Atlassian Jira Security Alert

Atlassian have recently discovered a security vulnerability in JIRA that has a severity level of high (not critical). To fix this vulnerability, you should follow the instructions in the security advisory below. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. JIRA Studio is not vulnerable to any of the issues described in this advisory.

Atlassian is committed to improving product security. For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2011-02-21. If you have any questions or concerns about this security vulnerability or about our policy of disclosure of security vulnerabilities, please visit our page on Atlassian security policies (http://confluence.atlassian.com/display/Support/Atlassian+Security+Policies) or raise a support request at http://support.atlassian.com/.

Severity --

Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues (http://confluence.atlassian.com/display/JIRA/Severity+Levels+for+Security+Issues). The scale allows us to rank a vulnerability as critical, high, moderate or low. This vulnerability is not critical. This is an independent assessment and you should evaluate its applicability to your own IT environment.

Risk Assessment --

Parameter-based redirection vulnerabilities allow an attacker to craft a JIRA URL in such a way that a user clicking on this URL will be redirected to a different web site. This can be used for phishing. You can read more about link manipulation attacks at Wikipedia (https://secure.wikimedia.org/wikipedia/en/wiki/Phishing#Link_manipulation), and about phishing at Fraud.org (http://www.fraud.org/tips/internet/phishing.htm) and other places on the web.

Vulnerability --

Some actions in JIRA redirect users to a new page after the action has been completed. It was possible to hand-craft a URL that would redirect to a site outside the current instance of JIRA. Starting with JIRA 4.2.2, all such redirections are limited to pages inside the current instance of JIRA. All versions of JIRA prior to 4.2.2 are affected.

Risk Mitigation --

We recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.

Fix --

These issues have been fixed in JIRA 4.2.2 (http://confluence.atlassian.com/display/JIRA/JIRA+4.2.2+Release+Notes) and later. The latest version of JIRA is currently 4.2.4.

Clearvision is an official Atlassian partner and provides Atlassian Support to customers throughout the world. Clearvision specialises in Atlassian GreenHopper Training, Atlassian GreenHopper User Support, Atlassian Products such as our Subversion JIRA integration (JIRA2SVN) and Atlassian GreenHopper Consulting. Clearvision works with all Atlassian products including Atlassian JIRA, Atlassian Confluence, Atlassian Crucible, Atlassian Crowd, Atlassian FishEye, Atlassian Bamboo and Atlassian GreenHopper.
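The fix described above, restricting post-action redirects to pages inside the current instance, comes down to validating the redirect target before issuing the redirect. The following is an added example illustrating that kind of check; it is not Atlassian's code and does not reflect how JIRA 4.2.2 implements it. The instance URL, function names and sample targets are constructed for the example. It resolves the target against the instance base URL and then requires the same scheme, host and effective port and a path under the instance's context path, which also covers the common bypass shapes (protocol-relative targets, userinfo in the authority, look-alike hostnames, dot segments and backslashes).

```python
"""Validate a redirect target so it stays inside one JIRA instance.

Added example, not Atlassian's or JIRA's code. The instance base URL,
function names and sample targets below are constructed assumptions.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    # Explicit port if one was given, otherwise the scheme's default port.
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def is_internal_redirect(target: str, instance_base: str) -> bool:
    """Return True only if `target` resolves to a page under `instance_base`.

    Rejects absolute URLs to other hosts, protocol-relative targets (//host),
    userinfo tricks (host@other), scheme changes, non-default ports, paths
    that escape the context path, and dot-segment or backslash obfuscation.
    """
    if not target or target != target.strip():
        return False
    # Backslashes and control characters are normalised differently by browsers
    # and parsers, so refuse them rather than guess how they will be interpreted.
    if any(ch in target for ch in "\\\r\n\t"):
        return False

    base = urlsplit(instance_base)
    base_path = base.path if base.path.endswith("/") else base.path + "/"
    try:
        # Relative targets are resolved against the instance; absolute ones are kept.
        resolved = urlsplit(urljoin(instance_base, target))
        if resolved.scheme != base.scheme or resolved.scheme not in DEFAULT_PORTS:
            return False
        # .hostname is lower-cased and excludes any userinfo and port.
        if resolved.hostname != base.hostname:
            return False
        if _effective_port(resolved) != _effective_port(base):
            return False
    except ValueError:
        # Malformed authority or port: treat as unsafe.
        return False
    # urljoin only removes dot segments from relative targets; reject them elsewhere.
    if any(seg in (".", "..") for seg in resolved.path.split("/")):
        return False
    # The path must sit at or under the instance's context path.
    return resolved.path == base_path.rstrip("/") or resolved.path.startswith(base_path)


def safe_redirect_target(target: str, instance_base: str) -> str:
    """Return `target` if it is internal, otherwise fall back to the instance root."""
    return target if is_internal_redirect(target, instance_base) else instance_base


if __name__ == "__main__":
    # Constructed instance URL and sample targets.
    BASE = "https://jira.example.com/jira/"
    SAMPLES = [
        "/jira/browse/PROJ-1",
        "browse/PROJ-1",
        "https://evil.example/login",
        "//evil.example/login",
        "https://jira.example.com@evil.example/jira/",
        "https://jira.example.com.evil.example/jira/",
        "/jira/../admin",
    ]
    for sample in SAMPLES:
        print(f"{sample!r:55} -> {safe_redirect_target(sample, BASE)}")
```

Each rejected target falls back to the instance root instead of being echoed back, so a crafted link still lands the user inside the instance. The same check belongs on every parameter that feeds a redirect, not only the one a reporter happened to find.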