JIRA Security Advisory 2011-09-27
This advisory announces a number of security vulnerabilities that we have found in versions 4.2.x - 4.3.x of JIRA and fixed in version 4.4 of JIRA. You need to upgrade your existing JIRA installations to fix these vulnerabilities. Enterprise Hosted customers should request an upgrade by filing a ticket at http://support.atlassian.com, in the 'Enterprise Hosting Project'. JIRA Studio is not vulnerable to any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
XSS Vulnerabilities in Labelling and Issue Linking
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low. This vulnerability is not critical.
This is an independent assessment and you should evaluate its applicability to your own environment.
Risk Assessment
We have identified and fixed several cross-site scripting (XSS) vulnerabilities which may affect JIRA instances. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. The attacker needs to have a valid user account in order to exploit this vulnerability.
You can read more about XSS attacks at cgisecurity, the Web Application Security Consortium and other places on the web.
Vulnerability
Issue linking:
- The way issue summaries were rendered when displaying issue links allowed arbitrary JavaScript execution.
- Versions of JIRA 4.2.x to 4.3.x prior to 4.4 are affected.
Labelling:
- Certain issue labels could be created containing JavaScript, which then could be rendered on other pages.
- Versions of JIRA 4.2.x to 4.3.x prior to 4.4 are affected.
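The two stored XSS issues above share one root cause: user-controlled text (an issue summary, a label) reached the page as markup instead of as text. The following is an added illustration written for this advisory, not JIRA's own template code. It renders an issue link and a label list twice, once with raw string concatenation (the pattern the advisory describes) and once with HTML escaping at the output boundary, and adds a conservative allow-list for label creation. The sample issue, the markup in its summary and label, the HTML class names and the label regex are all constructed assumptions, not JIRA's actual markup or validation rules.

```python
import html
import re

# Constructed sample data (not from the advisory): an issue whose summary and
# one label carry markup, the situation the advisory describes for 4.2.x-4.3.x.
ISSUE = {
    "key": "DEMO-1",
    "summary": 'Login fails <script>alert("xss")</script>',
    "labels": ["backend", "<img src=x onerror=alert(1)>"],
}

# Allow-list for labels at creation time. This is an assumption for the
# example, not JIRA's real label syntax; the point is that markup characters
# are rejected before anything is stored.
LABEL_RE = re.compile(r"^[A-Za-z0-9_\-.]{1,255}$")


def render_issue_link_vulnerable(issue):
    """Before: raw concatenation, so the summary is emitted as live markup."""
    return (
        f'<a class="issue-link" href="/browse/{issue["key"]}">'
        f'{issue["key"]}: {issue["summary"]}</a>'
    )


def render_issue_link_fixed(issue):
    """After: every untrusted value is HTML-escaped where it enters the page.

    quote=True also escapes quotes, which matters inside attribute values.
    (A production template would additionally URL-encode the href segment.)
    """
    key = html.escape(issue["key"], quote=True)
    summary = html.escape(issue["summary"], quote=True)
    return f'<a class="issue-link" href="/browse/{key}">{key}: {summary}</a>'


def validate_label(label):
    """Return True when a label is safe to store under the allow-list above."""
    return bool(LABEL_RE.match(label))


def render_labels_fixed(labels):
    """Render a label list, escaping on output even though creation is now
    validated: labels stored before the validation existed are still there."""
    items = "".join(
        f'<li class="label">{html.escape(label, quote=True)}</li>' for label in labels
    )
    return f'<ul class="labels">{items}</ul>'


def contains_injected_tag(rendered):
    """Check used below: did an injected <script> or <img> tag survive as markup?
    The page's own <a>, <ul> and <li> tags are deliberately not matched."""
    return bool(re.search(r"<(script|img)\b", rendered, re.IGNORECASE))


if __name__ == "__main__":
    print(render_issue_link_vulnerable(ISSUE))
    print(render_issue_link_fixed(ISSUE))
    print([(label, validate_label(label)) for label in ISSUE["labels"]])
    print(render_labels_fixed(ISSUE["labels"]))
```

Escaping on output is the fix that closes both vectors; the creation-time allow-list is defence in depth and does nothing for data that was stored before it existed, which is why the rendering side must be fixed regardless.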
Risk Mitigation
We strongly recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.
Fix
These vulnerabilities have been fixed in JIRA 4.4 and later versions.
For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.
If you cannot upgrade to the latest version of JIRA, you can temporarily patch your existing installation of JIRA 4.3.x or JIRA 4.2.x using the patches listed below. We strongly recommend upgrading and not patching.
Patches
If you are running JIRA 4.3.x, you can apply the following patch to fix these vulnerabilities.
Vulnerability | Patch | Patch File Name | Instructions |
---|---|---|---|
Linking and Labelling | Attached to issue JRA-24773 | JRA-24773-4.3.4-patch.zip | |
If you are running JIRA 4.2.x, you can apply the following patch to fix these vulnerabilities.
Vulnerability | Patch | Patch File Name | Instructions |
---|---|---|---|
Linking and Labelling | Attached to issue JRA-24773 | JRA-24773-4.2.4-patch.zip | |
XSS Vulnerability in Administration Interface of JIRA Bamboo Plugin
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low. This vulnerability is not critical.
This is an independent assessment and you should evaluate its applicability to your own environment.
Risk Assessment
We have identified and fixed a cross-site scripting (XSS) vulnerability which may affect JIRA instances. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. The attacker does not need a valid user account in order to exploit this vulnerability.
You can read more about XSS attacks at cgisecurity, the Web Application Security Consortium and other places on the web.
Vulnerability
JIRA administration interface (Bamboo plugin):
- There is a non-persistent XSS vector in the JIRA administration interface related to managing JIRA Bamboo settings.
- Versions of JIRA 4.3.x are affected.
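Because this vector is non-persistent, the payload is carried in the request itself, so web-server access logs are where an administrator can check whether an unpatched instance was targeted before the plugin was upgraded. The script below is an added example for this advisory, not an Atlassian tool: it parses constructed Apache-style access-log lines, URL-decodes each query parameter, and flags requests to the administration area whose parameters contain script-like content. The log lines, the client addresses, the parameter name and the `/secure/admin/PLACEHOLDER_BambooSettings.jspa` path are all constructed placeholders; the advisory does not name the affected action, and only the `/secure/admin/` prefix is assumed to be JIRA's administration area.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log sample. Addresses are documentation ranges, the
# admin action name is a placeholder, and the "name" parameter is invented.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Sep/2011:10:01:02 +0000] "GET /secure/admin/PLACEHOLDER_BambooSettings.jspa HTTP/1.1" 200 5120
203.0.113.11 - - [27/Sep/2011:10:02:15 +0000] "GET /secure/admin/PLACEHOLDER_BambooSettings.jspa?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200
198.51.100.7 - - [27/Sep/2011:10:03:44 +0000] "GET /browse/DEMO-1 HTTP/1.1" 200 8800
203.0.113.11 - - [27/Sep/2011:10:04:01 +0000] "GET /secure/admin/PLACEHOLDER_BambooSettings.jspa?name=x%22%20onmouseover%3Dalert(1)%20 HTTP/1.1" 302 0
198.51.100.7 - - [27/Sep/2011:10:05:09 +0000] "GET /browse/DEMO-1?q=%3Cscript%3E HTTP/1.1" 200 8800
"""

# Common log format: client, identd, user, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Script-like content after decoding: a script tag, an on*= event handler,
# or a javascript: URL. Deliberately broad; tune to your own false-positive rate.
XSS_RE = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

# Assumption: JIRA's administration pages live under this prefix.
ADMIN_PREFIX = "/secure/admin/"


def suspicious_params(target):
    """Return (path, [parameter names whose decoded value looks script-like])."""
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decodes once; a second pass catches double-encoding.
        decoded = unquote_plus(value)
        if XSS_RE.search(decoded):
            hits.append(name)
    return parts.path, hits


def scan(log_text):
    """Flag admin-area requests carrying script-like parameters.

    A 302 on the admin path is still worth seeing: the request was made even
    if the browser was redirected to log in first.
    """
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; skipped rather than silently dropped
        path, hits = suspicious_params(match["target"])
        if hits and path.startswith(ADMIN_PREFIX):
            findings.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "path": path,
                "params": hits,
                "status": int(match["status"]),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against real logs, the prefix filter keeps the output focused on the administration interface this advisory concerns; dropping it turns the same code into a general reflected-XSS hunt across the instance, at the cost of more noise from legitimate issue text in search parameters.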
Risk Mitigation
We strongly recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.
Fix
This vulnerability has been fixed in JIRA 4.4 and later versions.
For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.
If you cannot upgrade to the latest version of JIRA, you can upgrade only the Bamboo Plugin in your existing installation of JIRA 4.3.x or JIRA 4.2.x using the plugin versions listed below. We strongly recommend upgrading the full JIRA instance instead of a single plugin.
Patches
If you are running JIRA 4.3.x, use the plugin manager to upgrade the Bamboo plugin to a version equal to or greater than that specified in the table below. Both Bamboo Plugin 4.2.x and 4.3.x support JIRA 4.3.x; see the compatibility matrix on the Plugin Exchange.
Vulnerability | Plugin | Plugin version | Instructions |
---|---|---|---|
JIRA Bamboo Plugin | | 4.2.1 or 4.3.3 | Updating a JIRA plugin |
If you are running JIRA 4.2.x, use the plugin manager to upgrade the Bamboo plugin to a version equal to or greater than that specified in the table below. The vulnerability is not exploitable in JIRA 4.2.x, but we recommend upgrading the plugin anyway.
Vulnerability | Plugin | Plugin version | Instructions |
---|---|---|---|
JIRA Bamboo Plugin | | 4.1.5 | Updating a JIRA plugin |
Acknowledgement
Our thanks to Dave B, who reported one of the vulnerabilities in this advisory. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.