===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.3514.2
                 Jira Service Management Security Advisory
                              25 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Insight
                   Atlassian Jira Service Management Data Center
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10054  

Reference:         ESB-2020.1440

Original Bulletin: 
   https://confluence.atlassian.com/adminjiraserver/jira-service-management-security-advisory-2021-10-20-1085186548.html

Revision History:  October 25 2021: Vendor updated version and product details
                   October 21 2021: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

+---------------------------+-------------------------------------------------+
|          Summary          |CVE-2018-10054 - Remote Code Execution through   |
|                           |Insight - Asset Management                       |
+---------------------------+-------------------------------------------------+
|                           |20th Oct 2021 10 AM PDT (Pacific Time, -7 hours) |
|                           |                                                 |
|   Advisory release date   |(This advisory was updated on the 21st of October|
|                           |2021 to clarify the affected versions of Jira    |
|                           |Service Management Server)                       |
+---------------------------+-------------------------------------------------+
|                           |  o Insight - Asset Management app               |
|                           |                                                 |
|                           |  o Jira Service Management Data Center and      |
|          Product          |    Server                                       |
|                           |                                                 |
|                           |Jira Service Management Cloud customers aren't   |
|                           |affected.                                        |
+---------------------------+-------------------------------------------------+
|                           |Insight - Asset Management app - Marketplace     |
|                           |download version:                                |
|                           |                                                 |
|                           |  o All 5.x versions                             |
|                           |                                                 |
|                           |  o All 6.x versions                             |
|                           |                                                 |
|                           |  o All 7.x versions                             |
|                           |                                                 |
|                           |  o All 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x,|
|                           |    8.6.x, 8.7.x, 8.8.x versions                 |
|                           |                                                 |
|                           |  o All 8.9.x versions before 8.9.3              |
|                           |                                                 |
|                           |-------------------------------------------------|
|                           |                                                 |
|     Affected versions     |Jira Service Management Data Center and Server   |
|                           |version:                                         |
|                           |                                                 |
|                           |  o All 4.15.x versions (Insight v. 9.0.x        |
|                           |    bundled)                                     |
|                           |                                                 |
|                           |  o All 4.16.x versions (Insight v. 9.0.x        |
|                           |    bundled)                                     |
|                           |                                                 |
|                           |  o All 4.17.x versions (Insight v. 9.0.x        |
|                           |    bundled)                                     |
|                           |                                                 |
|                           |  o All 4.18.x versions (Insight v. 9.0.x        |
|                           |    bundled)                                     |
|                           |                                                 |
|                           |  o All 4.19.x versions (Insight v. 9.1.0        |
|                           |    bundled)                                     |
+---------------------------+-------------------------------------------------+
|Fixed versions - Insight - |                                                 |
|     Asset Management      |8.9.3                                            |
|      Marketplace App      |                                                 |
+---------------------------+-------------------------------------------------+
|   Fixed versions - Jira   |                                                 |
|  Service Management Data  |4.20.0 (Insight v. 9.1.2 bundled)                |
|     Center and Server     |                                                 |
+---------------------------+-------------------------------------------------+
|         CVE ID(s)         |CVE-2018-10054                                   |
+---------------------------+-------------------------------------------------+

Summary of vulnerability

This advisory discloses a critical severity security vulnerability in versions
of the Insight - Asset Management app prior to 8.9.3. This app is bundled with
Jira Service Management Data Center and Server (known as Jira Service Desk
prior to 4.14) from version 4.15.0 onwards. All versions of Jira Service
Management Data Center and Server >= 4.15.0 and < 4.20 are impacted. Affected
versions of the Insight - Asset Management app and Jira Service Management Data
Center and Server are listed in the table above (see Affected Versions).

Jira Service Management Cloud customers aren't affected by this.
Customers who have upgraded to Jira Service Management version 4.20.0 or
Insight - Asset Management app version 8.9.3 aren't affected.

If you've downloaded and installed any versions listed in the Affected versions
section, you must upgrade your installations to fix this vulnerability. If you
are unable to upgrade immediately, apply the workaround detailed below while
you plan your upgrade.

CVE-2018-10054 - RCE in Insight - Asset Management impacting Jira Service
Management Data Center and Server

Severity

Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate, or low.

This is our assessment and you should evaluate its applicability to your own IT
environment.

Description

Insight - Asset Management has a feature to import data from several databases
(DBs). One of these DBs, the H2 DB, has a native function in its library which
an attacker can use to run code on the server (remote code execution a.k.a.
RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test
environments.

The combination of the DB import feature introduced by Insight - Asset
Management with the existing Jira H2 DB library exposed this vulnerability. The
vulnerability exists whether or not the import configuration was saved and even
if H2 was never used as a targeted DB. Accessing this vulnerability requires
the following:

  o The user must be an authenticated Jira user, AND

  o The user must hold, directly or via group membership, either of the
    following privileges within Insight - Asset Management:

      o "Insight administrator"
      o "Object Schema Manager"

Jira Service Management Data Center and Server versions 4.15.0 and greater have
Insight - Asset Management already bundled.
Jira Core (Server/DC), Jira Software (Server/DC), and Jira Service Management
(Server/DC) instances on versions <= 4.15 that use H2 DB without Insight -
Asset Management installed from the Marketplace aren't affected by this
vulnerability.

This issue can be tracked here: JSDSERVER-8716

Acknowledgments

The issue was discovered by Khoadha (l0gg) of Viettel Cyber Security via the 
Atlassian public bug bounty program.

Fix

We have taken the following steps to address this issue:

 1. Released version 4.20.0 of Jira Service Management Data Center and Server
    and version 8.9.3 of the Insight - Asset Management app, which prevent the
    import feature from connecting to any H2 DB.

What you need to do

Atlassian recommends that you upgrade to the latest fix version but if you
can't, you should follow the mitigation steps. For a full description of the
latest version of Jira Service Management and Insight - Asset Management, see
the Jira Service Management release notes.

Upgrade

Jira Service Management Data Center and Server

For Jira Service Management Data Center and Server versions 4.15.0 and greater,
upgrade to 4.20.0 by downloading it from our software downloads page. Note that
for these versions you can't upgrade only the Insight app from the Marketplace,
because the app is bundled with Jira Service Management Data Center and Server.

Insight - Asset Management app

For:

  o Jira Service Management Data Center and Server versions prior to version
    4.15.0,

  o Jira Core (Server/Data Center),

  o Jira Software (Server/Data Center),

upgrade the Insight - Asset Management app to version 8.9.3 (which disables the
connection to any H2 DB) by downloading it from the Atlassian Marketplace.

Consider compatibility with Jira as well. The fix version (8.9.3) of the app is
compatible with:

+-----------+---------------------------------------------------+
|App version|             Application compatibility             |
+-----------+---------------------------------------------------+
|           |Server:                                            |
|           |                                                   |
|           |  o Jira Core Server 8.12.0 - 8.20                 |
|           |                                                   |
|           |  o Jira Software Server 8.12.0 - 8.20             |
|           |                                                   |
|           |  o Jira Service Management Server 4.12 - 4.14     |
|8.9.3      |                                                   |
|           |Data Center:                                       |
|           |                                                   |
|           |  o Jira Core Data Center 8.12.0 - 8.20            |
|           |                                                   |
|           |  o Jira Software Data Center 8.12.0 - 8.20        |
|           |                                                   |
|           |  o Jira Service Management Data Center 4.12 - 4.14|
+-----------+---------------------------------------------------+

If you're running any other version, you must first upgrade to a version that
is compatible with the 8.9.3 app (read our security bug fix policy for
details). For example, if you're running Jira version 8.7.2 with the Insight -
Asset Management app version 8.4.1, you must first upgrade to Jira version
8.12.0 or greater to be able to install the Insight - Asset Management app
version 8.9.3. If you can't upgrade immediately, follow the mitigation steps
below.

Mitigation

If you're unable to upgrade to the latest version immediately, then as a
temporary workaround, you can mitigate the issue by deleting the H2 JAR file
that ships with the Jira installation.


The mitigation steps below will prevent any instances currently using H2 from
starting up. You must migrate from the H2 database to any of the other 
supported database types prior to implementing the mitigation steps in order to
keep using the instance.

H2 databases have never been supported in production environments.

For guidance on how to migrate databases, see Switching databases.


To remove the H2 JAR file:

 1. Shut down Jira

 2. Go to <Jira-Installation-Directory>/atlassian-jira/WEB-INF/lib/

 3. Locate the h2-1.4.XYZ.jar file and delete it (where "XYZ" is a placeholder
    for the version of the file, e.g. h2-1.4.200.jar)

 4. Start Jira again

In a Data Center environment, a rolling restart of the nodes is sufficient
after deleting the JAR file.
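The mitigation above, scripted as an added example (not part of the Atlassian advisory): it refuses to act while the instance is still configured for H2, then moves every h2-1.4.*.jar out of WEB-INF/lib into a quarantine directory instead of deleting it, so the file can be restored if needed. The JIRA_HOME/dbconfig.xml check, the "h2" database-type value and the quarantine directory are this example's assumptions; the advisory only names the WEB-INF/lib path and the h2-1.4.XYZ.jar file name. Run it with Jira shut down, then start Jira again.

```shell
#!/bin/sh
# Added example, not vendor code. Quarantine the H2 JAR named in the
# advisory's mitigation after checking that Jira no longer runs on H2.
#
# Usage: quarantine_h2_jar <jira-install-dir> <jira-home-dir> <quarantine-dir>
# Returns 0 when WEB-INF/lib is free of H2 JARs on exit, 2 when the instance
# still uses H2 (nothing is touched), 1 when the lib directory is missing.
quarantine_h2_jar() {
    install_dir=$1; home_dir=$2; quarantine=$3
    lib="$install_dir/atlassian-jira/WEB-INF/lib"
    [ -d "$lib" ] || { echo "no lib directory at $lib" >&2; return 1; }

    # Precondition from the advisory: an instance still running on H2 will not
    # start without the JAR, so refuse while dbconfig.xml selects h2.
    # (Assumed: JIRA_HOME/dbconfig.xml containing <database-type>h2</database-type>.)
    if [ -f "$home_dir/dbconfig.xml" ] &&
       grep -q '<database-type>h2</database-type>' "$home_dir/dbconfig.xml"; then
        echo "instance still uses H2; migrate to a supported database first" >&2
        return 2
    fi

    mkdir -p "$quarantine"
    found=0
    for jar in "$lib"/h2-1.4.*.jar; do
        [ -e "$jar" ] || continue      # glob matched nothing
        found=1
        echo "quarantining $jar"
        mv -- "$jar" "$quarantine/"
    done
    [ "$found" -eq 1 ] || echo "no H2 JAR present in $lib"

    # Verify the outcome: no file matching the H2 JAR name may remain.
    set -- "$lib"/h2-1.4.*.jar
    [ ! -e "$1" ]
}

# Run only when invoked with the three arguments; sourcing it defines the function.
if [ "$#" -eq 3 ]; then
    quarantine_h2_jar "$@"
fi
```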


Support

If you didn't receive an email for this advisory and you wish to receive such
emails in the future, go to https://my.atlassian.com/email and subscribe to
Alerts emails.

If you have questions or concerns regarding this advisory, raise a support
request at https://support.atlassian.com/.

Last modified on Oct 24, 2021

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================