===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2931
           CVE-2020-36239 - Missing Authentication for Ehcache RMI
                               31 August 2021
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jira Data Center
                   Jira Service Management Data Center
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-36239

Original Bulletin:
   https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html

--------------------------BEGIN INCLUDED TEXT--------------------

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

Summary
  CVE-2020-36239 - Missing Authentication for Ehcache RMI

Advisory Release Date
  21 Jul 2021 10 AM PDT (Pacific Time, UTC -7 hours)

Product
  o Jira Data Center
  o Jira Software Data Center
  o Jira Core Data Center
  o Jira Service Management Data Center

  Note: Jira Data Center includes Jira Software Data Center and Jira Core Data Center.

  Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected.
  Jira Cloud customers are not affected.
  Jira Service Management Cloud customers are not affected.

Affected Versions
  Jira Data Center, Jira Core Data Center, and Jira Software Data Center - ranges
    o 6.3.0 <= version < 8.5.16
    o 8.6.0 <= version < 8.13.8
    o 8.14.0 <= version < 8.17.0

  Jira Service Management Data Center - ranges
    o 2.0.2 <= version < 4.5.16
    o 4.6.0 <= version < 4.13.8
    o 4.14.0 <= version < 4.17.0

  Jira Data Center, Jira Core Data Center, and Jira Software Data Center
    o All 6.3.x, 6.4.x versions
    o All 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x, 7.7.x, 7.8.x, 7.9.x,
      7.10.x, 7.11.x, 7.12.x, 7.13.x versions
    o All 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x versions
    o All 8.5.x versions before 8.5.16
    o All 8.6.x, 8.7.x, 8.8.x, 8.9.x, 8.10.x, 8.11.x, 8.12.x versions
    o All 8.13.x versions before 8.13.8
    o All 8.14.x, 8.15.x, 8.16.x versions

  Jira Service Management Data Center
    o All 2.x.x versions after 2.0.2
    o All 3.x.x versions
    o All 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x versions
    o All 4.5.x versions before 4.5.16
    o All 4.6.x, 4.7.x, 4.8.x, 4.9.x, 4.10.x, 4.11.x, 4.12.x versions
    o All 4.13.x versions before 4.13.8
    o All 4.14.x, 4.15.x, 4.16.x versions

Fixed Versions - Jira Data Center, Jira Core Data Center, and Jira Software Data Center
  o Version 8.5.16 for 8.5.x LTS
  o Version 8.13.8 for 8.13.x LTS
  o Version 8.17.0

Fixed Versions - Jira Service Management Data Center
  o Version 4.5.16 for 4.5.x LTS
  o Version 4.13.8 for 4.13.x LTS
  o Version 4.17.0

CVE ID
  CVE-2020-36239

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability introduced in version 6.3.0 of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center (known as Jira Service Desk prior to 4.14).

Affected versions of Jira Data Center and Jira Service Management Data Center can be found in the table above (see "Affected Versions").

Customers who have downloaded and installed any versions listed in the Affected Versions section must upgrade their installations immediately to fix this vulnerability:

  o Jira Data Center
  o Jira Core Data Center
  o Jira Software Data Center
  o Jira Service Management Data Center

Atlassian Cloud is not affected by the issue described on this page. Jira Cloud is not affected. Jira Service Management Cloud is not affected.

Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected by the issue described on this page.

Single node Data Center instances without a cluster.properties file are not affected.

Customers who have upgraded Jira Data Center, Jira Core Data Center, Jira Software Data Center to versions

  o 8.5.16
  o 8.13.8
  o 8.17.0

and/or Jira Service Management Data Center to versions

  o 4.5.16
  o 4.13.8
  o 4.17.0

or higher are not affected.

Missing Authentication for Ehcache RMI - CVE-2020-36239

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.
Description

Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed an Ehcache RMI network service. Attackers who can connect to the service, on port 40001 and potentially 40011 [0][1][2], could execute arbitrary code of their choice in Jira through deserialization, due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service.

[0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.
[1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.
[2] The default Ehcache port is 40001 but it can be configured to be on a different port; see Installing JIRA Data Center for more details.

The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:

  o From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)
  o From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)
  o From version 8.14.0 before 8.17.0

The versions of Jira Service Management Data Center affected by this vulnerability are:

  o From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
  o From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
  o From version 4.14.0 before 4.17.0

This issue can be tracked at:

  o JRASERVER-72566
  o JSDSERVER-8454

Acknowledgements

Credit for finding this vulnerability goes to Harrison Neal.
Fix

To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:

  o 8.5.16 that contains a fix for this issue
  o 8.13.8 that contains a fix for this issue
  o 8.17.0 that contains a fix for this issue

Jira Service Management Data Center versions:

  o 4.5.16 that contains a fix for this issue
  o 4.13.8 that contains a fix for this issue
  o 4.17.0 that contains a fix for this issue

These versions can be downloaded at:

  o Jira Core Server: https://www.atlassian.com/software/jira/core/download
  o Jira Software Data Center: https://www.atlassian.com/software/jira/update
  o Jira Service Management Data Center: https://www.atlassian.com/software/jira/service-management/update

What You Need to Do

Atlassian recommends that you upgrade to the latest version. We also recommend restricting access to the Ehcache RMI ports as per these instructions and the information found below in the Mitigation section of this page.

For a full description of the latest version, see the release notes for Jira Data Center here, Jira Software Data Center here, and Jira Service Management Data Center here. You can download the latest versions of Jira Data Center and Jira Service Management Data Center from the download center (Jira Data Center | Jira Service Management Data Center).

Upgrade Jira Data Center to version 8.17.0 or higher. If you cannot upgrade to 8.17.0, then upgrade to 8.5.16 or 8.13.8.

Upgrade Jira Service Management Data Center to version 4.17.0 or higher. If you cannot upgrade to 4.17.0, then upgrade to 4.5.16 or 4.13.8.

Mitigation

Restrict access to the Ehcache RMI ports of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center to cluster instances only, via the use of firewalls or similar technologies. Data Center cluster nodes still need to be able to connect to the other cluster nodes' Ehcache ports.
In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions 7.13.1 and above, ports that need to be restricted to cluster instances are:

  o port 40001
  o port 40011
  o If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances to the specific ports that you have configured Ehcache RMI to use

In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions 7.13.0 and below, ports that need to be restricted to cluster instances are:

  o port 40001
  o port 40011
  o ports in the range 1024-65536 (in version 7.3.1 and above you can apply the workaround detailed in https://jira.atlassian.com/browse/JRASERVER-66608 to avoid needing to restrict access to these ports)
  o If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances to the specific ports that you have configured Ehcache RMI to use

In Jira Service Management Data Center versions 3.16.1 and above, ports that need to be restricted to cluster instances are:

  o port 40001
  o port 40011
  o If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances to the specific ports that you have configured Ehcache RMI to use

In Jira Service Management Data Center versions 3.16.0 and below, ports that need to be restricted are:

  o port 40001
  o port 40011
  o ports in the range 1024-65536 (in version 3.3.1 and above you can apply the workaround detailed in https://jira.atlassian.com/browse/JRASERVER-66608 to avoid needing to restrict access to these ports)
  o If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances to the specific ports that you have configured Ehcache RMI to use

Last modified on Aug 29, 2021
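The following Python helper is an added example, not part of the advisory and not Atlassian tooling: it encodes the affected ranges and the per-version port lists above, so a node's installed version string can be checked and the ports that must be restricted to cluster instances derived. The product keys "jira" and "jsm" and the `has_cluster_properties` flag are this helper's own assumptions.

```python
"""Assess one Jira Data Center node against CVE-2020-36239.

Added helper (not Atlassian code). Version ranges and port lists are
transcribed from the advisory; the product keys "jira" (Jira / Jira Core /
Jira Software Data Center) and "jsm" (Jira Service Management Data Center)
are this helper's own convention.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Per release line: (first affected, first fixed); affected if lo <= v < hi.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "jira": [((6, 3, 0), (8, 5, 16)), ((8, 6, 0), (8, 13, 8)), ((8, 14, 0), (8, 17, 0))],
    "jsm": [((2, 0, 2), (4, 5, 16)), ((4, 6, 0), (4, 13, 8)), ((4, 14, 0), (4, 17, 0))],
}
# Below these versions the Ehcache object port can be randomly allocated,
# so the 1024-65536 range named in the Mitigation section applies as well.
RANDOM_PORT_BELOW: Dict[str, Version] = {"jira": (7, 13, 1), "jsm": (3, 16, 1)}
DEFAULT_PORTS = [(40001, 40001), (40011, 40011)]


def parse_version(text: str) -> Version:
    """'8.13.7' -> (8, 13, 7); a suffix such as '-rc1' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def fixed_version_for(product: str, version: str) -> Optional[Version]:
    """Fixed version of the affected release line, or None if unaffected."""
    v = parse_version(version)
    for lo, hi in AFFECTED[product]:
        if lo <= v < hi:
            return hi
    return None


def ports_to_restrict(product: str, version: str,
                      custom_ports: Optional[List[int]] = None) -> List[Tuple[int, int]]:
    """(low, high) TCP port ranges that only cluster nodes may reach."""
    ranges = [(p, p) for p in custom_ports] if custom_ports else list(DEFAULT_PORTS)
    if parse_version(version) < RANDOM_PORT_BELOW[product]:
        ranges.append((1024, 65536))  # random object port; range as the advisory states it
    return ranges


def assess(product: str, version: str, has_cluster_properties: bool = True) -> Dict[str, object]:
    """Single nodes without cluster.properties are out of scope per the advisory."""
    fixed = fixed_version_for(product, version) if has_cluster_properties else None
    return {
        "affected": fixed is not None,
        "upgrade_to": ".".join(map(str, fixed)) if fixed else None,
        "restrict": ports_to_restrict(product, version) if fixed else [],
    }
```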
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

   https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================