JIRA Security Advisory 2013-02-21
This advisory discloses a critical severity security vulnerability that exists in all versions of JIRA up to and including 5.1.4.
- Customers who have downloaded and installed JIRA should upgrade their existing JIRA installations to fix this vulnerability. We also provide a patch that you will be able to apply to existing installations of JIRA to fix this vulnerability. However, we recommend that you upgrade your complete JIRA installation rather than applying the patch.
- Enterprise Hosted customers need to request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project.
- JIRA Studio customers will need to disable the SOAP API (see Risk Mitigation below for details).
- Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
File Overwrite Vulnerability
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have identified and fixed a vulnerability in JIRA's SOAP API that allows an attacker who has a valid JIRA account to overwrite any files that are writeable by the OS user JIRA runs under. This may result in the attacker being able to execute arbitrary Java code in the context of the JIRA server.
NOTE: This API is OFF by default, unless you have turned it on. To verify its state, check whether the "Accept remote API calls" setting is OFF. This page describes configuring JIRA options: https://confluence.atlassian.com/display/JIRA/Configuring+JIRA+Options#ConfiguringJIRAOptions-Options
All versions of JIRA up to and including 5.1.4 are affected by this vulnerability. The vulnerability is fixed in JIRA 5.1.5 and later. This issue can be tracked here: JRA-29786.
Risk Mitigation
If you're unable to upgrade or patch the instance: as a workaround, the remote API can be completely disabled by setting the Accept remote API calls value to OFF in the General Configuration (as in our Configuring JIRA Options documentation). However, this will disable all XML-RPC or SOAP calls and can consequently cause additional problems to other applications or scripts that rely upon the remote API.
Usage of SOAP has been deprecated as of JIRA 5.x, and it can be disabled without causing problems to JIRA. However, versions of JIRA prior to 4.x may experience problems, such as when integrating with other applications through AppLinks. REST calls will be unaffected.
If you want to continue using the SOAP API interface, you need to either upgrade your JIRA or apply the patches.
Fix
This section outlines the upgrades and/or patches for this vulnerability. The Security Patch Policy describes when and how we release security patches and security upgrades for our products.
Upgrade (recommended)
The vulnerability and its fix version are described in the 'Description' section above.
We recommend that you upgrade to the latest version of JIRA, if possible. For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.
If you cannot upgrade to the latest version of JIRA, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.
Patches (not recommended)
We recommend patching only when you can neither upgrade nor apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy), as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.
If for some reason you cannot upgrade to the latest version of JIRA, you need to do all of the steps described in the patch instructions to fix the vulnerability described in this security advisory.
Download the patch file for your version of JIRA. Note, the patches are only available for the point release indicated. If you are using an earlier point release for a major version, you must upgrade to the latest point release first. For example, if you have 5.0.6, then you need to upgrade to 5.0.7 before applying this patch.
JIRA Version | Patch | Patch File Name |
---|---|---|
5.0.7 | http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-29786-5.0.7.zip | patch-JRA-29786-5.0.7.zip |
5.1.4 | http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-29786-5.1.4.zip | patch-JRA-29786-5.1.4.zip |
Steps for applying the patches can be found inside the zip archive.
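As an added triage helper (not Atlassian's code), the following Python encodes this advisory's affected-version range and its patch prerequisites, so an administrator can classify a list of JIRA instances by the action the advisory prescribes. The version boundaries and patch file names are those stated above; the decision rules are a direct encoding of the advisory's text.

```python
# Added triage helper for JRA-29786 (not Atlassian's code): given a JIRA
# version string, report whether it is affected and which of the advisory's
# remediation paths applies. Values below are taken from the advisory.

FIXED_IN = (5, 1, 5)                    # first unaffected release (5.1.5 and later)
PATCHED_POINT_RELEASES = {              # patches exist only for these exact versions
    (5, 0, 7): "patch-JRA-29786-5.0.7.zip",
    (5, 1, 4): "patch-JRA-29786-5.1.4.zip",
}


def parse_version(text):
    """Turn '5.0.6' into (5, 0, 6); missing trailing components count as 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised JIRA version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version):
    """All versions up to and including 5.1.4 are affected."""
    return parse_version(version) < FIXED_IN


def remediation(version):
    """Return the advisory's recommended action for this version."""
    v = parse_version(version)
    if v >= FIXED_IN:
        return "not affected"
    if v in PATCHED_POINT_RELEASES:
        return f"apply {PATCHED_POINT_RELEASES[v]} or upgrade (upgrade preferred)"
    # An earlier point release of a patched line must first move to the
    # patched point release (e.g. 5.0.6 -> 5.0.7) before the patch applies.
    for patched in PATCHED_POINT_RELEASES:
        if v[:2] == patched[:2] and v < patched:
            target = ".".join(map(str, patched))
            return f"upgrade to {target} first, then patch, or upgrade to 5.1.5 or later"
    # Any other affected version has no patch: upgrade, and disable the
    # remote API ("Accept remote API calls" = OFF) until that is done.
    return "no patch available: upgrade to 5.1.5 or later; disable remote API meanwhile"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver in ("4.4.5", "5.0.6", "5.0.7", "5.1.4", "5.1.5", "6.0"):
        print(f"{ver:>6}: {remediation(ver)}")
```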