Atlassian advisory: Critical severity affecting Jira Service Desk & Data Center Revealed

Atlassian announced a critical severity security advisory affecting both Jira Service Desk Server and Data Center.

Breaking News

Jira Service Desk Server and Data Center - Authorisation Bypass

CVE-2019-15003 – Authorization bypass allows information disclosure & CVE-2019-15004 – URL path traversal allows information disclosure.

Jira Service Desk Server and Jira Service Desk Data Center.

Jira Service Desk Cloud.

Jira Core or Jira Software on instances where Jira Service Desk is not installed.

version < 3.9.17

3.10.0 <= version < 3.16.10

4.0.0 <= version < 4.2.6

4.3.0 <= version < 4.3.5

4.4.0 <= version < 4.4.3

4.5.0 <= version < 4.5.1

3.9.17

 

3.16.10

 

4.2. 6

 

4.3. 5

 

4.4. 3

 

4.5.1 (Latest Enterprise release)

CVE-2019-15003, CVE-2019-15004

Vulnerability Summary

This advisory discloses two critical severity security vulnerabilities (CVE-2019-15003 and CVE-2019-15004) in Jira Service Desk Server and Jira Service Desk Data Center. Versions before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and 4.5.0 before 4.5.1 are affected by these vulnerabilities.

Atlassian Cloud instances have been upgraded to a version of Jira Service Desk which does not have the issue described in this article.

Customers who’ve upgraded Jira Service Desk Server & Jira Service Desk Data Center to versions 3.9.17, 3.16.10, 4.2.6, 4.3.5, 4.4.3, or 4.5.1 are not affected.

If you’ve downloaded and installed any of the following Jira Service Desk Server or Jira Service Desk Data Center versions, you’ll need to perform an upgrade immediately to fix the vulnerabilities:

All versions before 3.9.17

 

3.10.x

3.11.x

3.12.x

3.13.x

3.14.x

3.15.x

3.16.x before 3.16.10 (the fixed version for 3.16.x)

4.0.x

4.1.x

4.2.x before 4.2.6 (the fixed version for 4.2.x)

4.3.x before 4.3.5 (the fixed version for 4.3.x)

4.4.x before 4.4.3 (the fixed version for 4.4.x)

4.5.x before 4.5.1 (the fixed version for 4.5.x)

Authorisation bypass means information disclosure - CVE-2019-15003

Atlassian deemed the severity level of this vulnerability critical, in accordance with the severity level scale.

However, you should evaluate applicability to your own IT environment.

Description

By design, Jira Service Desk gives customer portal users permission to raise requests and view issues, allowing users to interact with the customer portal without having direct access into Jira. Such restrictions can be bypassed by an attacker with portal access who exploits a path traversal vulnerability. Exploitation allows an attacker to view all issues within Jira projects contained in the vulnerable instance, inclusive of Jira Service Desk projects, Jira Core projects, and Jira Software projects.

All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected.

Atlassian does not recommend changing the permission, instead:

Mitigation

If you are unable to upgrade Jira Service Desk immediately or are in the process of migrating to Jira Cloud, then as a temporary workaround, you can:

Block requests to Jira containing .. at the reverse proxy or load balance level, or alternatively, configure Jira to redirect requests containing .. to a safe URL

Add the following to the section of

[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

    

        ^/.*\.\..*%%EDITORCONTENT%%lt;/from>

        /

    

After saving the above, restart Jira.

Once Jira Service Desk has been upgraded, this mitigation can be removed.

URL path traversal allows information disclosure - CVE-2019-15004

Atlassian deemed the severity level of this vulnerability critical, in accordance with the severity level scale.

However, you should evaluate applicability to your own IT environment.

Description

By design, Jira Service Desk gives customer portal users permission to raise requests and view issues, allowing users to interact with the customer portal without having direct access into Jira. Such restrictions can be bypassed by an attacker with portal access who exploits a path traversal vulnerability. Exploitation allows an attacker to view all issues within Jira projects contained in the vulnerable instance, inclusive of Jira Service Desk projects, Jira Core projects, and Jira Software projects.

All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected.

Atlassian does not recommend changing the permission, instead:

Mitigation

If you are unable to upgrade Jira Service Desk immediately or are in the process of migrating to Jira Cloud, then as a temporary workaround, you can:

Block requests to Jira containing .. at the reverse proxy or load balance level, or alternatively, configure Jira to redirect requests containing .. to a safe URL

Add the following to the section of

[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

    

        ^/.*\.\..*%%EDITORCONTENT%%lt;/from>

        /

    

After saving the above, restart Jira.

Once Jira Service Desk has been upgraded, this mitigation can be removed.

Using JSD Version: Upgrade To:
4.5.x 4.5.1
4.4.x 4.4.3
4.3.x 4.3.5
4.2.x 4.2.6
4.1.x 4.5.1 (Recommended)
4.0.x 4.5.1 (Recommended)
3.16.x 3.16.10
3.9.x 3.16.10

3.9.17

Older versions (before 3.9.x) Current versions:

4.4.1

4.3.4

Enterprise releases:

4.5.1 (Recommended)

3.16.10

3.9.17

Upgrading Jira Service Desk

Atlassian recommends upgrading to the latest version.

Bear in mind, an upgrade of JSD will require an upgrade of Jira Core. Please refer to the compatibility matrix below to find the equivalent version for your JSD version.

Atlasssian expert resources

Visit our blog for expert news and articles from the Atlassian world. On our resources page you will find recorded webinars, white papers, podcasts, videos and more.

The Software Blog

Read our blog for articles offering best practice advice written by Atlassian experts, as well as the latest news concerning your software.

Software White Papers and Guides

Dive deep into Atlassian software with our white papers and guides on individual tools, partner products, services, and best practices, written by the experts.

Expert Webinars

All of our webinars are pre-recorded and available to watch on-demand. Enjoy everything from partner features to application demos and updates from Atlassian experts.

Subscribe to our newsletter

Atlassian solutions that free your teams

It teams