
This advisory announces a security vulnerability that has been found in all versions of JIRA prior to 4.2.2 and fixed in 4.2.2 and later versions. Enterprise Hosted customers should request an upgrade by filing a ticket at http://support.atlassian.com. JIRA Studio is not vulnerable to any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

In this advisory:

Parameter-Based Redirection Vulnerability

Severity

Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low. This vulnerability is not critical.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Risk Assessment

Parameter-based redirection vulnerabilities allow an attacker to craft a JIRA URL in such a way that a user clicking on this URL will be redirected to a different web site. This can be used for phishing.

You can read more about link manipulation attacks at Wikipedia, and about phishing at Fraud.org and other places on the web.

Vulnerability

Some actions in JIRA redirect users to a new page after the action has been completed. It was possible to hand-craft a URL that would redirect to a site outside the current instance of JIRA. Starting with JIRA 4.2.2 all such redirections are limited to pages inside the current instance of JIRA.
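The confinement described above, shown as an added Python illustration rather than JIRA's own code: a redirect-after-action handler that accepts a caller-supplied target only if it resolves to a page inside the instance. The base URL, the function names and the sample parameter values are constructed for this example; the "unsafe" function stands in for the pre-4.2.2 behaviour the advisory describes, where the parameter was used as the redirect target without restriction.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed base URL standing in for the instance's configured base URL.
# It is an assumption for this illustration, not a value from the advisory.
BASE_URL = "https://jira.example.com/jira/"


def _default_port(scheme: str) -> Optional[int]:
    """Port implied by the scheme when the URL does not name one."""
    return {"http": 80, "https": 443}.get(scheme.lower())


def _effective_port(parts) -> Optional[int]:
    """Explicit port if present and valid, otherwise the scheme default."""
    try:
        port = parts.port
    except ValueError:  # non-numeric port in a malformed authority
        return None
    return port if port is not None else _default_port(parts.scheme)


def unsafe_redirect_target(return_url: str) -> str:
    """Behaviour the advisory describes for releases before 4.2.2: the
    caller-supplied parameter becomes the redirect target as-is, so a link
    can send the user to any site."""
    return return_url


def safe_redirect_target(return_url: str, base_url: str = BASE_URL) -> str:
    """Confine the redirect to pages inside the current instance.

    The target is resolved against the instance base URL and accepted only
    if it lands on the same scheme, host and port and under the same context
    path; anything else is replaced by the base URL.
    """
    base = urlsplit(base_url)
    # Browsers commonly treat a backslash like a slash, so "/\\host" would be
    # a path here but a network-path reference there; normalise before parsing.
    candidate = return_url.replace("\\", "/")
    # Resolving relative references means "secure/Dashboard.jspa",
    # "/jira/browse/KEY-1" and absolute URLs all go through the same checks,
    # and dot segments such as "/jira/../admin" are collapsed before comparison.
    resolved = urlsplit(urljoin(base_url, candidate))
    same_origin = (
        resolved.scheme == base.scheme
        and resolved.hostname == base.hostname
        and _effective_port(resolved) == _effective_port(base)
    )
    inside_context = resolved.path.startswith(base.path)
    if same_origin and inside_context:
        return resolved.geturl()
    return base_url


if __name__ == "__main__":
    # Constructed sample parameter values of the kind a redirect-after-action
    # handler might receive; the rejected ones all resolve outside the instance.
    samples = [
        "secure/Dashboard.jspa",
        "/jira/browse/KEY-1",
        "//evil.example/login",
        "https://jira.example.com.evil.example/jira/",
        "/\\evil.example",
        "/jira/../admin",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:48} unsafe -> {unsafe_redirect_target(s)!r}")
        print(f"{'':48} safe   -> {safe_redirect_target(s)!r}")
```

The comparison is done on the resolved URL rather than on the raw parameter so that host-prefix tricks, protocol-relative references and path traversal out of the context path are all judged by where the browser would actually end up.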

All versions of JIRA prior to 4.2.2 are affected.

Risk Mitigation

We recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.

Fix

These issues have been fixed in JIRA 4.2.2 and later.

Patches

We have created a patch for the latest maintenance release 4.1.2 of JIRA for this vulnerability.


Please note that we have released a number of advisories about JIRA recently. We recommend that you review them and upgrade to the most recent release of the product or apply external security controls if you cannot. Most of the disclosed vulnerabilities are not critical and often present less risk when used in a corporate environment with no access from the Internet.

We usually provide patches only for vulnerabilities of critical severity, as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.

We recommend patching only when you can neither upgrade nor apply external security controls.

Supported JIRA Version | Issue Tracking | File Name                   | Downloadable Patch
4.1.2                  | JRA-23842      | patch-JRA-23842-4.1.2-a.zip | Download

Instructions on how to apply the patch are included in the zip file


21 Comments

  1. What's the plan to provide a fix for the previous versions? I would be interested in 4.0.2

    1. We are currently patching only critical vulnerabilities, see Support. Speaking of your version, it is about a year old and we recommend that you upgrade it; there have been multiple advisories during the year, see Security Advisories.

      We are committed to improving product security and you can expect the number of vulnerabilities (and advisories) decreasing significantly this year.

      Current version of JIRA is 4.3 and we released a bugfix 4.2.2 for version 4.2.

  2. Anonymous

    My company still has a large number of users running IE6.0.  Since IE6.0 is not officially supported beyond 4.1.x, what is your suggestion to solve this issue?

    Thank you.

    1. Does Microsoft still support IE6.0? If not, it seems unlikely that any other companies would.
      As a consultant, I usually point out to my customers how many other applications don't work in IE6 these days.

    2. Anonymous

      IE6 IS dead - which is not meant to start flaming, but to say IE6 reached End Of Life / End Of Support - even for enterprise customers. Start thinking about introducing something useful instead of IE6 - that includes not upgrading to IE > 6, but to evaluate other browsers on the market ;)

      Regards,

      Mario

    3. If you are running IE6, there are many more critical issues with the browser software that eclipse this particular vulnerability in JIRA; so if you are accepting the security exposure presented by the old IE, you probably do not worry about this vulnerability either.

  3. Anonymous

    What about the versions before 3.13.x? Are there also solutions available other than "upgrade to 4.x"?

  4. e3k

    Same case here. Is the only way to update to 4.x? We have only 3.13.x licensed...

    1. You can upgrade to any new version of JIRA as long as your license is current.

      http://www.atlassian.com/software/jira/licensing-changes-faq.jsp#10

      1. Anonymous

        But I don't want to upgrade to 4.x. Have you another solution???

        1. Anonymous

          I have the same question.  Can anyone at Atlassian provide an official response?  Thanks!

          1. Dear Anonymous,

            If you have evaluated how this vulnerability applies to your environment and arrived at the conclusion that fixing it in your instance is vital to your business, please contact customer support with the details.

            We will work on improving our policy if there is demand for change. It will help assessing the demand if requests come from identifiable customers that can be helped individually, and not from anonymous users.

      2. e3k

        Dear Vitaly,

        What do I do when my licence is not current? How do I fix this?

        E

        1. The recommended fix for an expired license is to renew the license.

          1. e3k

            Vitaly, I see you are avoiding a straight answer to my question. I don't need to fix my expired licence. I want to fix the bug which is the subject of this article.

            How do i fix this bug w/o upgrading?

            1. The straight answer is that what you want is not possible.

              If you feel that you require a patch for this, and only this vulnerability (and not all others present in your version - please have a look at the list of advisories on the left side of the page), please contact Atlassian support and ask for your query to be assigned to me; we will try to help you somehow. I am not part of the support team.

              Note that the advisory says -

              If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/

  5. Hi,

    We have several versions of Jira running from 3.9 to 3.13 (maintained) and we cannot upgrade it for the moment.

    Is there any action/configuration we can put in place to fix this problem? Maybe an Apache rule?

    Thanks in advance for your help

    Best regards

    Gael

  6. Anonymous

    Is a patch being planned for the 4.1.x version line?

  7. Anonymous

    Ditto.. We are not upgrading to 4.x from 3.13.3 until it has the ability to customize the dashboard.. Our training materials and customers would be too overwhelmed with the interface change.  Please provide a security fix for 3.x.. That branch hasn't been officially EOL'd, correct?  If you still support it then you should provide security patches as well.

    Redhat wouldn't say "Oh you are on RHEL4? You need to upgrade to RHEL5"

  8. Anonymous

    Atlassian really needs to come up with a better solution to patching flaws. Constantly upgrading to the latest version to fix security holes is a drag on our IT resources.