JIRA Security Advisory 2011-09-27

This advisory announces a number of security vulnerabilities that we have found in versions 4.2.x - 4.3.x of JIRA and fixed in version 4.4 of JIRA. You need to upgrade your existing JIRA installations to fix these vulnerabilities. Enterprise Hosted customers should request an upgrade by filing a ticket at http://support.atlassian.com, in the 'Enterprise Hosting Project'. JIRA Studio is not vulnerable to any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

In this advisory:

  • XSS Vulnerabilities in Labelling and Issue Linking
  • XSS Vulnerability in Administration Interface of JIRA Bamboo Plugin

XSS Vulnerabilities in Labelling and Issue Linking

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low. This vulnerability is not critical.

This is an independent assessment and you should evaluate its applicability to your own environment.

Risk Assessment

We have identified and fixed several cross-site scripting (XSS) vulnerabilities which may affect JIRA instances. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. The attacker needs to have a valid user account in order to exploit this vulnerability.

You can read more about XSS attacks at cgisecurity, the Web Application Security Consortium and other places on the web.

Vulnerability

Issue linking:

  • The way issue summaries were rendered when displaying issue links allows arbitrary JavaScript execution.
  • Versions of JIRA 4.2.x to 4.3.x prior to 4.4 are affected.

Labelling:

  • Certain issue labels could be created containing JavaScript, which then could be rendered on other pages.
  • Versions of JIRA 4.2.x to 4.3.x prior to 4.4 are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.

Fix

These vulnerabilities have been fixed in JIRA 4.4 and later versions.

For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.

If you cannot upgrade to the latest version of JIRA, you can temporarily patch your existing installation of JIRA 4.3.x or JIRA 4.2.x using the patches listed below. We strongly recommend upgrading and not patching.

Patches

If you are running JIRA 4.3.x, you can apply the following patch to fix these vulnerabilities.

Vulnerability          Patch                        Patch File Name             Instructions
Linking and Labelling  Attached to issue JRA-24773  JRA-24773-4.3.4-patch.zip   JRA-24773-4.3.4-patch-instructions.txt

If you are running JIRA 4.2.x, you can apply the following patch to fix these vulnerabilities.

Vulnerability          Patch                        Patch File Name             Instructions
Linking and Labelling  Attached to issue JRA-24773  JRA-24773-4.2.4-patch.zip   JRA-24773-4.2.4-patch-instructions.txt


XSS Vulnerability in Administration Interface of JIRA Bamboo Plugin

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low. This vulnerability is not critical.

This is an independent assessment and you should evaluate its applicability to your own environment.

Risk Assessment

We have identified and fixed a cross-site scripting (XSS) vulnerability which may affect JIRA instances. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. The attacker does not need a valid user account in order to exploit this vulnerability.

You can read more about XSS attacks at cgisecurity, the Web Application Security Consortium and other places on the web.

Vulnerability

JIRA administration interface (Bamboo plugin):

  • There is a non-persistent XSS vector in the JIRA administration interface related to managing JIRA Bamboo settings.
  • Versions of JIRA 4.3.x are affected.
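The three vectors in this advisory (issue-link summaries and labels in the first section, the Bamboo settings form in this one) share one root cause, user-controlled text interpolated into HTML without encoding, and one fix, encoding at the point of output. The following is an added example written for this page, not Atlassian's code and not JIRA's own rendering: it shows the vulnerable concatenation beside the hardened form for each vector, an allow-list check for labels (stored XSS) on top of output encoding, and a regression check that catches raw markup surviving into rendered output. The function names, the issue and label shapes, the label allow-list and the sample payloads are all assumptions constructed for illustration.

```javascript
// Added example, not Atlassian's or JIRA's code. Names, data shapes and the
// label pattern below are assumptions chosen to illustrate escape-on-output.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (issue linking): the summary is concatenated into markup
// unchanged, so any markup in the summary becomes part of the page.
function renderIssueLinkUnsafe(issue) {
  return `<a href="/browse/${issue.key}">${issue.key}: ${issue.summary}</a>`;
}

// Hardened pattern: each user-controlled field is encoded for the context it
// lands in (URL path segment inside an attribute, then HTML text).
function renderIssueLink(issue) {
  const key = escapeHtml(issue.key);
  const href = escapeHtml("/browse/" + encodeURIComponent(issue.key));
  return `<a href="${href}">${key}: ${escapeHtml(issue.summary)}</a>`;
}

// Labels (stored XSS): reject markup at creation time with a conservative
// allow-list (illustrative, not JIRA's actual label rules) AND still escape
// on output, since labels created before the check may already be stored.
const LABEL_PATTERN = /^[\p{L}\p{N}_.-]{1,255}$/u;

function isValidLabel(label) {
  return LABEL_PATTERN.test(label);
}

function renderLabels(labels) {
  return labels
    .map((label) => `<span class="lozenge">${escapeHtml(label)}</span>`)
    .join(" ");
}

// Admin form (non-persistent XSS): a request parameter echoed back into an
// input's value attribute must be attribute-encoded, never interpolated raw.
function renderBambooSettingsForm(params) {
  const url = escapeHtml(params.serverUrl || "");
  return `<form method="post"><input name="serverUrl" value="${url}"></form>`;
}

// Regression check for a template test suite: no untrusted input containing
// markup characters may appear verbatim in the rendered HTML.
function leaksRawMarkup(html, untrustedInputs) {
  return untrustedInputs.some((s) => /[<>"']/.test(s) && html.includes(s));
}

// Constructed sample data (not real issues, labels or settings).
const issue = { key: "TEST-1", summary: "Login page <script>alert(1)</script>" };
const badLabel = '"><img src=x onerror=alert(1)>';
const params = { serverUrl: '"><script>alert(1)</script>' };

console.log(renderIssueLinkUnsafe(issue)); // script element lands in the page
console.log(renderIssueLink(issue));       // same text, now inert
console.log(isValidLabel(badLabel));       // false: rejected at creation
console.log(renderLabels([badLabel, "security"]));
console.log(renderBambooSettingsForm(params));
console.log(leaksRawMarkup(renderIssueLinkUnsafe(issue), [issue.summary])); // true
console.log(leaksRawMarkup(renderIssueLink(issue), [issue.summary]));       // false
```

The design point is that validation on input (the label allow-list) is a useful second layer but not a substitute for encoding on output: the linking and labelling bugs were in how stored text was rendered, and data stored before a validation rule existed is still rendered afterwards.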

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.

Fix

This vulnerability has been fixed in JIRA 4.4 and later versions.

For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.

If you cannot upgrade to the latest version of JIRA, you can upgrade only the Bamboo Plugin in your existing installation of JIRA 4.3.x or JIRA 4.2.x using the plugin versions listed below. We strongly recommend upgrading the full JIRA instance instead of a single plugin.

Patches

If you are running JIRA 4.3.x, use the plugin manager to upgrade the Bamboo plugin to a version equal to or greater than that specified in the table below. Both Bamboo Plugin 4.2.x and 4.3.x support JIRA 4.3.x; see the compatibility matrix at Plugin Exchange.

Vulnerability       Plugin           Plugin version   Instructions
JIRA Bamboo Plugin  Plugin Exchange  4.2.1 or 4.3.3   Updating a JIRA plugin

If you are running JIRA 4.2.x, use the plugin manager to upgrade the Bamboo plugin to a version equal to or greater than that specified in the table below. The vulnerability is not exploitable in JIRA 4.2.x, but we recommend upgrading the plugin anyway.

Vulnerability       Plugin           Plugin version   Instructions
JIRA Bamboo Plugin  Plugin Exchange  4.1.5            Updating a JIRA plugin


Acknowledgement

Our thanks to Dave B, who reported one of the vulnerabilities in this advisory. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

Last modified on Oct 12, 2011
