
This advisory announces a number of security vulnerabilities that we have found in versions 4.2.x - 4.3.x of JIRA and fixed in version 4.4 of JIRA. You need to upgrade your existing JIRA installations to fix these vulnerabilities. Enterprise Hosted customers should request an upgrade by filing a ticket at http://support.atlassian.com, in the 'Enterprise Hosting Project'. JIRA Studio is not vulnerable to any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

In this advisory:

  • XSS Vulnerabilities in Labelling and Issue Linking
  • XSS Vulnerability in Administration Interface of JIRA Bamboo Plugin

XSS Vulnerabilities in Labelling and Issue Linking

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low. This vulnerability is not critical.

This is an independent assessment and you should evaluate its applicability to your own environment.

Risk Assessment

We have identified and fixed several cross-site scripting (XSS) vulnerabilities which may affect JIRA instances. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. The attacker needs to have a valid user account in order to exploit this vulnerability.

You can read more about XSS attacks at cgisecurity, the Web Application Security Consortium and other places on the web.

Vulnerability

Issue linking:

  • The way issue summaries were rendered when displaying issue links allows arbitrary JavaScript execution.
  • Versions of JIRA 4.2.x to 4.3.x prior to 4.4 are affected.

Labelling:

  • Certain issue labels could be created containing JavaScript, which then could be rendered on other pages.
  • Versions of JIRA 4.2.x to 4.3.x prior to 4.4 are affected.
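Both issues above are the same defect class: a user-controlled string (an issue summary shown in a link, or a label) reaches the HTML output without being escaped for its context. The following is an added example, not JIRA's own code; the label policy (letters, digits, '.', '_' and '-') is an assumption used for illustration only, and the sample summary is constructed. It shows the unescaped rendering shape beside the hardened one, plus a small check that a regression test can use to confirm no raw markup from untrusted input survives rendering.

```javascript
// Added example (not JIRA code): contextual HTML escaping for user-controlled
// issue summaries and labels before they are placed in a page.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 'Before' shape of the bug class: the summary is concatenated into markup verbatim,
// so anything that looks like HTML in the summary is interpreted by the browser.
function renderIssueLinkUnsafe(key, summary) {
  return `<a href="/browse/${key}">${key}: ${summary}</a>`;
}

// Hardened: every untrusted value is escaped for the HTML context it lands in
// (both the attribute value and the element text).
function renderIssueLinkSafe(key, summary) {
  const safeKey = escapeHtml(key);
  return `<a href="/browse/${safeKey}">${safeKey}: ${escapeHtml(summary)}</a>`;
}

// Assumed label policy (not JIRA's real rule): letters, digits, '.', '_' and '-',
// 1 to 255 characters. Labels failing the policy are rejected, not "cleaned".
const LABEL_RE = /^[A-Za-z0-9._-]{1,255}$/;
function isValidLabel(label) {
  return LABEL_RE.test(label);
}

// Labels are validated on input AND escaped on output (defence in depth).
function renderLabels(labels) {
  return labels
    .filter(isValidLabel)
    .map((l) => `<span class="label">${escapeHtml(l)}</span>`)
    .join(' ');
}

// Regression-test helper: true if any untrusted string that contains markup
// characters appears verbatim (unescaped) in the rendered HTML.
function containsRawMarkup(html, untrustedValues) {
  return untrustedValues.some((s) => /[<>"'&]/.test(s) && html.includes(s));
}

// Constructed sample input, standing in for a summary entered by a logged-in user.
const SAMPLE_SUMMARY = 'Login fails <script>/*constructed*/</script> on submit';
```

Run `containsRawMarkup` over the output of both renderers with `SAMPLE_SUMMARY`: the unescaped renderer reports the raw markup, the hardened one does not.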

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.

Fix

These vulnerabilities have been fixed in JIRA 4.4 and later versions.

For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.

If you cannot upgrade to the latest version of JIRA, you can temporarily patch your existing installation of JIRA 4.3.x or JIRA 4.2.x using the patches listed below. We strongly recommend upgrading and not patching.

Patches

If you are running JIRA 4.3.x, you can apply the following patch to fix these vulnerabilities.

Vulnerability: Linking and Labelling
Patch: Attached to issue JRA-24773
Patch File Name: JRA-24773-4.3.4-patch.zip
Instructions: JRA-24773-4.3.4-patch-instructions.txt

If you are running JIRA 4.2.x, you can apply the following patch to fix these vulnerabilities.

Vulnerability: Linking and Labelling
Patch: Attached to issue JRA-24773
Patch File Name: JRA-24773-4.2.4-patch.zip
Instructions: JRA-24773-4.2.4-patch-instructions.txt


XSS Vulnerability in Administration Interface of JIRA Bamboo Plugin

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low. This vulnerability is not critical.

This is an independent assessment and you should evaluate its applicability to your own environment.

Risk Assessment

We have identified and fixed a cross-site scripting (XSS) vulnerability which may affect JIRA instances. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. The attacker does not need a valid user account in order to exploit this vulnerability.

You can read more about XSS attacks at cgisecurity, the Web Application Security Consortium and other places on the web.

Vulnerability

JIRA administration interface (Bamboo plugin):

  • There is a non-persistent XSS vector in the JIRA administration interface related to managing JIRA Bamboo settings.
  • Versions of JIRA 4.3.x are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.

Fix

This vulnerability has been fixed in JIRA 4.4 and later versions.

For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.

If you cannot upgrade to the latest version of JIRA, you can upgrade only the Bamboo Plugin in your existing installation of JIRA 4.3.x or JIRA 4.2.x using the patches listed below. We strongly recommend upgrading the full JIRA instance instead of a single plugin.

Patches

If you are running JIRA 4.3.x, use the plugin manager to upgrade the Bamboo plugin to a version equal to or greater than that specified below. Both Bamboo Plugin 4.2.x and 4.3.x support JIRA 4.3.x; see the compatibility matrix at Plugin Exchange.

Vulnerability: JIRA Bamboo Plugin
Plugin: Plugin Exchange
Plugin version: 4.2.1 or 4.3.3
Instructions: Updating a JIRA plugin

If you are running JIRA 4.2.x, use the plugin manager to upgrade the Bamboo plugin to a version equal to or greater than that specified below. The vulnerability is not exploitable in JIRA 4.2.x, but we recommend upgrading the plugin anyway.

Vulnerability: JIRA Bamboo Plugin
Plugin: Plugin Exchange
Plugin version: 4.1.5
Instructions: Updating a JIRA plugin


Acknowledgement

Our thanks to Dave B, who reported one of the vulnerabilities in this advisory. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

17 Comments

  1. Does this really only affect 4.1.x - 4.3.x? JRA-24773 states that ALL versions prior to 4.4 are affected. We're on 4.0.2 - are we affected too?

    1. The advisory is correct, only 4.1.x-4.3.x are affected. Apologies for the "none" affected versions in the JRA issue, fixed now.

  2. Anonymous

    We're on 3.13.1-#333 - are we affected too?

  3. Anonymous

    What about 4.0.1?

    Thank you.

  4. Anonymous

    Is version 3.5 affected too?

  5. Anonymous

    I use JIRA version 4.1.2; to upgrade to JIRA version 4.4, what should I do?

    Please advise.

    thanks

    Indra

    1. Hi Indra,

      The top of the Upgrading JIRA guide explains what upgrade process you need to follow to upgrade to JIRA 4.4.

      If you're using the Standalone distribution of JIRA 4.1.2 (and you're not changing the database, operating system or the location of JIRA's index/attachment paths) then you should follow the Upgrading JIRA Manually guide.

      Hope this information helps.

      Cheers,

      Giles.

      1. Anonymous

        We are using a highly customized version of JIRA. It took us a couple of months of development time to upgrade to JIRA 4.1.2. Not everyone on JIRA 4.1.x can just upgrade to the latest version.

        1. After further verification with the development team, 4.1 is not vulnerable to these issues. We apologise.

  6. Anonymous

    Hi

    We are using 4.2.4-b591 standalone distribution. Please provide steps for upgrade.

    Thanks,

    Rashmi

  7. The Bamboo plugin page needs to be updated.

    Even though version 4.2 of the plugin is bundled with Jira 4.3, and seems to require Bamboo 3.1, the updated 4.2.3 plugin requires Bamboo 3.2.

    We'd have to upgrade to Bamboo 3.2 just so we can use the secure version of the plugin.

    Is it possible for Atlassian to release a secure version of the plugin that doesn't require an upgrade to 3.2?

    1. 4.2.x plugin series should work with Bamboo 3.1, I think it's just an error in the compatibility table. Bamboo 3.1 is supported with security fixes, so we are obliged to provide a working version if you find any problems. I'll update the docs.

      The requirement for Bamboo 3.2 was introduced when release management capabilities were introduced - but that's 4.3.x plugin series.

  8. Anonymous

    The file JRA-24773-4.3.4-patch-instructions.txt describes that the patch contains 3 Files. The file JRA-24773-4.3.4-patch.zip includes 5 files. Is this correct?

    I also have a different MD5 checksum (49a358e66619cfc6f501b007bcfa403e).
    Is the md5-Checksum in the file 'JRA-24773-4.3.4-patch.md5' correct?

    1. Anonymous

      Could someone from Atlassian give a hint on these questions? It is bad style having bad MD5s for the patch and having different numbers of files in the patch and in the patch instructions!

    2. Apologies, the JRA issue has been fixed, please check JRA-24773 again.

    1. There have been a number of vulnerabilities disclosed since that version, please check the advisories in the left tab. We highly recommend upgrading.