JIRA Security Advisory 2010-04-16

Several security vulnerabilities have been identified in JIRA. Please read this advisory in full, and follow the mitigation and patching steps, to determine whether your system is affected or has been compromised.

In this advisory:

  • Privilege Escalation Vulnerabilities
  • XSS Vulnerabilities in JIRA
  • Available Patches

Privilege Escalation Vulnerabilities

Severity

Atlassian rates these vulnerabilities as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed several privilege escalation vulnerabilities, which may affect JIRA instances. These vulnerabilities have security implications and are especially important for anyone running publicly accessible instances of JIRA.

An attacker who has gained administrator access to a JIRA instance could set the attachment, index or backup path to a location within the JIRA web application directory. Once this has been done, the attacker can upload malicious code that executes in the context of the user running the application server in which JIRA is deployed. The attacker could then modify JIRA's files and capture user credentials. If you have followed standard guidelines for hardening your application server (in particular, running it as a low-privilege account and keeping the web application directory read-only to that account), your instance should be less susceptible to this vulnerability.

Note: The JIRA web application directory is the atlassian-jira subdirectory (for JIRA Standalone installations) or the webapps subdirectory (for JIRA WAR installations on Tomcat). For other application servers, consult that application server's documentation to locate the web application directory.

Risk Mitigation

We strongly recommend either upgrading or patching your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.

Note: If you are an Atlassian JIRA Studio or Hosted customer, we have assessed that your system is secure and implemented additional protections for it.

We also strongly recommend that you secure your JIRA instance by following these instructions, even if you are not in a position to apply the patches immediately.

Vulnerability

All versions of JIRA are affected by these privilege escalation vulnerabilities.

As a consequence of these security fixes, the following changes to JIRA's behaviour have occurred.

  • JIRA now recognises a new property, jira.paths.set.allowed, in the jira-application.properties file that collectively enables or disables the following capabilities in the JIRA user interface:
    • Setting the attachments directory
    • Setting the indexing directory
    • Setting the backup directory for the backup service
    • Restoring XML data from a JIRA XML backup
    • Setting the directory in the "Create issues from local files" service
    • Viewing the list of administrators through the "Contact Administrators" link in the footer.

      Note: On initial application of this patch, the jira.paths.set.allowed property will not be present in this file and all of the settings above will be disabled by default. We recommend that this property be absent from your jira-application.properties file or, if it is present, that its value be set to false.
  • JIRA now recognises another new property, jira.paths.safe.backup.path, in the jira-application.properties file which specifies a safe directory for XML backups. This property only applies to the 'Backup Data to XML' function and not to the scheduled backup service. If the property is not present, 'Backup Data to XML' will not be allowed. The file name entered in the user interface is appended to the safe path to determine the destination of the backup file. Please ensure that the safe path is outside your web application directory.

    Note: On initial application of this patch, the jira.paths.safe.backup.path property will not be present in this file.
  • System logs and customer data are no longer included in generated support requests. The automatically generated support request sent to Atlassian no longer includes system logs or the XML backup.
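As an added example (not part of the advisory and not Atlassian's code), the following Python script audits the hardening state described in the two sections above: it parses a constructed jira-application.properties fragment for the two new properties and checks whether the configured attachment, index and backup paths, and the safe backup path, resolve to a location inside the web application directory, which is the condition the privilege escalation relies on. The properties file contents, the directory names and the path-containment check are assumptions made here for illustration.

```python
import posixpath
from typing import Dict, List

# Constructed sample of a jira-application.properties fragment (not taken
# from a real instance). jira.paths.set.allowed=true re-enables the UI path
# settings that the patch disables by default, and the safe backup path has
# been placed inside the web application directory: both are mistakes.
SAMPLE_PROPERTIES = """
# JIRA application properties (constructed sample)
jira.paths.set.allowed = true
jira.paths.safe.backup.path = /opt/jira/atlassian-jira/WEB-INF/backups
"""

# Assumed Standalone install: the web application directory is the
# atlassian-jira subdirectory of the JIRA installation (assumed location).
WEBAPP_DIR = "/opt/jira/atlassian-jira"

# Constructed sample of the paths an administrator could set in the UI.
# The attachments path sneaks back into the webapp directory via '..';
# the backup path merely shares a string prefix with the webapp directory.
SAMPLE_PATHS = {
    "attachments": "/opt/jira/atlassian-jira/../atlassian-jira/attachments",
    "index": "/var/atlassian/jira/caches/indexes",
    "backup": "/opt/jira/atlassian-jira2/export",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value or key:value pairs,
    '#' and '!' comment lines, surrounding whitespace ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=") if "=" in line else line.partition(":")
        props[key.strip()] = value.strip()
    return props


def is_inside(base: str, candidate: str) -> bool:
    """True if candidate is base itself or a descendant of it.

    normpath removes '..' segments and trailing slashes, so '/a/b/../b/c'
    is recognised as inside '/a/b'; commonpath compares whole components,
    so '/a/b2' is not treated as inside '/a/b'. Symbolic links are not
    resolved here (use os.path.realpath when checking a live host)."""
    base_n = posixpath.normpath(base)
    cand_n = posixpath.normpath(candidate)
    if not (posixpath.isabs(base_n) and posixpath.isabs(cand_n)):
        raise ValueError("absolute paths required")
    return posixpath.commonpath([base_n, cand_n]) == base_n


def audit(props: Dict[str, str], webapp_dir: str, paths: Dict[str, str]) -> List[str]:
    """Return one finding per misconfiguration; an empty list means the
    configuration matches the advisory's recommendations."""
    findings: List[str] = []
    if props.get("jira.paths.set.allowed", "false").lower() == "true":
        findings.append("jira.paths.set.allowed is true: path changes through the UI "
                        "are re-enabled; remove the property or set it to false")
    safe = props.get("jira.paths.safe.backup.path")
    # An absent property means 'Backup Data to XML' is disabled: the patched default.
    if safe and is_inside(webapp_dir, safe):
        findings.append(f"jira.paths.safe.backup.path ({safe}) is inside the web application directory")
    for name, path in paths.items():
        if is_inside(webapp_dir, path):
            findings.append(f"{name} path ({path}) is inside the web application directory")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_PROPERTIES), WEBAPP_DIR, SAMPLE_PATHS):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports three findings: the re-enabled jira.paths.set.allowed, the safe backup path under WEB-INF, and the attachments path that re-enters the web application directory through a '..' segment. The index path and the '/opt/jira/atlassian-jira2' backup path are correctly left alone; a naive string-prefix comparison would have flagged the latter and missed the former.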

Fix

These issues have been fixed in JIRA 4.1.1 and later.

These fixes are also provided as a patch for JIRA 4.1 and previous versions of JIRA. See Available Patches (below) for the complete list of available patches.

These patches are also available from JIRA issue JRA-21004. These patches also address the XSS vulnerabilities described below.

In addition to patching your instance, we strongly recommend that you also review these instructions on securing your JIRA instance (and any other web application).

XSS Vulnerabilities in JIRA

Severity

Atlassian rates these vulnerabilities as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed several cross-site scripting (XSS) vulnerabilities in JIRA, which may affect JIRA instances. These vulnerabilities have security implications and are especially important for anyone running publicly accessible instances of JIRA.

  • The attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to the attacker's own web server.
  • The attacker's text and script might be displayed to other people viewing a JIRA page. This is potentially damaging to your company's reputation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Risk Mitigation

We strongly recommend either upgrading or patching your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.

We also strongly recommend that you secure your JIRA instance by following these instructions, even if you are not in a position to apply the patches immediately.

Vulnerability

All versions of JIRA are affected by these XSS vulnerabilities.

An attacker can inject their own JavaScript into the JIRA components listed in the table below. Each of the actions is invoked when a user performs a specific function in JIRA, such as clicking a link or a button. The actions can also be invoked by simply entering the URL into the browser address bar. The rogue JavaScript will be executed when a user invokes the URL.

The affected pages and the routes of attack are:

  • Colour Picker (colorpicker.jsp): XSS code injection into the 'element' or 'defaultColor' URL parameters.
  • User Picker (userpicker.jsp): XSS code injection into the 'formName' or 'element' URL parameters. A user's full name field is another route: a script stored in that field executes when another user views it via the User Picker.
  • Group Picker (grouppicker.jsp): XSS code injection into the 'formName' or 'element' URL parameters. The group name field is another route: code stored in that field executes when a user views it via the Group Picker.
  • Announcement Banner Preview: appending the 'announcement_preview_banner_st' URL parameter to the URL of most pages in JIRA is a potential route for XSS scripts.
  • Support-related JSP pages: the following pages could be exploited by XSS scripts. We have disabled these pages in JIRA and they are no longer available.
    • .../secure/admin/groupnames.jsp
    • .../secure/admin/indexbrowser.jsp
    • .../secure/admin/debug/classpath-debug.jsp
    • .../secure/admin/viewdocument.jsp
    • .../secure/admin/cleancommentspam.jsp
  • runportleterror.jsp: XSS code injection into the 'portletKey' URL parameter.
  • issuelinksmall.jsp: XSS scripts appended to the end of the URL.
  • screenshot-redirecter.jsp: XSS code injection into the 'afterURL' URL parameter.
  • 500page.jsp: XSS code injection into the 'Referer' HTTP request header.
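As an added example (not part of the advisory and not Atlassian's code), the following Python script turns the table above into detection logic that can be run over application server access logs: it parses combined-format log entries, decodes the query string, and flags requests that carry script-like payloads in the named parameters, any request for the disabled support pages, and a suspicious Referer on 500page.jsp. The log lines are constructed, the directory portions of the request paths are illustrative (only the page name is checked), and the payload-matching pattern is a heuristic added here rather than anything the advisory specifies.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Pages and URL parameters named in the advisory's table.
XSS_ROUTES = {
    "colorpicker.jsp": {"element", "defaultColor"},
    "userpicker.jsp": {"formName", "element"},
    "grouppicker.jsp": {"formName", "element"},
    "runportleterror.jsp": {"portletKey"},
    "screenshot-redirecter.jsp": {"afterURL"},
}
ANNOUNCEMENT_PARAM = "announcement_preview_banner_st"   # reflected on most pages
DISABLED_PAGES = {"groupnames.jsp", "indexbrowser.jsp", "classpath-debug.jsp",
                  "viewdocument.jsp", "cleancommentspam.jsp"}

# Heuristic markup/script indicators. This pattern is an assumption made
# here, not something the advisory specifies, and misses encodings it
# does not cover; treat a match as a lead, not a verdict.
SCRIPT_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|style)\b|javascript:|\bon\w+\s*=", re.I)

# Apache/Tomcat "combined" access log format: the Referer header is the
# first quoted field after the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Apr/2010:10:00:01 +0000] "GET /secure/popups/colorpicker.jsp?element=%3Cscript%3Ealert(1)%3C/script%3E&defaultColor=%23ff0000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [16/Apr/2010:10:00:02 +0000] "GET /secure/popups/colorpicker.jsp?element=customfield_10010&defaultColor=%23336699 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [16/Apr/2010:10:00:03 +0000] "GET /secure/admin/indexbrowser.jsp HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [16/Apr/2010:10:00:04 +0000] "GET /500page.jsp HTTP/1.1" 500 0 "http://attacker.example/<script>alert(document.cookie)</script>" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Apr/2010:10:00:05 +0000] "GET /browse/TEST-1?announcement_preview_banner_st=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def suspicious(value: str) -> bool:
    """parse_qs already removes one layer of percent-encoding; decoding once
    more also catches payloads the client double-encoded."""
    return bool(SCRIPT_MARKERS.search(unquote(value)))


def classify(line: str) -> Optional[List[str]]:
    """Return the attack routes a log line matches: [] for a clean line,
    None if the line is not in the expected combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    page = parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)
    hits: List[str] = []
    for name in sorted(XSS_ROUTES.get(page, ())):
        if any(suspicious(v) for v in params.get(name, [])):
            hits.append(f"{page}?{name}")
    if any(suspicious(v) for v in params.get(ANNOUNCEMENT_PARAM, [])):
        hits.append(f"{page}?{ANNOUNCEMENT_PARAM}")
    if page in DISABLED_PAGES:
        hits.append(f"request for disabled support page {page}")
    if page == "500page.jsp" and suspicious(m.group("referer")):
        hits.append("500page.jsp via Referer header")
    if page == "issuelinksmall.jsp" and suspicious(target):
        hits.append("issuelinksmall.jsp via URL")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, routes) for every line matching at least one route."""
    return [(i, hits) for i, hits in ((i, classify(line)) for i, line in enumerate(lines)) if hits]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG):
        print(f"line {i}: {', '.join(hits)}")
```

On the constructed sample the script flags four of the five lines and leaves the legitimate colorpicker.jsp request alone. Two caveats: access logs show only what was requested, so a successful exploit looks the same as a failed probe, and the stored routes (a script in a user's full name or a group name) never appear in request logs at all and have to be checked in the user and group data directly.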

Fix

These issues have been fixed in JIRA 4.1.1 and later.

These fixes are also provided as a patch for JIRA 4.1 and previous versions of JIRA. See Available Patches (below) for the complete list of available patches.

These patches are also available in JIRA issue JRA-21004. The patches also address the privilege escalation vulnerabilities described above.

In addition to patching your instance, we strongly recommend that you also review these instructions on securing your JIRA instance (and any other web application).

Available Patches

The available patches address both the Privilege Escalation and XSS Vulnerabilities. They can be obtained from JRA-21004, or directly downloaded from the table below. To install the patch, please follow the instructions in the patch file.

The patches below supersede the patches previously available at JRA-20994 and JRA-20995, which have been combined into one. Please install this unified patch even if you have previously applied the patches from JRA-20994 or JRA-20995, as it contains additional improvements. You do not need to uninstall previous patches.


Last modified on Sep 15, 2010
