Jira Data Center And Jira Service Management Data Center Security Advisory 2021-07-21
Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239
Summary | CVE-2020-36239 - Missing Authentication for Ehcache RMI |
---|---|
Advisory Release Date | 21 July 2021, 10 AM PDT (Pacific Time, UTC -7 hours) |
Product | Jira Data Center, Jira Core Data Center, Jira Software Data Center, Jira Service Management Data Center |
Note: Jira Data Center includes Jira Software Data Center, and Jira Core Data Center. Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected. Jira Cloud customers are not affected. Jira Service Management Cloud customers are not affected. |
Affected Versions | Jira Data Center, Jira Core Data Center, and Jira Software Data Center: from 6.3.0 before 8.5.16; from 8.6.0 before 8.13.8; from 8.14.0 before 8.17.0. Jira Service Management Data Center: from 2.0.2 before 4.5.16; from 4.6.0 before 4.13.8; from 4.14.0 before 4.17.0 |
Fixed Versions - Jira Data Center, Jira Core Data Center, and Jira Software Data Center | 8.5.16, 8.13.8, 8.17.0 |
Fixed Versions - Jira Service Management Data Center | 4.5.16, 4.13.8, 4.17.0 |
CVE ID | CVE-2020-36239 |
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability introduced in version 6.3.0 of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center (known as Jira Service Desk prior to 4.14). Affected versions of Jira Data Center and Jira Service Management Data Center can be found in the table above (see “Affected Versions”).
Customers who have downloaded and installed any versions listed in the Affected Versions section must upgrade their installations immediately to fix this vulnerability:
Jira Data Center
Jira Core Data Center
Jira Software Data Center
Jira Service Management Data Center
Atlassian Cloud is not affected by the issue described on this page.
Jira Cloud is not affected.
Jira Service Management Cloud is not affected.
Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected by the issue described on this page.
Single node Data Center instances without a cluster.properties file are not affected.
Customers who have upgraded Jira Data Center, Jira Core Data Center, or Jira Software Data Center to versions
8.5.16
8.13.8
8.17.0
and/or Jira Service Management Data Center to versions
4.5.16
4.13.8
4.17.0
or higher are not affected.
Missing Authentication for Ehcache RMI - CVE-2020-36239
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed an Ehcache RMI network service without authentication. Attackers who can connect to the service, on port 40001 and potentially 40011 [0][1][2], could execute arbitrary code of their choice in Jira through deserialization of the Java objects sent over RMI. While Atlassian strongly suggests restricting access to the Ehcache ports to Data Center cluster nodes only, fixed versions of Jira now require a shared secret in order to allow access to the Ehcache service.
[0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.
[1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.
[2] The default Ehcache port is 40001 but it can be configured to be on a different port, see Installing JIRA Data Center for more details.
The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:
From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)
From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)
From version 8.14.0 before 8.17.0
The versions of Jira Service Management Data Center affected by this vulnerability are:
From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
From version 4.14.0 before 4.17.0
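As an added check that is not part of Atlassian's advisory: the affected ranges above encoded as a version-comparison routine, the kind of thing run over an inventory of Jira Data Center and Jira Service Management Data Center nodes to find what still needs upgrading. The product keys "jira" and "jsm", the function names and the hostnames in the usage block are assumptions made for this example; the ranges, the fixed versions and the exemption for non-clustered deployments come from this page.

```python
"""Added check for CVE-2020-36239 exposure: is a given Jira Data Center /
Jira Service Management Data Center version inside the affected ranges
stated in the advisory, and which fixed release on the same line should
it move to? Not part of the advisory itself."""
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'8.13.7' -> (8, 13, 7). A build qualifier such as '8.13.7-jira' is dropped."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


# (first affected, first fixed) for each release line, from the advisory:
# a version is affected when first_affected <= version < first_fixed.
AFFECTED_RANGES = {
    "jira": [("6.3.0", "8.5.16"), ("8.6.0", "8.13.8"), ("8.14.0", "8.17.0")],
    "jsm": [("2.0.2", "4.5.16"), ("4.6.0", "4.13.8"), ("4.14.0", "4.17.0")],
}


def check_version(product: str, version: str,
                  clustered: bool = True) -> Tuple[bool, Optional[str]]:
    """Return (affected, upgrade_target).

    product   -- "jira" (Jira / Jira Core / Jira Software Data Center) or
                 "jsm" (Jira Service Management Data Center); these keys are
                 this example's own naming.
    clustered -- False for Jira Server or a single-node Data Center instance
                 without cluster.properties; the advisory states those
                 deployments are not affected regardless of version.
    upgrade_target is the first fixed release on the same line, e.g. "8.13.8"
    for "8.13.7", or None when the version is not affected. Versions at or
    above the newest fixed release (8.17.0 / 4.17.0) are not affected.
    """
    if not clustered:
        return False, None
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES[product]:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return True, first_fixed
    return False, None


if __name__ == "__main__":
    # Constructed fleet inventory, not real hosts.
    for host, product, version in [("jira-dc-1", "jira", "8.13.7"),
                                   ("jira-dc-2", "jira", "8.17.1"),
                                   ("jsm-dc-1", "jsm", "4.14.0")]:
        affected, target = check_version(product, version)
        status = f"AFFECTED, upgrade to at least {target}" if affected else "not affected"
        print(f"{host} ({product} {version}): {status}")
```

The upgrade target returned is the minimum fixed release on the node's own line; the advisory's preferred target is the latest release (8.17.0 / 4.17.0 or higher), with the 8.5.x / 8.13.x and 4.5.x / 4.13.x fixes for installations that cannot move that far.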
This issue can be tracked at:
Acknowledgements
Credit for finding this vulnerability goes to Harrison Neal.
Fix
To address this issue, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions:
8.5.16 that contains a fix for this issue
8.13.8 that contains a fix for this issue
8.17.0 that contains a fix for this issue
Jira Service Management Data Center versions:
4.5.16 that contains a fix for this issue
4.13.8 that contains a fix for this issue
4.17.0 that contains a fix for this issue
These versions can be downloaded at:
Jira Core Server: https://www.atlassian.com/software/jira/core/download
Jira Software Data Center: https://www.atlassian.com/software/jira/update
Jira Service Management Data Center: https://www.atlassian.com/software/jira/service-management/update
What You Need to Do
Atlassian recommends that you upgrade to the latest version. We also recommend restricting access to the Ehcache RMI ports as described in the Mitigation section of this page. For a full description of the latest version, see the release notes for Jira Data Center, Jira Software Data Center, and Jira Service Management Data Center. You can download the latest versions of Jira Data Center and Jira Service Management Data Center from the download center (Jira Data Center | Jira Service Management Data Center).
Upgrade Jira Data Center to version 8.17.0 or higher.
If you cannot upgrade to 8.17.0, then upgrade to 8.5.16 or 8.13.8.
Upgrade Jira Service Management Data Center to version 4.17.0 or higher.
If you cannot upgrade to 4.17.0, then upgrade to 4.5.16 or 4.13.8.
Mitigation
Restrict access to the Ehcache RMI ports of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center so that only cluster instances can reach them, using firewalls or similar technologies.
Data Center cluster nodes still need to be able to connect to the other cluster nodes' Ehcache ports, so the restriction must allow node-to-node traffic.
In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions 7.13.1 and above, the ports that need to be restricted to cluster instances are:
port 40001
port 40011
- If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances for the specific ports that you have configured Ehcache RMI to use
In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions 7.13.0 and below, the ports that need to be restricted to cluster instances are:
port 40001
port 40011
ports in the range 1024-65535, because the Ehcache object port can be randomly allocated on these versions (in version 7.3.1 and above you can apply the workaround detailed in https://jira.atlassian.com/browse/JRASERVER-66608 to avoid needing to restrict access to these ports)
- If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances for the specific ports that you have configured Ehcache RMI to use
In Jira Service Management Data Center versions 3.16.1 and above, the ports that need to be restricted to cluster instances are:
port 40001
port 40011
- If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances for the specific ports that you have configured Ehcache RMI to use
In Jira Service Management Data Center versions 3.16.0 and below, the ports that need to be restricted to cluster instances are:
port 40001
port 40011
ports in the range 1024-65535, because the Ehcache object port can be randomly allocated on these versions (in version 3.3.1 and above you can apply the workaround detailed in https://jira.atlassian.com/browse/JRASERVER-66608 to avoid needing to restrict access to these ports)
- If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances for the specific ports that you have configured Ehcache RMI to use
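The mitigation above, turned into an added example that is not part of Atlassian's advisory: a script that reads a node's cluster.properties and emits iptables rules allowing the Ehcache RMI ports only from the other cluster nodes. It assumes iptables as the firewall (the advisory names no tool), that the Ehcache ports are the cluster.properties settings ehcache.listener.port and ehcache.object.port with the advisory's defaults 40001 and 40011, and, reading footnotes [0] and [1], that an explicitly configured object port is no longer randomly allocated. The sample properties file and the node addresses are constructed for illustration.

```python
"""Added example for the Mitigation section: derive iptables rules that
restrict a Jira Data Center node's Ehcache RMI ports to the other cluster
nodes. Ports come from cluster.properties (ehcache.listener.port,
ehcache.object.port) with the advisory's defaults 40001 / 40011. Not part
of the advisory; iptables is this example's choice of firewall."""
import re
from typing import Dict, Iterable, List, Tuple

PROPERTY_LINE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' or 'key: value',
    blank lines and '#'/'!' comments skipped (no line continuations)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = PROPERTY_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def object_port_may_be_random(product: str, version: str) -> bool:
    """Footnotes [0]/[1]: before Jira DC 7.13.1 / JSM DC 3.16.1 the Ehcache
    object port can be randomly allocated unless it is set explicitly."""
    threshold = {"jira": (7, 13, 1), "jsm": (3, 16, 1)}[product]
    parsed = tuple(int(p) for p in version.split("-")[0].split("."))
    return parsed < threshold


def ehcache_firewall_rules(properties_text: str, cluster_nodes: Iterable[str],
                           product: str, version: str,
                           chain: str = "INPUT") -> Tuple[List[str], List[str]]:
    """Return (iptables rules, warnings).

    For every Ehcache port: one ACCEPT per cluster node address, then a DROP
    for everyone else. Rules are appended in that order, so the chain must
    not already contain a broader ACCEPT for these ports ahead of them.
    """
    nodes = list(cluster_nodes)
    props = parse_properties(properties_text)
    listener_port = props.get("ehcache.listener.port", "40001")
    object_port = props.get("ehcache.object.port")
    ports = [listener_port, object_port or "40011"]
    warnings: List[str] = []
    if object_port is None and object_port_may_be_random(product, version):
        # Advisory: on these versions also restrict 1024-65535 to cluster nodes
        # (assumption of this example: pinning ehcache.object.port removes the
        # need for the range, as the random allocation no longer applies).
        ports.append("1024:65535")
        warnings.append(
            f"{product} {version}: ehcache.object.port is not set, so the object "
            "port may be randomly allocated; restricting 1024-65535 to cluster nodes. "
            "Add ACCEPT rules for the application's own ports above 1024 (e.g. the "
            "Tomcat HTTP port) ahead of these, or pin ehcache.object.port."
        )
    rules: List[str] = []
    for port in ports:
        for node in nodes:
            rules.append(f"iptables -A {chain} -p tcp --dport {port} -s {node} -j ACCEPT")
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules, warnings


# Constructed sample cluster.properties (not from a real deployment).
SAMPLE_CLUSTER_PROPERTIES = """\
# Jira Data Center node configuration
jira.node.id = node1
jira.shared.home = /data/jira/sharedhome
ehcache.listener.hostName = 10.0.0.11
ehcache.listener.port = 40001
ehcache.object.port = 40011
"""

if __name__ == "__main__":
    # Constructed addresses of the two nodes in this cluster.
    rules, warnings = ehcache_firewall_rules(SAMPLE_CLUSTER_PROPERTIES,
                                             ["10.0.0.11", "10.0.0.12"],
                                             "jira", "8.13.7")
    print("\n".join(rules))
    for warning in warnings:
        print("WARNING:", warning)
```

Run it on each node with that node's own cluster.properties and the addresses of every node in the cluster (including itself, since the listener address is the node's own), then review the output before applying it; the generated DROP rules only protect the listed ports, and the range fallback for pre-7.13.1 / pre-3.16.1 versions is deliberately broad, which is why the script warns about carving out the application's own ports.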
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
As per our new policy, critical security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released.
Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.
Our end of life policy varies for different products. Please refer to our EOL Policy for details.