Critical security vulnerability detected in Jira Data Center

Atlassian has published a security advisory for Jira Data Center (DC), covering Jira Software DC, Jira Core DC, and Jira Service Management DC.

Attention

This advisory discloses a critical severity security vulnerability in Jira Data Center, Jira Core DC, Jira Software DC, and Jira Service Management DC (known as Jira Service Desk before version 4.14). The flaw has been present since Jira Data Center 6.3.0 and Jira Service Management DC 2.0.2. Scroll down for the full list of affected versions.

Atlassian rates the severity of this vulnerability as critical. Jira Data Center, Jira Core DC, Jira Software DC, and Jira Service Management DC expose an Ehcache RMI network service. Because that service performed no authentication, an attacker who can connect to it on port 40001 (and potentially on port 40011) can execute arbitrary code on the node. Atlassian strongly advises restricting access to the Ehcache ports to Data Center cluster nodes only. The fixed versions of Jira additionally require a shared secret for access to the Ehcache service; the upgrade and the firewall restriction are complementary, since the shared secret protects the service while the firewall removes its reachability from untrusted networks.

If you are running any of the affected versions listed in this post, upgrade without delay.

Atlassian Cloud, Data Center, and Server customers

Atlassian Cloud is not affected by this vulnerability. Non-Data Center instances of Jira Server (Core and Software) and Jira Service Management Server are also unaffected.

If you have upgraded Jira DC, Jira Core DC, or Jira Software DC to one of the following versions:

8.5.16

8.13.8

8.17.0

and/or Jira Service Management Data Center to:

4.5.16

4.13.8

4.17.0

or higher, this advisory does not apply to you.

Versions of Jira DC, Jira Core DC, and Jira Software DC affected by this vulnerability are:

From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)

From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)

From version 8.14.0 before 8.17.0

The versions of Jira Service Management DC affected by this vulnerability are:

From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)

From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)

From version 4.14.0 before 4.17.0

Versions of affected products:

Jira DC, Jira Core DC, and Jira Software DC:

6.3.0 <= version < 8.5.16

8.6.0 <= version < 8.13.8

8.14.0 <= version < 8.17.0

Jira Service Management DC:

2.0.2 <= version < 4.5.16

4.6.0 <= version < 4.13.8

4.14.0 <= version < 4.17.0
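To put the ranges above to use during an inventory, here is an added example (not Atlassian's or Clearvision's code) that decides whether a given Jira DC or Jira Service Management DC version falls into one of the affected ranges and which fixed version closes that range. The product keys `jira` and `jsm`, the `data_center` flag, the function names and the sample inventory hostnames are this example's own assumptions; the version ranges are copied from the list above, and Server (non-DC) installs are reported as unaffected as the advisory states.

```python
"""Decide whether a Jira DC / Jira Service Management DC version is in an
affected range.  Added example, not Atlassian or Clearvision code."""
from typing import Optional

# [introduced, fixed) ranges per release line, copied from the advisory's list.
AFFECTED_RANGES = {
    "jira": [("6.3.0", "8.5.16"), ("8.6.0", "8.13.8"), ("8.14.0", "8.17.0")],
    "jsm":  [("2.0.2", "4.5.16"), ("4.6.0", "4.13.8"), ("4.14.0", "4.17.0")],
}


def version_key(version: str) -> tuple[int, ...]:
    """Turn '8.13.8' into (8, 13, 8); pad short versions so '8.13' sorts as 8.13.0."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def assess(product: str, version: str, data_center: bool = True) -> tuple[bool, Optional[str]]:
    """Return (affected, minimum fixed version for the range the version falls in).

    Only Data Center deployments expose the Ehcache RMI service, so Server
    installs are reported as unaffected regardless of version."""
    if product not in AFFECTED_RANGES:
        raise ValueError(f"unknown product {product!r}, expected one of {sorted(AFFECTED_RANGES)}")
    if not data_center:
        return False, None
    v = version_key(version)
    for introduced, fixed in AFFECTED_RANGES[product]:
        if version_key(introduced) <= v < version_key(fixed):
            return True, fixed
    return False, None


def triage(inventory: list[tuple[str, str, str, bool]]) -> list[str]:
    """One report line per (name, product, version, is_data_center) instance."""
    lines = []
    for name, product, version, dc in inventory:
        affected, fixed = assess(product, version, dc)
        verdict = f"AFFECTED, upgrade to {fixed} or later" if affected else "not affected"
        lines.append(f"{name}: {product} {version} {verdict}")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames are assumptions.
    sample = [
        ("jira-prod", "jira", "8.13.7", True),
        ("jira-dev", "jira", "8.13.7", False),   # Server install, not DC
        ("jsm-prod", "jsm", "4.14.0", True),
        ("jira-old", "jira", "7.13.0", True),
        ("jira-new", "jira", "8.17.1", True),
    ]
    print("\n".join(triage(sample)))
```

Versions older than the first LTS fix line (for example 7.13.0) are reported against 8.5.16, which matches the advisory's phrasing "from version 6.3.0 before 8.5.16"; the "What should I do?" section still recommends 8.17.0 where you can get there.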

Jira DC, Jira Core DC, and Jira Software DC:

All 6.3.x, 6.4.x versions

All 7.0.x, 7.1.x , 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x, 7.7.x, 7.8.x, 7.9.x, 7.10.x, 7.11.x, 7.12.x, 7.13.x versions

All 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x versions

All 8.5.x versions before 8.5.16

All 8.6.x, 8.7.x, 8.8.x, 8.9.x, 8.10.x, 8.11.x, 8.12.x versions

All 8.13.x versions before 8.13.8

All 8.14.x, 8.15.x, 8.16.x versions

Jira Service Management DC:

All 2.x.x versions from 2.0.2 onwards

All 3.x.x versions

All 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x versions

All 4.5.x versions before 4.5.16

All 4.6.x, 4.7.x, 4.8.x, 4.9.x, 4.10.x, 4.11.x, 4.12.x versions

All 4.13.x versions before 4.13.8

All 4.14.x, 4.15.x, 4.16.x versions

Jira DC, Jira Core DC, and Jira Software DC fixed versions:

Version 8.5.16 for 8.5.x LTS

Version 8.13.8 for 8.13.x LTS

Version 8.17.0

Jira Service Management DC fixed versions:

Version 4.5.16 for 4.5.x LTS

Version 4.13.8 for 4.13.x LTS

Version 4.17.0

What should I do?

Atlassian recommends taking the following actions:

  • Upgrade Jira Data Center to version 8.17.0 or higher.
  • If you cannot upgrade to 8.17.0, then upgrade to 8.5.16 or 8.13.8.
  • Upgrade Jira Service Management Data Center to version 4.17.0 or higher.
  • If you cannot upgrade to 4.17.0, then upgrade to 4.5.16 or 4.13.8.

Restrict access to the Ehcache RMI ports of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center so that only cluster nodes can reach them, using firewalls or similar controls.

Note: Data Center cluster nodes still need to be able to connect to the Ehcache ports of the other cluster nodes, so the rules must allow node-to-node traffic while blocking every other source.

In Jira DC, Jira Core DC, and Jira Software DC versions 7.13.1 and above, the ports that need to be restricted to cluster instances are:

  • Port 40001.
  • Port 40011.
  • If you’ve changed from the default Ehcache RMI ports after installing Jira DC, then you need to restrict access to cluster instances to the specific ports that you’ve configured Ehcache RMI to use.

In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions 7.13.0 and below, ports that need to be restricted to cluster instances include:

  • Port 40001.
  • Port 40011.
  • Ports in the range 1024-65535 (in versions 7.3.1 and above there is a workaround that avoids having to restrict this whole range).
  • If you have changed from the default Ehcache RMI ports after installing Jira Data Center, you need to restrict access to cluster instances to the specific ports that you have configured Ehcache RMI to use.

In Jira Service Management Data Center versions 3.16.1 and above, ports that need to be restricted to cluster instances are:

  • Port 40001.
  • Port 40011.
  • If you have changed from the default Ehcache RMI ports after installing Jira Service Management DC, you must restrict access to cluster instances to the specific ports you have configured Ehcache RMI to use.

In Jira Service Management Data Center versions 3.16.0 and below, ports that need to be restricted are:

  • Port 40001.
  • Port 40011.
  • Ports in the range 1024-65535 (in versions 3.3.1 and above there is a workaround that avoids having to restrict this whole range).
  • If you have changed from the default Ehcache RMI ports after installing Jira Service Management DC, you need to restrict access to cluster instances to the specific ports that you have configured Ehcache RMI to use.
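Once the firewall rules are in place, confirm from a host that is not a cluster node that the Ehcache RMI ports no longer answer. The following is an added example, not code from Atlassian or Clearvision, that sends the standard Java RMI stream-protocol handshake (the bytes `JRMI`, version 2, protocol byte 0x4b) to each port and classifies the reply. A ProtocolAck (0x4e) means an RMI endpoint is reachable from where you are standing, which is exactly the exposure the advisory tells you to remove; "refused" or "filtered" is what you want to see from outside the cluster, and an ack between two cluster nodes is expected. The `fake_rmi_listener` helper is a constructed stand-in so the script can be exercised offline, and the node name in the demo comment is an assumption. The probe tests network reachability only: it does not tell you whether the shared-secret fix is installed, so it complements the version check rather than replacing it.

```python
"""Probe Jira DC Ehcache RMI ports for reachability.
Added example, not Atlassian or Clearvision code."""
import socket
import struct
import threading
from dataclasses import dataclass

# Java RMI stream-protocol handshake constants (java.rmi.transport.TransportConstants).
RMI_MAGIC = b"JRMI"
RMI_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F

# Default Ehcache RMI ports named in the advisory (listener port and object port).
DEFAULT_PORTS = (40001, 40011)


@dataclass
class ProbeResult:
    host: str
    port: int
    status: str  # refused | filtered | error | rmi-ack | rmi-nack | open-not-rmi | open-no-reply
    detail: str = ""

    @property
    def exposed(self) -> bool:
        """True when an RMI endpoint answered, i.e. the port is reachable from this host."""
        return self.status in ("rmi-ack", "rmi-nack")


def build_handshake() -> bytes:
    """Bytes an RMI client sends first: magic "JRMI", big-endian version 2, protocol 0x4b."""
    return RMI_MAGIC + struct.pack(">H", RMI_VERSION) + bytes([STREAM_PROTOCOL])


def ack_bytes(host: str, port: int) -> bytes:
    """What an RMI endpoint replies: ProtocolAck, then writeUTF(host) and a 4-byte int port."""
    h = host.encode("utf-8")
    return bytes([PROTOCOL_ACK]) + struct.pack(">H", len(h)) + h + struct.pack(">i", port)


def parse_reply(data: bytes) -> tuple[str, str]:
    """Classify the first bytes the server sent back after our handshake."""
    if not data:
        return "open-no-reply", "port open, nothing sent back"
    if data[0] == PROTOCOL_NACK:
        return "rmi-nack", "RMI endpoint answered but rejected the stream protocol"
    if data[0] != PROTOCOL_ACK:
        return "open-not-rmi", f"not RMI, first bytes {data[:8]!r}"
    if len(data) >= 3:
        (hlen,) = struct.unpack(">H", data[1:3])
        if len(data) >= 7 + hlen:
            host = data[3:3 + hlen].decode("utf-8", "replace")
            (port,) = struct.unpack(">i", data[3 + hlen:7 + hlen])
            return "rmi-ack", f"{host}:{port}"  # the endpoint the server believes we are
    return "rmi-ack", "ack received, endpoint truncated"


def probe(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Connect, send the handshake, and report what came back."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ProbeResult(host, port, "refused", "RST: nothing listening or firewall rejects")
    except (socket.timeout, TimeoutError):
        return ProbeResult(host, port, "filtered", "no answer within timeout: likely dropped by a firewall")
    except OSError as exc:
        return ProbeResult(host, port, "error", str(exc))
    with conn:
        try:
            conn.sendall(build_handshake())
            data = conn.recv(256)
        except (socket.timeout, TimeoutError):
            data = b""
        except OSError as exc:
            return ProbeResult(host, port, "error", str(exc))
    return ProbeResult(host, port, *parse_reply(data))


def scan(host: str, ports=DEFAULT_PORTS, timeout: float = 3.0) -> list[ProbeResult]:
    return [probe(host, p, timeout) for p in ports]


def fake_rmi_listener(reply: bytes) -> int:
    """Constructed stand-in for an Ehcache RMI endpoint so the probe can be tried
    offline: accepts one connection on 127.0.0.1, reads the handshake, sends reply.
    Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            conn.recv(64)
            conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demo against the stand-in.  For a real check, run scan("<cluster node>") from a
    # non-cluster host; the node name (e.g. jira-node1.example.internal) is assumed.
    p = fake_rmi_listener(ack_bytes("10.0.0.5", 40001))
    for r in scan("127.0.0.1", (p,)):
        print(f"{r.host}:{r.port} {r.status} ({r.detail}) exposed={r.exposed}")
```

Run it from a workstation or an application server that is not a Jira node against each node's address and each port you have configured. "refused" and "filtered" both indicate the restriction is working; "open-not-rmi" means something else is on the port and worth a look; any "rmi-ack" from outside the cluster means the firewall change has not taken effect for that path.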

Contact Clearvision consultants for help now.
