same release line are not affected.

Customers running any of the affected versions listed above should upgrade
their Jira Server & Jira Data Center installations immediately to fix this
vulnerability.


Template injection in Jira Importers Plugin

Severity

Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT
environment.


Description

There was a server-side template injection vulnerability in Jira Server and
Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA
Administrators" access can exploit this issue. Successful exploitation of this
issue allows an attacker to remotely execute code on systems that run a
vulnerable version of Jira Server or Data Center.

Versions of Jira Server & Jira Data Center from 7.0.10 before 7.6.16 (the fixed
version for 7.6.x), from 7.7.0 before 7.13.8 (the fixed version for 7.13.x),
from 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from 8.2.0 before 8.2.5
(the fixed version for 8.2.x), from 8.3.0 before 8.3.4 (the fixed version for
8.3.x), and from 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected
by this vulnerability.

Acknowledgements

We would like to acknowledge Daniil Dmitriev for finding this vulnerability.

Fix

We have released the following versions of Jira Server & Jira Data Center to
address this issue:

 1. 8.4.1 which is available for download from https://www.atlassian.com/
    software/jira/core/download
 2. 8.3.4 which is available for download from https://www.atlassian.com/
    software/jira/core/update
 3. 8.2.5 which is available for download from https://www.atlassian.com/
    software/jira/core/update
 4. 8.1.3 which is available for download from https://www.atlassian.com/
    software/jira/core/update
 5. 7.13.8 which is available for download from https://www.atlassian.com/
    software/jira/core/update
 6. 7.6.16 which is available for download from https://www.atlassian.com/
    software/jira/core/update


We have released the following versions of Jira Software Server to address this
issue:

 1. 8.4.1 which is available for download from https://www.atlassian.com/
    software/jira/download
 2. 8.3.4 which is available for download from https://www.atlassian.com/
    software/jira/update
 3. 8.2.5 which is available for download from https://www.atlassian.com/
    software/jira/update
 4. 8.1.3 which is available for download from https://www.atlassian.com/
    software/jira/update
 5. 7.13.8 which is available for download from https://www.atlassian.com/
    software/jira/update
 6. 7.6.16 which is available for download from https://www.atlassian.com/
    software/jira/update

What You Need to Do

Mitigation

If you are unable to upgrade Jira immediately or are in the process of
migrating to Jira Cloud, then as a temporary workaround you can block PUT
requests to the following endpoint:

  * /rest/jira-importers-plugin/1.0/demo/create

Atlassian's KB article (linked from the original advisory) gives examples of
how to do this; select one of the workarounds.

After upgrading Jira to a fixed version, you can unblock the endpoint.

Do not disable the Jira Importers Plugin.
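The following shell script is an added example and is not part of the Atlassian
advisory or its KB article. It implements the workaround above on an nginx
reverse proxy and then probes the proxy to confirm the block is live. It
assumes nginx fronts Jira at http://127.0.0.1:8080, that Jira is served from
the root context path (if Jira runs under a context path such as /jira, prefix
JIM_ENDPOINT accordingly), and that you will include the generated file inside
the server { } block that proxies Jira; the file path and hostname in the usage
comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the Atlassian advisory: temporary CVE-2019-15001
# workaround on an nginx reverse proxy (refuse PUT to the Jira Importers
# Plugin demo endpoint) plus a probe that checks the rule is in effect.
# Assumptions: nginx proxies to Jira at http://127.0.0.1:8080; Jira runs at
# the root context path; the generated fragment is included inside the Jira
# server { } block. Adjust JIM_ENDPOINT if Jira uses a context path.

JIM_ENDPOINT='/rest/jira-importers-plugin/1.0/demo/create'
JIRA_UPSTREAM='http://127.0.0.1:8080'

# Write an nginx location fragment to the file named in $1. The prefix match
# (^~) also catches trailing-slash variants of the path; only PUT is refused,
# so GET/POST to the endpoint still reach Jira unchanged.
write_nginx_block() {
  cat >"$1" <<EOF
# CVE-2019-15001 temporary workaround: refuse PUT to the Jira Importers
# Plugin demo endpoint. Remove once Jira is on 7.6.16, 7.13.8, 8.1.3, 8.2.5,
# 8.3.4, 8.4.1 or a later release in the same line.
# Include this file inside the server { } block that proxies Jira.
location ^~ ${JIM_ENDPOINT} {
    if (\$request_method = PUT) {
        return 403;
    }
    proxy_pass ${JIRA_UPSTREAM};
    proxy_set_header Host \$host;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
EOF
}

# Probe the live proxy: a PUT must be answered 403 by nginx, while a GET to
# the same path must still be passed through to Jira (any status other than
# 403). Prints both status codes and returns 0 only when both conditions hold.
probe_block() {
  base="$1"
  put=$(curl -s -o /dev/null -w '%{http_code}' -X PUT \
          -H 'Content-Type: application/json' -d '{}' "${base}${JIM_ENDPOINT}")
  get=$(curl -s -o /dev/null -w '%{http_code}' "${base}${JIM_ENDPOINT}")
  echo "PUT -> ${put}, GET -> ${get}"
  [ "$put" = "403" ] && [ "$get" != "403" ]
}

# Usage on the proxy host (paths and hostname are placeholders):
#   write_nginx_block /etc/nginx/snippets/jim-cve-2019-15001.conf
#   # add "include snippets/jim-cve-2019-15001.conf;" to the Jira server block
#   nginx -t && nginx -s reload
#   probe_block https://jira.example.com
```

Two caveats for this workaround. It only helps if every client path goes through
the proxy, so the Tomcat connector port must not be reachable directly (and on
Data Center, every node behind the load balancer must be covered). Tomcat and
nginx also normalise request paths differently, so after reloading, run the
probe and watch the nginx access log rather than assuming the rule matches; if
Jira itself happens to answer 403 to the unauthenticated GET, distinguish the
two responses by their body or by the nginx log entry.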

Upgrading Jira

Atlassian recommends that you upgrade to the latest version. For a full
description of the latest version of Jira Server & Jira Data Center, see the
release notes. You can download the latest version of Jira Server & Jira Data
Center from the download center.

Upgrade Jira Server & Jira Data Center to version 8.4.1 or higher.

If you can't upgrade to the latest version (8.4.1):

(1) If you have a current feature version (a feature version released on 10
December 2018 or later), upgrade to the next bugfix version of your current
feature version.

If you have feature version:     then upgrade to this bugfix version:

  8.0.x                          8.1.3
  8.1.x                          8.1.3
  8.2.x                          8.2.5
  8.3.x                          8.3.4
  8.4.x                          8.4.1


(2) If you have a current Enterprise release version (an Enterprise release
version released on 10th July 2017 or later), upgrade to the latest Enterprise
release version (7.13.8).


If you have Enterprise release version: then upgrade to this version:

7.6.x                                   7.6.16, 7.13.8 (recommended)
7.13.x                                  7.13.8


(3) If you have an older version (a feature version released before 10 December
2018, or an Enterprise release version released before 10th July 2017), either
upgrade to the latest version, or to the latest Enterprise release version
(7.13.8).


If you have an older version:    then upgrade to any of these versions:

  7.0.x, 7.1.x, 7.2.x, 7.3.x,    Current versions:
  7.4.x, 7.5.x, 7.7.x, 7.8.x,      8.1.3, 8.2.5, 8.3.4, 8.4.1
  7.9.x, 7.10.x, 7.11.x, 7.12.x  Enterprise releases:
                                   7.6.16, 7.13.8
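The following shell script is an added example, not part of the Atlassian
advisory. It encodes the affected ranges from the Summary of Vulnerability
section and the upgrade targets from the tables above, so that a fleet
inventory of Jira version strings can be checked mechanically: for each version
it reports whether the version falls in an affected range and, if so, the
smallest fixed version in that release line. Only the version ranges come from
the advisory; the function names and the version-to-integer encoding are this
example's own choices.

```shell
#!/bin/sh
# Added example, not from the Atlassian advisory: decide whether a Jira
# Server / Data Center version is in a CVE-2019-15001 affected range and, if
# so, name the smallest fixed version in that line. The ranges are copied
# from the advisory; the helper names and encoding are assumptions.

# Encode "major.minor.patch" as one integer so ranges compare with -ge/-lt.
# A missing patch component counts as 0 (7.13 -> 7013000).
ver_key() {
  IFS=. read -r major minor patch <<EOF
$1
EOF
  echo $(( major * 1000000 + minor * 1000 + ${patch:-0} ))
}

# Print the fixed version for the Jira version in $1 and return 0 if that
# version is affected; print nothing and return 1 otherwise. Each range is
# "first-affected first-fixed", half-open, as listed in the advisory.
jira_fix_for() {
  key=$(ver_key "$1")
  for range in "7.0.10 7.6.16" "7.7.0 7.13.8" "8.0.0 8.1.3" \
               "8.2.0 8.2.5" "8.3.0 8.3.4" "8.4.0 8.4.1"; do
    set -- $range
    if [ "$key" -ge "$(ver_key "$1")" ] && [ "$key" -lt "$(ver_key "$2")" ]; then
      echo "$2"
      return 0
    fi
  done
  return 1
}

# One-line verdict for a version string, suitable for a fleet report.
report() {
  if fix=$(jira_fix_for "$1"); then
    echo "$1: AFFECTED by CVE-2019-15001, upgrade to $fix or later"
  else
    echo "$1: not in an affected range"
  fi
}

# Usage: ./jira-cve-2019-15001-check.sh 7.13.7 8.4.0 8.4.1
if [ $# -gt 0 ]; then
  for v in "$@"; do
    report "$v"
  done
fi
```

The "not in an affected range" verdict covers both versions released before
7.0.10 and versions at or after the fix for their line; a version the advisory
does not enumerate, such as a later 8.5.x release, is also reported that way,
so the script only answers the question this advisory asks and is not a
general Jira vulnerability check.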

Last modified on Sep 18, 2019

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================