-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2931
          CVE-2020-36239 - Missing Authentication for Ehcache RMI
                              31 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jira Data Center
                   Jira Service Management Data Center
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-36239  

Original Bulletin: 
   https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Jira Data Center & Jira Service Management Data Center - Missing Authentication
for Ehcache RMI - CVE-2020-36239

+---------------------------------+-------------------------------------------+
|             Summary             |CVE-2020-36239 - Missing Authentication for|
|                                 |Ehcache RMI                                |
+---------------------------------+-------------------------------------------+
|                                 |21 Jul 2021 10 AM PDT (Pacific Time, UTC -7|
|      Advisory Release Date      |hours)                                     |
|                                 |                                           |
|                                 |                                           |
+---------------------------------+-------------------------------------------+
|                                 |  o Jira Data Center                       |
|                                 |                                           |
|                                 |      o Jira Software Data Center          |
|                                 |                                           |
|                                 |      o Jira Core Data Center              |
|                                 |                                           |
|                                 |  o Jira Service Management Data Center    |
|                                 |                                           |
|                                 |Note: Jira Data Center includes Jira       |
|                                 |Software Data Center, and Jira Core Data   |
|             Product             |Center.                                    |
|                                 |                                           |
|                                 |                                           |
|                                 |Non-Data Center instances of Jira Server   |
|                                 |(Core & Software) and Jira Service         |
|                                 |Management are not affected.               |
|                                 |                                           |
|                                 |Jira Cloud customers are not affected.     |
|                                 |                                           |
|                                 |Jira Service Management Cloud customers are|
|                                 |not affected.                              |
+---------------------------------+-------------------------------------------+
|                                 |Jira Data Center, Jira Core Data Center,   |
|                                 |and Jira Software Data Center - ranges     |
|                                 |                                           |
|                                 |  o 6.3.0 <= version < 8.5.16              |
|                                 |                                           |
|                                 |  o 8.6.0 <= version < 8.13.8              |
|                                 |                                           |
|                                 |  o 8.14.0 <= version < 8.17.0             |
|                                 |                                           |
|                                 |                                           |
|                                 |Jira Service Management Data Center -      |
|                                 |ranges                                     |
|                                 |                                           |
|                                 |  o 2.0.2 <= version < 4.5.16              |
|                                 |                                           |
|                                 |  o 4.6.0 <= version < 4.13.8              |
|                                 |                                           |
|                                 |  o 4.14.0 <= version < 4.17.0             |
|                                 |                                           |
|                                 |                                           |
|                                 |Jira Data Center, Jira Core Data Center,   |
|                                 |and Jira Software Data Center              |
|                                 |                                           |
|                                 |  o All 6.3.x, 6.4.x versions              |
|                                 |                                           |
|                                 |  o All 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, |
|                                 |    7.5.x, 7.6.x, 7.7.x, 7.8.x, 7.9.x,     |
|                                 |    7.10.x, 7.11.x, 7.12.x, 7.13.x versions|
|        Affected Versions        |                                           |
|                                 |  o All 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x  |
|                                 |    versions                               |
|                                 |                                           |
|                                 |  o All 8.5.x versions before 8.5.16       |
|                                 |                                           |
|                                 |  o All 8.6.x, 8.7.x, 8.8.x, 8.9.x, 8.10.x,|
|                                 |    8.11.x, 8.12.x versions                |
|                                 |                                           |
|                                 |  o All 8.13.x versions before 8.13.8      |
|                                 |                                           |
|                                 |  o All 8.14.x, 8.15.x, 8.16.x versions    |
|                                 |                                           |
|                                 |Jira Service Management Data Center        |
|                                 |                                           |
|                                 |  o All 2.x.x versions after 2.0.2         |
|                                 |                                           |
|                                 |  o All 3.x.x versions                     |
|                                 |                                           |
|                                 |  o All 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x  |
|                                 |    versions                               |
|                                 |                                           |
|                                 |  o All 4.5.x versions before 4.5.16       |
|                                 |                                           |
|                                 |  o All 4.6.x, 4.7.x, 4.8.x, 4.9.x, 4.10.x,|
|                                 |    4.11.x, 4.12.x versions                |
|                                 |                                           |
|                                 |  o All 4.13.x versions before 4.13.8      |
|                                 |                                           |
|                                 |  o All 4.14.x, 4.15.x, 4.16.x versions    |
+---------------------------------+-------------------------------------------+
|                                 |  o Version 8.5.16 for 8.5.x LTS           |
|   Fixed Versions - Jira Data    |                                           |
| Center, Jira Core Data Center,  |  o Version 8.13.8 for 8.13.x LTS          |
|  and Jira Software Data Center  |                                           |
|                                 |  o Version 8.17.0                         |
+---------------------------------+-------------------------------------------+
|                                 |  o Version 4.5.16 for 4.5.x LTS           |
|  Fixed Versions - Jira Service  |                                           |
|     Management Data Center      |  o Version 4.13.8 for 4.13.x LTS          |
|                                 |                                           |
|                                 |  o Version 4.17.0                         |
+---------------------------------+-------------------------------------------+
|             CVE ID              |CVE-2020-36239                             |
+---------------------------------+-------------------------------------------+


Summary of Vulnerability

This advisory discloses a critical severity security vulnerability introduced
in version 6.3.0 of Jira Data Center, Jira Core Data Center, Jira Software Data
Center, and Jira Service Management Data Center (known as Jira Service Desk
prior to 4.14). Affected versions of Jira Data Center and Jira Service
Management Data Center can be found in the table above (see "Affected
Versions").

Customers who have downloaded and installed any versions listed in the Affected
Versions section must upgrade their installations immediately to fix this
vulnerability:

  o Jira Data Center

  o Jira Core Data Center

  o Jira Software Data Center

  o Jira Service Management Data Center

Atlassian Cloud is not affected by the issue described on this page.

Jira Cloud is not affected.

Jira Service Management Cloud is not affected.

Non-Data Center instances of Jira Server (Core & Software) and Jira Service
Management are not affected by the issue described on this page.

Single node Data Center instances without a cluster.properties file are not
affected.

Customers who have upgraded Jira Data Center, Jira Core Data Center, Jira
Software Data Center to versions

  o 8.5.16

  o 8.13.8

  o 8.17.0

and/or Jira Service Management Data Center to versions

  o 4.5.16

  o 4.13.8

  o 4.17.0

or higher are not affected.


Missing Authentication for Ehcache RMI - CVE-2020-36239
Severity

Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT
environment.

Description

Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira
Service Management Data Center exposed an Ehcache RMI network service. Attackers
who can connect to this service on port 40001 and potentially 40011 [0][1][2]
could execute arbitrary code of their choice in Jira through deserialization,
because the service required no authentication. While Atlassian strongly
suggests restricting access to the Ehcache ports to Data Center instances only,
fixed versions of Jira now require a shared secret in order to allow access to
the Ehcache service.

[0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center
versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

[1] In Jira Service Management Data Center versions prior to 3.16.1, the
Ehcache object port can be randomly allocated.

[2] The default Ehcache port is 40001 but it can be configured to be on a
different port, see Installing JIRA Data Center for more details.


The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data
Center affected by this vulnerability are:

  o From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)

  o From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)

  o From version 8.14.0 before 8.17.0

The versions of Jira Service Management Data Center affected by this
vulnerability are:

  o From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)

  o From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)

  o From version 4.14.0 before 4.17.0
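
The affected ranges above, as an added example that is not part of the Atlassian advisory: a POSIX shell check that compares an installed Jira Data Center or Jira Service Management Data Center version, component by component, against the three ranges for each product, so an administrator can run it over an inventory rather than reading the table by hand. The version strings it is run against at the end are constructed.

```sh
#!/bin/sh
# Added example (not from the Atlassian advisory): decide whether a Jira
# Data Center / Jira Service Management Data Center version falls inside the
# affected ranges for CVE-2020-36239. Versions are compared numerically per
# component, so 8.13.10 sorts after 8.13.8 (a string compare would not).

# Convert "major.minor.patch" into one integer for comparison.
ver_num() {
  echo "$1" | awk -F. '{ printf "%d", ($1 * 1000000) + ($2 * 1000) + $3 }'
}

# True when lo <= version < hi (all three arguments are dotted versions).
in_range() {
  v=$(ver_num "$1"); lo=$(ver_num "$2"); hi=$(ver_num "$3")
  [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]
}

# Jira Data Center, Jira Core Data Center, Jira Software Data Center ranges.
jira_dc_affected() {
  in_range "$1" 6.3.0 8.5.16 || in_range "$1" 8.6.0 8.13.8 || in_range "$1" 8.14.0 8.17.0
}

# Jira Service Management Data Center (Jira Service Desk before 4.14) ranges.
jsm_dc_affected() {
  in_range "$1" 2.0.2 4.5.16 || in_range "$1" 4.6.0 4.13.8 || in_range "$1" 4.14.0 4.17.0
}

# Print "affected" or "not affected" for product (jira|jsm) and version.
verdict() {
  case "$1" in
    jira) if jira_dc_affected "$2"; then echo affected; else echo "not affected"; fi ;;
    jsm)  if jsm_dc_affected "$2";  then echo affected; else echo "not affected"; fi ;;
    *)    echo "unknown product: $1" >&2; return 2 ;;
  esac
}

# Constructed version strings for demonstration.
verdict jira 8.13.7   # affected (8.13.x before the 8.13.8 LTS fix)
verdict jira 8.13.8   # not affected
verdict jira 7.12.3   # affected (inside 6.3.0 <= version < 8.5.16)
verdict jsm  4.16.2   # affected (4.14.0 <= version < 4.17.0)
verdict jsm  4.17.0   # not affected
```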

This issue can be tracked at:

  o JRASERVER-72566
  o JSDSERVER-8454

Acknowledgements

Credit for finding this vulnerability goes to Harrison Neal.

Fix

To address these issues, we have released Jira Data Center, Jira Core Data
Center, and Jira Software Data Center:

  o 8.5.16 that contains a fix for this issue

  o 8.13.8 that contains a fix for this issue

  o 8.17.0 that contains a fix for this issue

Jira Service Management Data Center versions:

  o 4.5.16 that contains a fix for this issue

  o 4.13.8 that contains a fix for this issue

  o 4.17.0 that contains a fix for this issue

These versions can be downloaded at:

  o Jira Core Server: https://www.atlassian.com/software/jira/core/download

  o Jira Software Data Center: https://www.atlassian.com/software/jira/update

  o Jira Service Management Data Center: https://www.atlassian.com/software/
    jira/service-management/update

What You Need to Do

Atlassian recommends that you upgrade to the latest version. We also recommend
restricting access to the Ehcache RMI ports as per the instructions in the
Mitigation section below. For a full description of the latest version, see the
release notes for Jira Data Center, Jira Software Data Center, and Jira Service
Management Data Center. You can download the latest versions of Jira Data Center
and Jira Service Management Data Center from the download center.


Upgrade Jira Data Center to version 8.17.0 or higher.

If you cannot upgrade to 8.17.0, then upgrade to 8.5.16 or 8.13.8.


Upgrade Jira Service Management Data Center to version 4.17.0 or higher.

If you cannot upgrade to 4.17.0, then upgrade to 4.5.16 or 4.13.8.


Mitigation

Restrict access to the Ehcache RMI ports of Jira Data Center, Jira Core Data
Center, Jira Software Data Center, and Jira Service Management Data Center to
cluster instances only, using firewalls or similar technologies.

Data Center cluster nodes still need to be able to connect to the other cluster
nodes' Ehcache ports.

In Jira Data Center, Jira Core Data Center, and Jira Software Data Center
versions 7.13.1 and above, the ports that need to be restricted to cluster
instances are:

  o port 40001

  o port 40011

  o If you have changed from using the default Ehcache RMI ports as per
    Installing JIRA Data Center, then you will need to restrict access to
    cluster instances to the specific ports that you have configured Ehcache
    RMI to use

In Jira Data Center, Jira Core Data Center, and Jira Software Data Center
versions 7.13.0 and below, the ports that need to be restricted to cluster
instances are:

  o port 40001

  o port 40011

  o ports in the range 1024-65536 (in version 7.3.1 and above you can apply the
    workaround detailed in https://jira.atlassian.com/browse/JRASERVER-66608 to
    avoid needing to restrict access to these ports)

  o If you have changed from using the default Ehcache RMI ports as per
    Installing JIRA Data Center, then you will need to restrict access to
    cluster instances to the specific ports that you have configured Ehcache
    RMI to use


In Jira Service Management Data Center versions 3.16.1 and above, the ports
that need to be restricted to cluster instances are:

  o port 40001

  o port 40011

  o If you have changed from using the default Ehcache RMI ports as per
    Installing JIRA Data Center, then you will need to restrict access to
    cluster instances to the specific ports that you have configured Ehcache
    RMI to use

In Jira Service Management Data Center versions 3.16.0 and below, the ports
that need to be restricted are:

  o port 40001

  o port 40011

  o ports in the range 1024-65536 (in version 3.3.1 and above you can apply the
    workaround detailed in https://jira.atlassian.com/browse/JRASERVER-66608 to
    avoid needing to restrict access to these ports)

  o If you have changed from using the default Ehcache RMI ports as per
    Installing JIRA Data Center, then you will need to restrict access to
    cluster instances to the specific ports that you have configured Ehcache
    RMI to use
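
The firewall restriction described in this Mitigation section, as an added example that is not part of the Atlassian advisory: a POSIX shell script that reads a node's cluster.properties for the configured Ehcache RMI ports (falling back to the defaults 40001 and 40011) and prints iptables rules that admit those ports only from the listed cluster nodes and drop everything else. It covers the fixed-port case (Jira 7.13.1+ and Jira Service Management 3.16.1+), and it assumes the property names ehcache.listener.port and ehcache.object.port (the keys Atlassian's Data Center installation documentation uses for the two ports); the sample properties file and node addresses are constructed.

```sh
#!/bin/sh
# Added example (not from the Atlassian advisory): emit iptables rules that
# expose a node's Ehcache RMI ports to the other cluster nodes only.
# Assumed cluster.properties keys: ehcache.listener.port (default 40001)
# and ehcache.object.port (default 40011). Rules are printed for review,
# not applied; the ACCEPT rules must precede the DROP for each port.

# Print the value of a key in a Java-style properties file, or "" if absent.
prop_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print "listener_port object_port" for the given cluster.properties.
ehcache_ports() {
  lp=$(prop_value "$1" 'ehcache\.listener\.port')
  op=$(prop_value "$1" 'ehcache\.object\.port')
  echo "${lp:-40001} ${op:-40011}"
}

# $1 = cluster.properties path, remaining args = cluster node IPs or CIDRs.
# One ACCEPT per (node, port), then a DROP for the port from anywhere else.
ehcache_firewall_rules() {
  props=$1; shift
  for port in $(ehcache_ports "$props"); do
    for node in "$@"; do
      echo "iptables -A INPUT -p tcp -s $node --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
  done
}

# Write a constructed cluster.properties (non-default object port) and print its path.
write_sample_props() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed cluster.properties for this example
jira.node.id = node1
jira.shared.home = /data/jira/sharedhome
ehcache.listener.port = 40001
ehcache.object.port = 40021
EOF
  echo "$f"
}

# Demonstration with constructed node addresses.
sample=$(write_sample_props)
ehcache_firewall_rules "$sample" 10.0.1.11 10.0.1.12
rm -f "$sample"
```

Nodes whose Jira version still allocates the object port randomly (before 7.13.1 / 3.16.1) need the wider port range or the JRASERVER-66608 workaround described above, which this script does not cover.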


Last modified on Aug 29, 2021

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----