Atlassian advisory: Critical severity affecting Jira Service Desk & Data Center Revealed

On Wednesday 6th November, Atlassian announced a security advisory affecting Jira Service Desk (JSD) Server and Data Center, severity level: Critical.

Summary:            Jira Service Desk Server and Data Center - Authorisation Bypass
                    CVE-2019-15003 – Authorization bypass allows information disclosure
                    CVE-2019-15004 – URL path traversal allows information disclosure
Affected product:   Jira Service Desk Server and Jira Service Desk Data Center
Not affected:       Jira Service Desk Cloud
                    Jira Core or Jira Software on instances where Jira Service Desk is not installed
Affected versions:  version < 3.9.17
                    3.10.0 <= version < 3.16.10
                    4.0.0 <= version < 4.2.6
                    4.3.0 <= version < 4.3.5
                    4.4.0 <= version < 4.4.3
                    4.5.0 <= version < 4.5.1
Fixed versions:     3.9.17
                    3.16.10
                    4.2.6
                    4.3.5
                    4.4.3
                    4.5.1 (Latest Enterprise release)
CVE IDs:            CVE-2019-15003, CVE-2019-15004

Vulnerability Summary

This advisory discloses two critical severity security vulnerabilities (CVE-2019-15003 and CVE-2019-15004) in Jira Service Desk Server and Jira Service Desk Data Center. Versions before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected by these vulnerabilities.

Atlassian Cloud instances have been upgraded to a version of Jira Service Desk which does not have the issue described in this article.

Customers who’ve upgraded Jira Service Desk Server & Jira Service Desk Data Center to versions 3.9.17, 3.16.10, 4.2.6, 4.3.5, 4.4.3, or 4.5.1 are not affected.

If you’ve downloaded and installed any of the following Jira Service Desk Server or Jira Service Desk Data Center versions, you’ll need to perform an upgrade immediately to fix the vulnerabilities:

- All versions before 3.9.17
- 3.10.x
- 3.11.x
- 3.12.x
- 3.13.x
- 3.14.x
- 3.15.x
- 3.16.x before 3.16.10 (the fixed version for 3.16.x)
- 4.0.x
- 4.1.x
- 4.2.x before 4.2.6 (the fixed version for 4.2.x)
- 4.3.x before 4.3.5 (the fixed version for 4.3.x)
- 4.4.x before 4.4.3 (the fixed version for 4.4.x)
- 4.5.x before 4.5.1 (the fixed version for 4.5.x)
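To check an installed Jira Service Desk version against the affected ranges listed above, here is an added Python example (not part of the advisory or of any Atlassian tooling); the version bounds are the ones the page gives, and the function names are my own.

```python
# Affected ranges as stated in the advisory: (inclusive lower bound, or None
# for "all versions before"; exclusive upper bound, which is the fixed release).
AFFECTED_RANGES = [
    (None, "3.9.17"),
    ("3.10.0", "3.16.10"),
    ("4.0.0", "4.2.6"),
    ("4.3.0", "4.3.5"),
    ("4.4.0", "4.4.3"),
    ("4.5.0", "4.5.1"),
]


def parse_version(text):
    """Turn 'x.y.z' into a comparable tuple of ints; missing parts count as 0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def affected_range(version):
    """Return the (low, high) range that contains 'version', or None if unaffected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or parse_version(low) <= v) and v < parse_version(high):
            return (low, high)
    return None


def is_affected(version):
    return affected_range(version) is not None


def minimum_fixed_version(version):
    """Smallest fixed release for 'version', i.e. the upper bound of its range.

    This is the minimal fix only; the compatibility matrix further down the page
    recommends 4.5.1 for 4.0.x and 4.1.x rather than 4.2.6.
    """
    rng = affected_range(version)
    return rng[1] if rng else None
```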

Authorisation bypass means information disclosure - CVE-2019-15003

Atlassian rates the severity level of this vulnerability as critical, in accordance with its severity level scale.

Note: Atlassian encourage customers to evaluate applicability according to individual IT environments.

JSD grants customer portal users permission to raise requests and view issues, so they can interact with the customer portal without having direct access to Jira. However, these restrictions can be bypassed by any attacker with portal access who exploits an authorisation bypass. By doing so an attacker can see all issues within Jira projects contained in the vulnerable instance, including Jira Service Desk projects, Jira Core projects, and Jira Software projects.

Note: All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected.

Did you know? Attackers can grant themselves access to Jira Service Desk portals that have the ‘anyone can email the service desk or raise a request in the portal’ setting enabled. Changing this permission does not remove the vulnerability to exploitation by an attacker who already has portal access. Atlassian does not recommend changing the permission; instead, do the following:

Mitigation

Those unable to upgrade JSD right away (or who are in the process of migrating to Jira Cloud) can do the following as a temporary workaround:

1. Block requests to Jira containing jspa, jspx, jsp at the reverse proxy or load balancer level, or alternatively, configure Jira to redirect requests containing jspa, jspx, jsp to a safe URL.

2. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

    <rule>
        <from>/servicedesk/.*\.jsp.*</from>
        <to type="temporary-redirect">/</to>
    </rule>

3. After saving the changes above, restart Jira.

Note: Once Jira Service Desk has been upgraded, the mitigation can be removed.

URL path traversal allows information disclosure - CVE-2019-15004

Atlassian rates the severity level of this vulnerability as critical, in accordance with its severity level scale.

However, you should evaluate applicability to your own IT environment.

Description

By design, Jira Service Desk gives customer portal users permission to raise requests and view issues, allowing them to interact with the customer portal without having direct access to Jira. These restrictions can be bypassed by any attacker with portal access who exploits a path traversal vulnerability. Exploitation allows an attacker to view all issues within Jira projects contained in the vulnerable instance, including Jira Service Desk projects, Jira Core projects, and Jira Software projects.

All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected.

As with CVE-2019-15003, Atlassian do not recommend changing the portal permission; instead:

Mitigation

If you are unable to upgrade Jira Service Desk immediately, or are in the process of migrating to Jira Cloud, then as a temporary workaround you can:

1. Block requests to Jira containing .. at the reverse proxy or load balancer level, or alternatively, configure Jira to redirect requests containing .. to a safe URL.

2. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

    <rule>
        <from>^/.*\.\..*$</from>
        <to type="temporary-redirect">/</to>
    </rule>

3. After saving the above, restart Jira.

Once Jira Service Desk has been upgraded, this mitigation can be removed.
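The two urlrewrite patterns above (the .jsp rule from the CVE-2019-15003 mitigation and the .. rule from the CVE-2019-15004 mitigation) can be exercised offline before they are deployed, and run over access logs from before the workaround was in place to see which requests they would have caught. This is an added Python example, not part of the advisory; the log format, sample lines and IP addresses are constructed, and percent-decoding before matching is added here beyond what the page's rules do.

```python
import re
from urllib.parse import unquote

# The two patterns from the urlrewrite.xml workarounds in the advisory.
JSP_RULE = re.compile(r"/servicedesk/.*\.jsp.*")
DOTDOT_RULE = re.compile(r"^/.*\.\..*$")

# Assumed log format: NCSA common log format (Tomcat AccessLogValve "common").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def matching_rules(target):
    """Names of the workaround rules a request target would trigger.

    The target is percent-decoded first (added here, beyond the page's rules): a
    filter that only inspects the raw URI never sees '%2e%2e' as '..'. Any query
    string is kept, which is deliberately broader than a path-only rewrite rule.
    """
    decoded = unquote(target)
    hits = []
    if JSP_RULE.search(decoded):
        hits.append("jsp")
    if DOTDOT_RULE.search(decoded):
        hits.append("dotdot")
    return hits

def triage_access_log(lines):
    """(ip, timestamp, target, status, rules) for every line the rules would catch.

    Run over logs from before the workaround or upgrade was applied; a matching
    request that got a 200 rather than a redirect deserves a closer look.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (rules := matching_rules(m["target"])):
            findings.append((m["ip"], m["ts"], m["target"], int(m["status"]), rules))
    return findings

# Constructed sample lines: documentation IP ranges, illustrative paths only.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Nov/2019:10:01:02 +0000] "GET /servicedesk/customer/portal/1 HTTP/1.1" 200 5120
203.0.113.5 - - [07/Nov/2019:10:01:09 +0000] "GET /servicedesk/customer/portal/1/page.jspa HTTP/1.1" 200 23041
203.0.113.5 - - [07/Nov/2019:10:01:15 +0000] "GET /servicedesk/customer/%2e%2e/anything HTTP/1.1" 200 9876
198.51.100.7 - - [07/Nov/2019:10:02:00 +0000] "GET /secure/attachment/10000/report..final.pdf HTTP/1.1" 200 41200
198.51.100.7 - - [07/Nov/2019:10:02:30 +0000] "GET /browse/PROJ-2 HTTP/1.1" 200 7000
""".splitlines()
```

Note that the .. rule matches any two consecutive dots, so a legitimate attachment name such as report..final.pdf is redirected as well; review hits rather than treating every one as an attack, and expect that false positive while the workaround is in place.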

Upgrading Jira Service Desk

Atlassian recommend upgrading to the latest version.

Bear in mind that an upgrade of JSD will require an upgrade of Jira Core. Please refer to the compatibility matrix below to find the equivalent version for your JSD version.

Using JSD version:              Upgrade to:
4.5.x                           4.5.1
4.4.x                           4.4.3
4.3.x                           4.3.5
4.2.x                           4.2.6
4.1.x                           4.5.1 (Recommended)
4.0.x                           4.5.1 (Recommended)
3.16.x                          3.16.10
3.9.x                           3.16.10 or 3.9.17
Older versions (before 3.9.x)   Current versions: 4.4.1, 4.3.4
                                Enterprise releases: 4.5.1 (Recommended), 3.16.10, 3.9.17

We’ve helped hundreds of organisations upgrade their mission-critical applications to the latest version and we’d love to help yours! Get in touch now.
