
This advisory details critical security vulnerabilities that we have found in JIRA and fixed in recent versions of JIRA.

  • Customers who have downloaded and installed JIRA should upgrade their existing JIRA installations or apply the patches to fix these vulnerabilities.  
  • Atlassian OnDemand customers have been upgraded with the fixes for the issues described in this advisory.

These vulnerabilities affect all versions of JIRA up to and including 6.1.3.

Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.

Issue 1: Path traversal in JIRA Issue Collector plugin (Windows only)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in JIRA which allowed unauthenticated users to create files in any valid directory inside a JIRA install. In order to exploit this vulnerability, an attacker requires access to your JIRA web interface.

This issue only affects JIRA servers running on Windows OS. It is not exploitable on Linux and OSX systems.

The vulnerability affects all supported versions of JIRA up to and including 6.0.3. It has been fixed in 6.0.4. The issue is tracked in JRA-36442 (Path traversal in JIRA Issue Collector plugin (Windows only); status: Resolved).

Our thanks to Philippe Arteau of Groupe Technologies Desjardins who reported this vulnerability.

Risk Mitigation

If you are unable to upgrade or patch your JIRA server, you can disable the JIRA Issue Collector plugin via the JIRA administration interface.

In case you require the plugin, do the following as a temporary workaround:

  • Block access to your JIRA server web interface from untrusted networks, such as the Internet.

Fix

This vulnerability can be fixed by upgrading JIRA. Alternatively, you can upgrade only the vulnerable plugin.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Upgrading JIRA

Upgrade to JIRA 6.0.4 or a later version, which fixes this vulnerability. For a full description of these releases, see the JIRA Release Notes. You can download these versions of JIRA from the download centre.

If you cannot upgrade JIRA at the moment, you can upgrade only the Issue Collector plugin. See Managing JIRA's Plugins for instructions on how to upgrade a plugin. In general, you should upgrade this plugin to the latest available version compatible with your version of JIRA.

Issue 2: Path traversal in JIRA Importers plugin (Windows only)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in JIRA which allowed unauthenticated users to create files in any valid directory inside a JIRA install. In order to exploit this vulnerability, an attacker requires access to your JIRA web interface.

This issue only affects JIRA servers running on Windows OS. It is not exploitable on Linux and OSX systems.

The vulnerability affects all supported versions of JIRA up to and including 6.0.4. It has been fixed in 6.0.5. The issue is tracked in JRA-36441 (Path traversal in JIRA Importers plugin (Windows only); status: Resolved).
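Neither description says what the defect in the two plugins actually was, so the following is an added illustration rather than Atlassian's code or an account of the real bug. It shows the mechanism that most often makes a file-creating path traversal exploitable only on Windows: the backslash is a path separator there but an ordinary filename character on Linux and OS X, so a filter that only looks for "../" is bypassed by "..\". The check is written with Python's ntpath and posixpath modules so both platforms' semantics can be compared on any host; the base directories, the sample filenames and the naive filter are constructed for the example.

```python
import ntpath
import posixpath

# Constructed sample filenames of the kind a file-creating endpoint might receive.
SAMPLES = [
    "report.txt",
    "../../WEB-INF/web.xml",
    "..\\..\\WEB-INF\\web.xml",
    "sub/..\\..\\evil.jsp",
]

# Constructed base directories for each platform (not real JIRA paths).
WIN_BASE = "C:\\jira\\data\\attachments"
POSIX_BASE = "/opt/jira/data/attachments"


def naive_filter(name):
    """A filter that only knows about forward slashes (hypothetical; not JIRA's
    code). It accepts every backslash variant, which is harmless on POSIX but
    traverses on Windows."""
    return "../" not in name and not name.startswith("/")


def escapes_base(pathmod, base, name):
    """Join `name` under `base` using the given platform's path rules (ntpath or
    posixpath) and report whether the normalised result lies outside `base`.
    Both modules are pure string functions, so Windows behaviour can be checked
    on a Linux host."""
    base_n = pathmod.normpath(base)
    target = pathmod.normpath(pathmod.join(base, name))
    return not (target == base_n or target.startswith(base_n + pathmod.sep))


def safe_filename(name):
    """Hardened check: accept only a bare file name. Rejects separators of both
    platforms, NUL, drive prefixes (C:foo) and the dot components, regardless
    of which OS the server runs on."""
    if not name or name in (".", ".."):
        return False
    if any(ch in name for ch in "/\\\x00"):
        return False
    if ntpath.splitdrive(name)[0]:
        return False
    return True


def evaluate(name):
    """Run every check on one filename and return the results as a dict."""
    return {
        "passes_naive_filter": naive_filter(name),
        "escapes_on_posix": escapes_base(posixpath, POSIX_BASE, name),
        "escapes_on_windows": escapes_base(ntpath, WIN_BASE, name),
        "passes_hardened": safe_filename(name),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), evaluate(sample))
```

The third sample passes the naive filter and stays inside the base directory under POSIX rules, yet resolves to C:\jira\WEB-INF\web.xml under Windows rules, which is exactly the "Windows only" shape of Issues 1 and 2. The hardened check never consults the host's separator, so it gives the same verdict wherever the server runs.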

Risk Mitigation

If you are unable to upgrade or patch your JIRA server you can disable the JIRA Importers plugin via the JIRA administration interface.

In case you require the plugin, do the following as a temporary workaround:

  • Block access to your JIRA server web interface from untrusted networks, such as the Internet.

Fix

This vulnerability can be fixed by upgrading JIRA. Alternatively, you can upgrade only the vulnerable plugin.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Upgrading JIRA

Upgrade to JIRA 6.0.5 or a later version, which fixes this vulnerability (6.0.4 is still affected). For a full description of these releases, see the JIRA Release Notes. You can download these versions of JIRA from the download centre.

If you cannot upgrade JIRA at the moment, you can upgrade only the JIRA Importers plugin. See Managing JIRA's Plugins for instructions on how to upgrade a plugin. In general, you should upgrade this plugin to the latest available version compatible with your version of JIRA.

Issue 3: Privilege escalation

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in JIRA which allowed unauthenticated attackers to perform actions on behalf of any other authorised user. In order to exploit this vulnerability, an attacker requires access to your JIRA web interface.

The vulnerability affects all supported versions of JIRA up to and including 6.1.3. It has been fixed in 6.1.4. The issue is tracked in JRA-35797 (Privilege escalation; status: Closed).

Risk Mitigation

If you are unable to upgrade or patch your JIRA server you can do the following as a temporary workaround:

  • Block access to your JIRA server web interface from untrusted networks, such as the Internet.
  • Turn on Secure Administrator Sessions. This prevents privilege escalation to administrative accounts; non-privileged accounts will still be vulnerable.

Fix

This vulnerability can be fixed by upgrading JIRA. There is also a patch available for this vulnerability for the following supported versions of JIRA. If you have any questions, please raise a support request at http://support.atlassian.com. We recommend upgrading.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products.  

Upgrading JIRA

Upgrade to JIRA 6.1.4 or a later version, which fixes this vulnerability. For a full description of these releases, see the JIRA Release Notes. You can download these versions of JIRA from the download centre.

Patches

We recommend patching only when you cannot upgrade or cannot apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy) as an interim solution until you can upgrade. You should not continually patch your system instead of upgrading. Our patches are often non-cumulative: we do not recommend that you apply multiple patches from different advisories on top of each other, and we strongly recommend upgrading to the most recent version regularly.

If for some reason you cannot upgrade to the latest version of JIRA, you must upgrade to the last minor version of the release. For example, if you have JIRA 5.1.1, you will have to upgrade to 5.1.8 and then apply the patch provided below to fix the vulnerability described in this advisory.

Download the patch package:

Patches are provided for the last minor version of each major release. If you don't have the exact JIRA version installed, you will need to upgrade to the last minor version of the release in order to apply the patch (this means if you have JIRA 5.1.1, you will have to upgrade to 5.1.8 in order to be able to apply the patch).

Version      Patch Package                                    md5
JIRA 4.4.5   patch-JRA-35797-4.4.5-20140303.zip               47990989c958b4b7c51785075b84e12f
JIRA 5.0.7   patch-JRA-35797-5.0.7-20140303.zip               1f940b97ba8bc127f306eecdad44bc55
JIRA 5.1.8   patch-JRA-35797-5.1.8.zip                        d7db72b3656dc952604a7f7a6fea380b
JIRA 5.2.11  patch-JRA-35797-5.2.11-20140303.zip              3a7fe0b8a35b295ffdf93102955f7d86
JIRA 6.0.8   patch-JRA-35797-6.0.8.zip                        1550f9e7784aad41f69c07efe634966f
JIRA 6.1.x   (no patch; upgrade directly to 6.1.4 or above)   n/a

WINDOWS USERS: Do not use the built-in Windows ZIP extractor to apply this patch!

By default it replaces all the files in a directory instead of merging the files in. If this happens, JIRA will not be able to work correctly. Use another zip tool such as WinZip or 7-Zip. Alternatively, extract the files into a different directory and copy them to <jira_install>/atlassian-jira/WEB-INF/lib manually.

Instructions for specific versions of JIRA are available in a file JRA-35797-x.x.x-patch-instructions.txt located inside the corresponding ZIP file.

For reference, instructions for JIRA 6.0.8 are below (please be sure to follow the instructions in the patch zip you have downloaded as each version has slightly different instructions): 

Before applying the patch file, make a copy of your JIRA web application directory in case things go wrong. This will allow you to more easily back out any changes.

If you are using the Standalone distribution of JIRA:

  1. Download the file patch-JRA-35797/patches/JRA-35797-6.0.8-patch.zip
  2. In the <jira_install>/atlassian-jira/WEB-INF/lib directory delete the following files:
    • atlassian-gadgets-api-3.2.0-m26.jar
    • atlassian-gadgets-spi-3.2.0-m26.jar
    • atlassian-trusted-apps-core-2.5.2.jar
    • atlassian-trusted-apps-seraph-integration-2.5.2.jar
    • sal-api-2.10.2.jar
    • sal-spi-2.10.2.jar
  3. Expand the zip file into <jira_install>/atlassian-jira/, overwriting the files there
  4. Restart JIRA

If you are using the WAR distribution of JIRA:

  1. Download the file patch-JRA-35797/patches/JRA-35797-6.0.8-patch.zip
  2. In the <jira_install>/webapp/WEB-INF/lib directory delete the following files:
    • atlassian-gadgets-api-3.2.0-m26.jar
    • atlassian-gadgets-spi-3.2.0-m26.jar
    • atlassian-trusted-apps-core-2.5.2.jar
    • atlassian-trusted-apps-seraph-integration-2.5.2.jar
    • sal-api-2.10.2.jar
    • sal-spi-2.10.2.jar
  3. Expand the zip file into <jira_install>/webapp, overwriting the files there
  4. Run 'build.sh clean' on unix or 'build.bat clean' on windows
  5. Run 'build.sh' on unix or 'build.bat' on windows
  6. Redeploy the JIRA web app into your application server
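Several comments below ask how to tell whether the patch was applied correctly. The script that follows is an added example, not Atlassian's tooling, and automates three checks that follow directly from the instructions above: the downloaded zip matches the md5 published in the table, none of the jars listed in step 2 is still present in WEB-INF/lib, and every file in the zip now exists under the directory it was expanded into. It also confirms that an unrelated jar survived the expansion, which is what goes wrong when the directory is replaced rather than merged, as the Windows ZIP warning describes. The demo builds a throwaway install layout and a constructed patch zip with hypothetical jar names; the real archive contents and md5 values are the ones in the table, and the 6.0.8 jar list is copied from step 2.

```python
import hashlib
import os
import shutil
import tempfile
import zipfile

# The six files the 6.0.8 instructions say to delete from
# <jira_install>/atlassian-jira/WEB-INF/lib before expanding the patch.
REMOVED_JARS_6_0_8 = [
    "atlassian-gadgets-api-3.2.0-m26.jar",
    "atlassian-gadgets-spi-3.2.0-m26.jar",
    "atlassian-trusted-apps-core-2.5.2.jar",
    "atlassian-trusted-apps-seraph-integration-2.5.2.jar",
    "sal-api-2.10.2.jar",
    "sal-spi-2.10.2.jar",
]


def md5_of_file(path):
    """Hex md5 of a file, read in chunks so a large patch zip need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_patch_zip(zip_path, expected_md5):
    """True if the downloaded patch matches the md5 published in the advisory table."""
    return md5_of_file(zip_path) == expected_md5.strip().lower()


def stale_jars(lib_dir, removed_jars=REMOVED_JARS_6_0_8):
    """Jars from the delete list that are still in WEB-INF/lib (step 2 not done)."""
    present = set(os.listdir(lib_dir))
    return sorted(j for j in removed_jars if j in present)


def missing_patch_files(expand_dir, zip_path):
    """Zip members that do not exist under the expansion directory (step 3 not
    done, or the archive was expanded somewhere else). Independent of the
    archive's internal layout."""
    missing = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not os.path.isfile(os.path.join(expand_dir, *info.filename.split("/"))):
                missing.append(info.filename)
    return sorted(missing)


def demo():
    """Build a constructed install layout and a constructed patch zip (hypothetical
    jar names, not the real patch contents), run the checks before and after
    applying the patch the way the instructions describe, and return both results."""
    root = tempfile.mkdtemp()
    try:
        webapp = os.path.join(root, "atlassian-jira")
        lib = os.path.join(webapp, "WEB-INF", "lib")
        os.makedirs(lib)
        for jar in ["sal-api-2.10.2.jar", "sal-spi-2.10.2.jar", "unrelated-1.0.jar"]:
            with open(os.path.join(lib, jar), "wb") as fh:
                fh.write(b"old")
        zip_path = os.path.join(root, "patch-JRA-35797-6.0.8.zip")
        with zipfile.ZipFile(zip_path, "w") as zf:
            zf.writestr("WEB-INF/lib/sal-api-hypothetical.jar", b"new")
            zf.writestr("WEB-INF/lib/sal-spi-hypothetical.jar", b"new")
        published_md5 = md5_of_file(zip_path)  # stands in for the table value

        before = {
            "zip_ok": verify_patch_zip(zip_path, published_md5),
            "stale": stale_jars(lib),
            "missing": missing_patch_files(webapp, zip_path),
        }
        # Step 2: delete the listed jars. Step 3: merge the zip into the webapp dir.
        for jar in stale_jars(lib):
            os.remove(os.path.join(lib, jar))
        with zipfile.ZipFile(zip_path) as zf:
            zf.extractall(webapp)
        after = {
            "zip_ok": verify_patch_zip(zip_path, "0" * 32),  # wrong md5 must fail
            "stale": stale_jars(lib),
            "missing": missing_patch_files(webapp, zip_path),
            "untouched": os.path.isfile(os.path.join(lib, "unrelated-1.0.jar")),
        }
        return {"before": before, "after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real install point stale_jars at <jira_install>/atlassian-jira/WEB-INF/lib (or <jira_install>/webapp/WEB-INF/lib for the WAR distribution) and missing_patch_files at the directory you expanded the zip into. The md5 is an integrity check against a corrupted download only; it says nothing about who produced the file, so obtain the zip from the download link on this page rather than from a copy passed around.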

39 Comments

  1. I assume I should use the 5.0.7 patch if I'm running 5.1.3?

  2. If you are running 5.1.3 I would assume you want to take the next level up to 5.1.8, not go back. Good question though. Looking forward to the answer.

    1. I would assume that as well. I have a 5.2.4 instance to patch so I need to decide whether to upgrade it to 5.2.11 or to check for changes in the patched files between 5.2.4 and 5.2.11 and test using the patch in a staging instance. Likely the latter.

      1. So I just compared the list of changed files in the 5.2.11 patch as they are originally in 5.2.4 and 5.2.11. The jar files are the same which gives me some confidence that the patch for 5.2.11 might work for 5.2.4. Now there's just the 75M bundled plugins zip :-/

        1. Patches for the last minor version of all supported major versions are available. That means if you are not running the latest minor release of a major version, you will need to upgrade.

          Example: If the version of JIRA is 5.2.4, please upgrade to 5.2.11 before applying the patch.

          1. Upgrading is a lot more work than applying a patch. In many enterprise environments upgrades happen once per year.

            BTW, applying the 5.2.11 patch to a 5.2.4 system seemed to work fine in a staging instance just now. I presume the problem is that it hasn't been tested by Atlassian?

  3. Several of the links on this page such as release notes and download centre point to pages for the Bamboo product, not JIRA.

    1. Hi Mike and Maxfield,

      Thanks for your comments, I've fixed the links. I've also referred your question regarding patches to our security team.

      Kind regards,
      Andrew 

  4. A mapping of instance versions to patches might save some time

    6.0.3 -> patch 6.0.8 ?

  5. We have a few instances of JIRA running on 5.2.8. Can we use the 5.2.11 patch, or do we need to upgrade the installed versions beforehand?

    1. I was wondering (almost) the same. We're running version 5.2.9, can we apply the 5.2.11 patch directly or should we upgrade first?

      1. You'll need to upgrade your instance to 5.2.11 in order to apply the patch.

  6. Anonymous

    In relation to Issue 1 (Fix) - to upgrade the Issue Collector Plugin, what would need to be done (is this UPM upgrade?), also which version number should it reflect after upgrade.

    In relation to Issue 3 - if we are running version 6.0 JIRA, which patch do we apply?

  7. How to know if the patch was correctly applied?

    1. Look at the files that are listed in the patch and check they are the ones in the specified locations in JIRA I would think

  8. We have a few instances of JIRA running on 5.2, which patch we will use?

  9. Anonymous

    Is there a patch for JIRA 6.1.X or can this be fixed by just copying atlassian-bundled-plugins.zip and the affected jar-files from version 6.1.4 to the older 6.1.X?

  10. Regarding the second issue, the page mentions that

    The vulnerability affects all supported versions of JIRA up to and including 6.0.4. It has been fixed in 6.0.5.

    and as a fix:

    Upgrade to JIRA 6.0.4 or a later version, which fixes this vulnerability.

    Shouldn't the upgrade be to version 6.0.5 if it still affects 6.0.4?

  11. Using the 6.0.8 patch for a 6.0.1 JIRA instance makes searching fail. We found that out the hard way!

    1. The search works in 6.0.3 with the 6.0.8 patch but what else is failing silently I wonder.

      Sadly, an upgrade it is.

  12. Anonymous

    Hi

    I'm running on JIRA version 3.9, is there any patch for this version?

  13. Okay, so yesterday on this page there was a patch listed for JIRA 5.1.3. Today it is gone, and now says I must upgrade to 5.1.8 to use the 5.1.8 patch. The 5.1.3 patch from yesterday broke mentions.

    1. No, there was a comment from someone at Atlassian that said that 5.1.8 patch would work with 5.1.3. That's been replaced now with a note saying that that is not the case. 5.2.x patch seemed to work for 5.2.4 for me but needs more testing. 6.0.8 definitely breaks searching for 6.0.1

  14. Hi,

    We have a few instances of JIRA running on 5.2, can we use the patch 5.2.11 or should we upgrade to 5.2.11 before?

  15. Anonymous

    Hi,

    the link for patch-JRA-35797-4.4.5.zip seems to be broken. Could you please fix it asap?

    Thank you (smile)

  16. Anonymous

    Will the 6.0.8 patch work for version 6.1?

    1. "Upgrade to JIRA 6.1.4 or a later version, which fixes this vulnerability. " is written above, so I doubt it

  17. Anonymous

    Given that I just finished patching my 4.4.5 installation last night, this morning's announcement that the patch was messed up is frustrating.  It seems like all I have to do is replace the atlassian-bundled-plugins.zip file, correct?

    Can I just disable the "test plugin" which is at fault?

    1. Anonymous

      The plugins that were removed in the newer version of the patch are:

      • Atlassian Docco (com.atlassian.atl-docco)
      • aui-qunit-plugin (com.atlassian.aui.aui-qunit-plugin)
      • Functional Test Plugin (com.atlassian.functest.functest-plugin)
      • DevMode - Func Test Plugin (com.atlassian.jira.dev.func-test-plugin)
      • English (Antarctica) Language Pack (com.atlassian.jira.jira-languages.en_AQ)
      • JIRA TestKit Plugin (com.atlassian.jira.tests.jira-testkit-plugin)
      • ${project.name} (com.atlassian.pdkinstall)
      • Platform Compatibility Testing Kit Plugin (com.atlassian.refapp.ctk)

      You will probably need to disable all of those.

       

      1. Anonymous

        I only see these five:

        X    aui-qunit-plugin (com.atlassian.aui.aui-qunit-plugin)
        X    Functional Test Plugin (com.atlassian.functest.functest-plugin)
        X    DevMode - Func Test Plugin (com.atlassian.jira.dev.func-test-plugin)
        X    ${project.name} (com.atlassian.pdkinstall)
        X    Platform Compatibility Testing Kit Plugin (com.atlassian.refapp.ctk)

        Are you looking at a different version from 4.4.5?

        I would also like to hear from Atlassian, since they give dire warnings against disabling any system plugins.

        1. Anonymous

          Yes, sorry, I was comparing the 5.2.11 patches in my list above.

  18. Is there a method that we can use to see if we are vulnerable? I've already applied the patch I just want to see if it has truly been applied. Will the build revision number change?

    1. In the JIRA startup logs you see a list of loaded plugins. You can verify these plugins version numbers against the ones provided in the archive (they are different from the vulnerable ones).

  19. We are using 6.1 build 6144 with Administrator Access enabled and no Internet access. Do I need to upgrade at this time?

    1. "Upgrade to JIRA 6.1.4 or a later version, which fixes this vulnerability. " is written above, so I'd assume yes

  20. Hello,

    We are using version 4.4.3, do I need to patch this? And we are planning to upgrade by next couple months. Can someone please suggest on this?

    Thanks,

    Jana

    1. There is a patch for 4.4.5 listed so I would assume you need to patch. You're supposed to upgrade to 4.4.5 to do that though.

  21. The suggested workaround to disable the JIM plugin unfortunately has the side-effect for us that we get an error at startup and the welcome hint plugin fails to start. (JIRA 5.2.11). Since we are planning to upgrade JIRA soon this is merely a note for others in case they are running into the same issue.