Atlassian advisory: Critical severity affecting Jira Service Desk & Data Center Revealed
Atlassian announced a critical severity security advisory affecting both Jira Service Desk Server and Data Center.
- November 6, 2019
Jira Service Desk Server and Data Center - Authorisation Bypass
CVE-2019-15003 – Authorization bypass allows information disclosure & CVE-2019-15004 – URL path traversal allows information disclosure.
Jira Service Desk Server and Jira Service Desk Data Center.
Jira Service Desk Cloud.
Jira Core or Jira Software on instances where Jira Service Desk is not installed.
version < 3.9.17
3.10.0 <= version < 3.16.10
4.0.0 <= version < 4.2.6
4.3.0 <= version < 4.3.5
4.4.0 <= version < 4.4.3
4.5.0 <= version < 4.5.1
3.9.17
3.16.10
4.2. 6
4.3. 5
4.4. 3
4.5.1 (Latest Enterprise release)
CVE-2019-15003, CVE-2019-15004
Vulnerability Summary
This advisory discloses two critical severity security vulnerabilities (CVE-2019-15003 and CVE-2019-15004) in Jira Service Desk Server and Jira Service Desk Data Center. Versions before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and 4.5.0 before 4.5.1 are affected by these vulnerabilities.
Atlassian Cloud instances have been upgraded to a version of Jira Service Desk which does not have the issue described in this article.
Customers who’ve upgraded Jira Service Desk Server & Jira Service Desk Data Center to versions 3.9.17, 3.16.10, 4.2.6, 4.3.5, 4.4.3, or 4.5.1 are not affected.
If you’ve downloaded and installed any of the following Jira Service Desk Server or Jira Service Desk Data Center versions, you’ll need to perform an upgrade immediately to fix the vulnerabilities:
All versions before 3.9.17
3.10.x
3.11.x
3.12.x
3.13.x
3.14.x
3.15.x
3.16.x before 3.16.10 (the fixed version for 3.16.x)
4.0.x
4.1.x
4.2.x before 4.2.6 (the fixed version for 4.2.x)
4.3.x before 4.3.5 (the fixed version for 4.3.x)
4.4.x before 4.4.3 (the fixed version for 4.4.x)
4.5.x before 4.5.1 (the fixed version for 4.5.x)
Authorisation bypass means information disclosure - CVE-2019-15003
Atlassian deemed the severity level of this vulnerability critical, in accordance with the severity level scale.
However, you should evaluate applicability to your own IT environment.
Description
By design, Jira Service Desk gives customer portal users permission to raise requests and view issues, allowing users to interact with the customer portal without having direct access into Jira. Such restrictions can be bypassed by an attacker with portal access who exploits a path traversal vulnerability. Exploitation allows an attacker to view all issues within Jira projects contained in the vulnerable instance, inclusive of Jira Service Desk projects, Jira Core projects, and Jira Software projects.
All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected.
Atlassian does not recommend changing the permission, instead:
Mitigation
If you are unable to upgrade Jira Service Desk immediately or are in the process of migrating to Jira Cloud, then as a temporary workaround, you can:
Block requests to Jira containing .. at the reverse proxy or load balance level, or alternatively, configure Jira to redirect requests containing .. to a safe URL
Add the following to the section of
[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:
^/.*\.\..*%%EDITORCONTENT%%lt;/from>
/
After saving the above, restart Jira.
Once Jira Service Desk has been upgraded, this mitigation can be removed.
URL path traversal allows information disclosure - CVE-2019-15004
Atlassian deemed the severity level of this vulnerability critical, in accordance with the severity level scale.
However, you should evaluate applicability to your own IT environment.
Description
By design, Jira Service Desk gives customer portal users permission to raise requests and view issues, allowing users to interact with the customer portal without having direct access into Jira. Such restrictions can be bypassed by an attacker with portal access who exploits a path traversal vulnerability. Exploitation allows an attacker to view all issues within Jira projects contained in the vulnerable instance, inclusive of Jira Service Desk projects, Jira Core projects, and Jira Software projects.
All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected.
Atlassian does not recommend changing the permission, instead:
Mitigation
If you are unable to upgrade Jira Service Desk immediately or are in the process of migrating to Jira Cloud, then as a temporary workaround, you can:
Block requests to Jira containing .. at the reverse proxy or load balance level, or alternatively, configure Jira to redirect requests containing .. to a safe URL
Add the following to the section of
[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:
^/.*\.\..*%%EDITORCONTENT%%lt;/from>
/
After saving the above, restart Jira.
Once Jira Service Desk has been upgraded, this mitigation can be removed.
Upgrading Jira Service Desk
Atlassian recommends upgrading to the latest version.
Bear in mind, an upgrade of JSD will require an upgrade of Jira Core. Please refer to the compatibility matrix below to find the equivalent version for your JSD version.
clearvisionwebmaster
Atlasssian expert resources
Visit our blog for expert news and articles from the Atlassian world. On our resources page you will find recorded webinars, white papers, podcasts, videos and more.
The Software Blog
Read our blog for articles offering best practice advice written by Atlassian experts, as well as the latest news concerning your software.
Software White Papers and Guides
Dive deep into Atlassian software with our white papers and guides on individual tools, partner products, services, and best practices, written by the experts.
Expert Webinars
All of our webinars are pre-recorded and available to watch on-demand. Enjoy everything from partner features to application demos and updates from Atlassian experts.
