JIRA Security Advisory 2008-02-21

Added by Andrew Lui, last edited by Andreas Knecht on Feb 20, 2008  (view change)
JIRA Documentation

Index

In this advisory:

Security vulnerabilities

XSS vulnerability in Issue Actions

Severity

Atlassian rates this vulnerability as HIGH, according to the scale published by the SANS Institute. The scale allows us to rank a vulnerability as critical, high, moderate or low, as described in the SANS vulnerability analysis.

Risk Assessment

We have identified and fixed a security flaw which may affect JIRA instances in a public environment. This flaw is an XSS (cross-site scripting) vulnerability in JIRA's 'Saved Filter', 'Filter Statistics', 'Project Statistics' and '2D Filter Statistics' portlets. This potentially allows a malicious user (hacker) to create a shared filter with special JavaScript in the name, and then create a link to run the vulnerable portlets using the shared filter. If this link was sent to a user and clicked by the user, the special JavaScript would be executed in the user's session.

  • The hacker might take advantage of this flaw to steal other users' session cookies or other credentials, by sending the credentials back to the hacker's own web server.
  • The hacker could also gain control over the underlying system, based on the privileges of the user whose session cookie has been stolen, by using the jelly runner.
  • The hacker's text and script might be displayed to other people viewing the JIRA Dashboard. This is potentially damaging to your company's reputation.

Atlassian recommends that you upgrade to JIRA 3.12.2, or download the patch for JIRA 3.12.1, 3.11 or 3.10.2, to fix the vulnerabilities described below.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Risk Mitigation

If you judge it necessary, you can disable public access (i.e. anonymous access and public signup) to your JIRA system until you have applied the necessary patch or upgrade. For even tighter control, you could restrict JIRA access to trusted groups only.

Vulnerability

The 'Saved Filter', 'Filter Statistics', 'Project Statistics' and '2D Filter Statistics' portlets are affected. The name of a shared filter is not HTML-escaped when the the portlet is viewed.

Fix

The fix is to escape the name of a shared filter when run by the 'Saved Filter', 'Filter Statistics', 'Project Statistics' and '2D Filter Statistics' portlets, so that no content in the filter name is interpreted as HTML or CSS.

This issue has been fixed in JIRA 3.12.2. The fix is also provided as a patch for JIRA 3.12.1, 3.11 and 3.10.2. For more information, please see JRA-14277 and JRA-14357.


Available JIRA Patches

JIRA 3.12.1

The patches for JIRA 3.12.1 are available in the file jira_3_12_1_xss_patch.zip

Patch Zip File jira_3_12_1_xss_patch.zip
Patch Instructions jira_3_12_1_xss_patch_instructions.txt
Patch CheckSum jira_3_12_1_xss_patch.zip.md5

JIRA 3.12.1 can also be fixed by upgrading to JIRA 3.12.2

JIRA 3.11

The patches for JIRA 3.11 are available in the file jira_3_11_xss_patch.zip

Patch Zip File jira_3_11_xss_patch.zip
Patch Instructions jira_3_11_xss_patch_instructions.txt
Patch CheckSum jira_3_11_xss_patch.zip.md5

JIRA 3.10.2

The patches for JIRA 3.10 are available in the file jira_3_10_2_xss_patch.zip

Patch Zip File jira_3_10_2_xss_patch.zip
Patch Instructions jira_3_10_2_xss_patch_instructions.txt
Patch CheckSum jira_3_10_2_xss_patch.zip.md5

Please let us know what you think of the format of this security advisory and the information we have provided.

Labels:

Enter labels to add to this page:
Wait Image 
Looking for a label? Just start typing.

Comments (2)

 

  1. Feb 25, 2008

    John Orr says:

    The zip files for older versions unzip into \atlassianjira\WEBINF\templates\plug...

    The zip files for older versions unzip into

    \atlassian-jira\WEB-INF\templates\plugins\jira\portlets

    but the existing files are in

    \atlassian-jira\WEB-INFclasses\templates\plugins\jira\portlets

    I'm guessing the files in the patch actually need to overwrite the files in the WEB-INF\classes\... directory? 

    1. Feb 25, 2008

      Andreas Knecht says:

      Hi John, Yes, you're absolutely correct. Sorry for stuffing this up. I've fixed...

      Hi John,

      Yes, you're absolutely correct. Sorry for stuffing this up. I've fixed up the zip files on this page now, such that they'll unzip the relevant files to the correct directory.

      Cheers,
      Andreas