-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2022.3163.2
         CVE-2022-26135 - Full-Read Server Side Request Forgery in
               Mobile Plugin for Jira Data Center and Server
                                1 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jira Core Server
                   Jira Software Server
                   Jira Software Data Center
                   Jira Service Management Server
                   Jira Service Management Data Center
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26135  

Original Bulletin: 
   https://confluence.atlassian.com/jira/jira-server-security-advisory-29nd-june-2022-1142430667.html

Comment: CVSS (Max):  None available when published

Revision History:  July  1 2022: Vendor updated the Mitigation section
                   June 30 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

+-------------+---------------------------------------------------------------+
|   Summary   |CVE-2022-26135 - Full-Read Server Side Request Forgery in      |
|             |Mobile Plugin for Jira Data Center and Server                  |
+-------------+---------------------------------------------------------------+
|  Advisory   |29 Jun 2022 10:00 AM PDT (Pacific Time, -7 hours)              |
|Release Date |                                                               |
+-------------+---------------------------------------------------------------+
|             |Jira:                                                          |
|             |                                                               |
|             |  o Jira Core Server                                           |
|             |  o Jira Software Server                                       |
|   Product   |  o Jira Software Data Center                                  |
|             |                                                               |
|             |Jira Service Management (JSM):                                 |
|             |                                                               |
|             |  o Jira Service Management Server                             |
|             |  o Jira Service Management Data Center                        |
+-------------+---------------------------------------------------------------+
|             |Jira Core Server, Jira Software Server, and Jira Software Data |
|             |Center:                                                        |
|             |                                                               |
|             |  o Versions after 8.0 and before 8.13.22                      |
|             |  o 8.14.x                                                     |
|             |  o 8.15.x                                                     |
|             |  o 8.16.x                                                     |
|             |  o 8.17.x                                                     |
|             |  o 8.18.x                                                     |
|             |  o 8.19.x                                                     |
|             |  o 8.20.x before 8.20.10                                      |
|             |  o 8.21.x                                                     |
|             |  o 8.22.x before 8.22.4                                       |
|  Affected   |                                                               |
|  Versions   |Jira Service Management Server and Data Center:                |
|             |                                                               |
|             |  o Versions after 4.0 and before 4.13.22                      |
|             |  o 4.14.x                                                     |
|             |  o 4.15.x                                                     |
|             |  o 4.16.x                                                     |
|             |  o 4.17.x                                                     |
|             |  o 4.18.x                                                     |
|             |  o 4.19.x                                                     |
|             |  o 4.20.x before 4.20.10                                      |
|             |  o 4.21.x                                                     |
|             |  o 4.22.x before 4.22.4                                       |
|             |                                                               |
|             |Jira Cloud and Jira Service Management Cloud are not affected. |
+-------------+---------------------------------------------------------------+
|             |Jira Core Server, Jira Software Server, and Jira Software Data |
|             |Center:                                                        |
|             |                                                               |
|             |  o 8.13.x >= 8.13.22                                          |
|             |  o 8.20.x >= 8.20.10                                          |
|             |  o 8.22.x >= 8.22.4                                           |
|    Fixed    |  o 9.0.0                                                      |
|  Versions   |                                                               |
|             |Jira Service Management Server and Data Center:                |
|             |                                                               |
|             |  o 4.13.x >= 4.13.22                                          |
|             |  o 4.20.x >= 4.20.10                                          |
|             |  o 4.22.x >= 4.22.4                                           |
|             |  o 5.0.0                                                      |
+-------------+---------------------------------------------------------------+
|  CVE ID(s)  |CVE-2022-26135                                                 |
+-------------+---------------------------------------------------------------+

Summary of Vulnerability

This advisory discloses a high severity security vulnerability.

Jira Server and Data Center versions before 8.13.22, from version 8.14.0 before
8.20.10, and from version 8.21.0 before 8.22.4 are affected by this
vulnerability.

Jira Service Management Server and Data Center versions before 4.13.22, from
version 4.14.0 before 4.20.10, and from version 4.21.0 before 4.22.4 are
affected by this vulnerability.

+-----------------------------------------------------------------------------+
|Atlassian Cloud sites are not affected.                                      |
|                                                                             |
|If your Jira site is accessed via an atlassian.net domain, you are not       |
|affected by the vulnerability.                                               |
+-----------------------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|Customers who have upgraded to version 8.13.22, 8.20.10, 8.22.4, or 9.0.0 of |
|Jira Server or Data Center are not affected.                                 |
|                                                                             |
|Customers who have upgraded to version 4.13.22, 4.20.10, 4.22.4, or 5.0.0 of |
|Jira Service Management Server or Data Center are not affected.              |
+-----------------------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|Customers who have downloaded and installed any versions listed in affected  |
|versions must upgrade their installations to fix this vulnerability.         |
|                                                                             |
|Please upgrade your installations immediately.                               |
+-----------------------------------------------------------------------------+
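The affected ranges above, encoded as an added triage helper written for this
bulletin (example code, not Atlassian's): it parses a Jira or JSM version string
and reports whether it falls inside an affected range, so a fleet inventory can
be checked offline. The lower bound follows the summary wording ("before
8.13.22" / "before 4.13.22"), so versions older than 8.0 / 4.0, which the table
does not list, are also reported as affected. The host inventory in the
`__main__` block is constructed.

```python
"""Offline triage for CVE-2022-26135 (added example, not Atlassian's code).

Ranges are transcribed from the advisory: (lower-inclusive, upper-exclusive)
pairs; a lower bound of None means "any earlier version".
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

_AFFECTED = {
    # Jira Core Server, Jira Software Server, Jira Software Data Center
    "jira": [
        (None, (8, 13, 22)),
        ((8, 14, 0), (8, 20, 10)),
        ((8, 21, 0), (8, 22, 4)),
    ],
    # Jira Service Management Server and Data Center
    "jsm": [
        (None, (4, 13, 22)),
        ((4, 14, 0), (4, 20, 10)),
        ((4, 21, 0), (4, 22, 4)),
    ],
}


def parse_version(text: str) -> Version:
    """Turn '8.20.10' (or '8.20.10-something') into a 3-part int tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(product: str, version: str) -> bool:
    """True when the given Jira ('jira') or JSM ('jsm') version is in an affected range."""
    v = parse_version(version)
    for lo, hi in _AFFECTED[product]:
        if (lo is None or v >= lo) and v < hi:
            return True
    return False


def first_fixed_in_line(product: str, version: str) -> Optional[str]:
    """Fixed release in the same feature line, if the advisory lists one.

    Lines with no fixed release (8.14-8.19, 8.21, and their JSM counterparts)
    require moving to 8.13.22 / 8.20.10 / 8.22.4 / 9.0.0 or the JSM equivalents.
    """
    v = parse_version(version)
    if not is_affected(product, version):
        return None
    for lo, hi in _AFFECTED[product]:
        if v[:2] == hi[:2]:
            return ".".join(str(x) for x in hi)
    return None


def triage(inventory: List[Tuple[str, str, str]]):
    """Return [(host, product, version, affected, fixed_in_line)] for an inventory list."""
    return [(h, p, ver, is_affected(p, ver), first_fixed_in_line(p, ver))
            for h, p, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("jira-prod-1", "jira", "8.20.9"),
        ("jira-prod-2", "jira", "8.22.4"),
        ("jsm-legacy", "jsm", "4.13.21"),
        ("jira-old", "jira", "8.17.1"),
        ("jira-new", "jira", "9.0.0"),
    ]
    for row in triage(sample):
        print(row)
```

`first_fixed_in_line` returns None for an affected version whose feature line has
no fixed release (for example 8.17.x), which is the case where only a cross-line
upgrade or the Mobile Plugin workaround below applies.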

CVE-2022-26135 Full Read SSRF in Jira Server

Description

A full-read server-side request forgery exists in Mobile Plugin for Jira, which
is bundled with Jira and Jira Service Management. "Full read" means the body of
the forged response is returned to the caller, so the flaw can be used to read
data from internal services rather than merely to trigger requests. It is
exploitable by any authenticated user, including one who self-registered
through the sign-up feature, so instances with public sign-up enabled are in
practice exposed to anyone who can reach them. It specifically affects the batch
HTTP endpoint used by Mobile Plugin for Jira: both the HTTP method and the
target URL of the forwarded request are controlled through the method parameter
in the body of the vulnerable endpoint.

All versions of Jira and Jira Service Management prior to the fixed version
listed above are affected by this vulnerability. These issues can be tracked
here:

  o JRASERVER-73863
  o JSDSERVER-11840

This does not affect the other System app named Jira Mobile.

Severity

Atlassian rates the severity level of this vulnerability as high, according to
the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, medium, or low.

Depending on the environment the Jira instance is deployed in, the impact of
this bug varies. For example, when deployed in AWS, it could leak sensitive
credentials, such as the IAM role credentials that the EC2 instance metadata
service returns to any request originating from the instance; more generally,
any internal service reachable from the Jira host is exposed to a full-read SSRF.

This is our assessment and you should evaluate its applicability to your own IT
environment.

Acknowledgements

We would like to acknowledge Shubham Shah and Dylan Pindur of Assetnote for
finding this vulnerability.

Fix

To address this issue, we have released:

  o Jira Core Server, Jira Software Server, and Jira Software Data Center
    versions:
      o 8.13.22
      o 8.20.10
      o 8.22.4
      o 9.0.0
  o Jira Service Management Server and Data Center versions:
      o 4.13.22
      o 4.20.10
      o 4.22.4
      o 5.0.0

You can download the latest versions from the download pages for Jira Core,
Jira Software, or Jira Service Management.

Please note, these are the first versions that include the fix for
CVE-2022-26135. More current bug fix releases are available for the releases
listed above. Atlassian recommends upgrading to the most current bug fix
version.

Mitigation

Installing a fixed version of Jira or Jira Service Management is the surest way
to remediate CVE-2022-26135. If you are unable to immediately upgrade Jira or
Jira Service Management, then as a temporary workaround, you can manually
upgrade Mobile Plugin for Jira Data Center and Server
(com.atlassian.jira.mobile.jira-mobile-rest) to the versions specified in this
section (or disable the plugin).

The following versions of the Mobile Plugin for Jira app contain a fix for this
issue:

  o 3.1.5 (compatible only with Jira 8.13.x and JSM 4.13.x)
  o 3.2.15 (compatible only with Jira 8.20.x - 8.22.x and JSM 4.20.x - 4.22.x)

If you're either on Jira 8.13.x or JSM 4.13.x and have previously upgraded
beyond the default app version of 3.1.x, upgrading to 3.1.5 will effectively
roll back any bug-fixes and features introduced in later versions, including
JSM support.

How to upgrade the app to the fixed 3.1.5 version (from 3.2.x)

 1. Download the fixed version (3.1.5) of the app (you'll save this as a JAR
    file) from the Atlassian Marketplace
 2. During a maintenance window
     1. Shut down Jira (all nodes if you have Data Center installed)
     2. Remove plugin.<value>.jira-mobile-rest-3.2.x.jar from:
         1. Server: <Jira Home>/plugins/installed-plugins
         2. Data Center: <Shared Home>/plugins/installed-plugins
     3. Start Jira
     4. Navigate to Admin > Manage Apps
     5. Select Upload app
     6. Select the JAR file you downloaded in Step 1

How to upgrade the app

Scenario A: User-installed apps

If you find the "Mobile Plugin for Jira" app located in the User-installed apps
section, you can just click Update to get the latest version.

Scenario B: System apps

If you find the "Mobile Plugin for Jira" app located in the System apps
section, follow these instructions to manually update the app (no restart
required!):

 1. Download a fixed version of the app (you'll save this as a JAR file) from
    the Atlassian Marketplace that is compatible with your Jira version
 2. During a maintenance window:
     1. Navigate to Admin > Manage Apps
     2. Select Upload app
     3. Select the JAR file you downloaded in Step 1
 3. After the install, the new version will be displayed as a user-installed
    app instead of a system app.

  o The previous JAR file can remain in the directory
    <Jira Install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins without
    further action.
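A check that the workaround actually took effect, as an added example written
for this bulletin (not Atlassian's code): it lists the Mobile Plugin for Jira
JARs under <Jira Home or Shared Home>/plugins/installed-plugins and under
<Jira Install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins, extracts the
version from each filename, and compares it with the fixed plugin versions
(3.1.5 for the 3.1.x line, 3.2.15 for the 3.2.x line). The
plugin.<value>.jira-mobile-rest-<version>.jar filename comes from the advisory;
matching the bundled copy by the same jira-mobile-rest-<version>.jar suffix is
an assumption, and the directory layout and file names built by `demo()` are
constructed.

```python
"""Verify the CVE-2022-26135 plugin workaround on disk (added example, not Atlassian's code)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Matches 'plugin.<value>.jira-mobile-rest-3.2.15.jar' (installed-plugins naming from
# the advisory) and, by assumption, 'jira-mobile-rest-3.2.15.jar' in bundled-plugins.
_JAR_RE = re.compile(r"jira-mobile-rest-(\d+(?:\.\d+)*)\.jar$")

# First fixed plugin version per plugin line, from the Mitigation section.
FIXED_PLUGIN = {(3, 1): (3, 1, 5), (3, 2): (3, 2, 15)}


def vtuple(text: str) -> Version:
    return tuple(int(p) for p in text.split("."))


def find_plugin_jars(directory: Path) -> List[Tuple[Path, Version]]:
    """Return (path, version) for every Mobile Plugin JAR directly under directory."""
    found = []
    if not directory.is_dir():
        return found
    for entry in sorted(directory.iterdir()):
        m = _JAR_RE.search(entry.name)
        if entry.is_file() and m:
            found.append((entry, vtuple(m.group(1))))
    return found


def plugin_status(version: Version) -> str:
    """'fixed', 'vulnerable', or 'unknown' for plugin lines the advisory does not cover."""
    fixed = FIXED_PLUGIN.get(version[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


def check_install(plugin_home: Path, install_dir: Path) -> Dict[str, object]:
    """Assess the workaround state.

    plugin_home is <Jira Home> (Server) or <Shared Home> (Data Center). A JAR in
    plugins/installed-plugins is the user-installed app that replaces the bundled
    system app; the bundled copy may stay in place per the advisory.
    """
    installed = find_plugin_jars(plugin_home / "plugins" / "installed-plugins")
    bundled = find_plugin_jars(
        install_dir / "atlassian-jira" / "WEB-INF" / "atlassian-bundled-plugins")
    result: Dict[str, object] = {
        "installed": [(str(p), v, plugin_status(v)) for p, v in installed],
        "bundled": [(str(p), v, plugin_status(v)) for p, v in bundled],
        "mitigated": False,
        "notes": [],
    }
    notes: List[str] = result["notes"]  # type: ignore[assignment]
    if len(installed) > 1:
        notes.append("more than one mobile plugin JAR in installed-plugins; "
                     "remove the old 3.2.x JAR before uploading 3.1.5")
    elif len(installed) == 1:
        result["mitigated"] = plugin_status(installed[0][1]) == "fixed"
    elif bundled:
        # Nothing user-installed: the bundled system app is what Jira loads.
        result["mitigated"] = all(plugin_status(v) == "fixed" for _, v in bundled)
        notes.append("only the bundled copy is present")
    else:
        notes.append("no Mobile Plugin for Jira JAR found; app may be disabled or removed")
    return result


def demo() -> Dict[str, object]:
    """Build a constructed layout (not a real Jira install) and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        home, install = Path(tmp) / "jira-home", Path(tmp) / "jira-install"
        ip = home / "plugins" / "installed-plugins"
        bp = install / "atlassian-jira" / "WEB-INF" / "atlassian-bundled-plugins"
        ip.mkdir(parents=True)
        bp.mkdir(parents=True)
        (ip / "plugin.EXAMPLE.jira-mobile-rest-3.2.15.jar").touch()  # uploaded fixed app
        (bp / "jira-mobile-rest-3.2.9.jar").touch()  # constructed old bundled copy
        return check_install(home, install)


if __name__ == "__main__":
    print(demo())
```

Run `check_install` with the real home and install directories on each node
(all nodes of a Data Center cluster share the installed-plugins directory, but
each has its own bundled-plugins directory). A result of `"unknown"` means the
plugin line is not one the advisory lists; confirm it against the Marketplace
listing rather than assuming it is fixed.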

Support

If you did not receive an email for this advisory and you wish to receive such
emails in the future, go to https://my.atlassian.com/email and subscribe to
Alerts emails.

If you have questions or concerns regarding this advisory, please read our FAQ
for CVE-2022-26135. If you have further questions, please raise a support
request.

Last modified on Jul 01, 2022

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----