Jira Server Security Advisory 29th June 2022

Update: This advisory has been updated since its original publication.

Specific updates include:

  • 10 AM PDT (Pacific Time, UTC-7)
    Updated the Mitigation section to reference 3.2.15 as a widely compatible, fixed app version

Summary

CVE-2022-26135 - Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server

Advisory Release Date

10:00 AM PDT (Pacific Time, UTC-7)

Product

Jira:

  • Jira Core Server
  • Jira Software Server
  • Jira Software Data Center

Jira Service Management (JSM):

  • Jira Service Management Server
  • Jira Service Management Data Center

Affected Versions

Jira Core Server, Jira Software Server, and Jira Software Data Center:

  • Versions after 8.0 and before 8.13.22
  • 8.14.x
  • 8.15.x
  • 8.16.x
  • 8.17.x
  • 8.18.x
  • 8.19.x
  • 8.20.x before 8.20.10
  • 8.21.x
  • 8.22.x before 8.22.4

Jira Service Management Server and Data Center:

  • Versions after 4.0 and before 4.13.22
  • 4.14.x
  • 4.15.x
  • 4.16.x
  • 4.17.x
  • 4.18.x
  • 4.19.x
  • 4.20.x before 4.20.10
  • 4.21.x
  • 4.22.x before 4.22.4

Jira Cloud and Jira Service Management Cloud are not affected.

Fixed Versions

Jira Core Server, Jira Software Server, and Jira Software Data Center:

  • 8.13.x >= 8.13.22
  • 8.20.x >= 8.20.10
  • 8.22.x >= 8.22.4
  • 9.0.0

Jira Service Management Server and Data Center:

  • 4.13.x >= 4.13.22
  • 4.20.x >= 4.20.10
  • 4.22.x >= 4.22.4
  • 5.0.0

CVE ID(s)

CVE-2022-26135

Summary of Vulnerability

This advisory discloses a high severity security vulnerability.

Jira Server and Data Center versions before 8.13.22, from version 8.14.0 before 8.20.10, and from version 8.21.0 before 8.22.4 are affected by this vulnerability.

Jira Service Management Server and Data Center versions before 4.13.22, from version 4.14.0 before 4.20.10, and from version 4.21.0 before 4.22.4 are affected by this vulnerability.

Atlassian Cloud sites are not affected.

If your Jira site is accessed via an atlassian.net domain, you are not affected by the vulnerability.

Customers who have upgraded to version 8.13.22, 8.20.10, 8.22.4, or 9.0.0 of Jira Server or Data Center are not affected.

Customers who have upgraded to version 4.13.22, 4.20.10, 4.22.4, or 5.0.0 of Jira Service Management Server or Data Center are not affected.

Customers who have downloaded and installed any versions listed in affected versions must upgrade their installations to fix this vulnerability.

Please upgrade your installations immediately.

CVE-2022-26135 Full Read SSRF in Jira Server

Description

A full-read server-side request forgery (SSRF) exists in Mobile Plugin for Jira, which is bundled with Jira and Jira Service Management. It is exploitable by any authenticated user, including a user who created an account through the sign-up feature. It specifically affects the batch HTTP endpoint used in Mobile Plugin for Jira: the method parameter in the body of a request to that endpoint controls both the HTTP method and the target URL of the request the server then makes, and the response is returned to the requester, so an attacker can read whatever the server fetched.

All versions of Jira and Jira Service Management prior to the fixed versions listed above are affected by this vulnerability. These issues can be tracked here:

This does not affect the other System app named Jira Mobile.

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, medium, or low.

Depending on the environment the Jira instance is deployed in, the impact of this bug varies. For example, when deployed in AWS, a full-read SSRF from the Jira host can reach the EC2 instance metadata service and return the temporary credentials of the instance's IAM role, so the bug could leak sensitive credentials. Requiring IMDSv2 on such instances reduces that exposure, since IMDSv2 needs a session token obtained with a custom request header that a forged request usually cannot supply.

This is our assessment and you should evaluate its applicability to your own IT environment.

Acknowledgements

We would like to acknowledge Shubham Shah and Dylan Pindur of Assetnote for finding this vulnerability.

Fix

To address this issue, we have released:

  • Jira Core Server, Jira Software Server, and Jira Software Data Center versions:
    • 8.13.22
    • 8.20.10
    • 8.22.4 
    • 9.0.0
  • Jira Service Management Server and Data Center versions:
    • 4.13.22
    • 4.20.10
    • 4.22.4 
    • 5.0.0

You can download the latest versions from the download pages for Jira Core, Jira Software, or Jira Service Management.

Please note, these are the first versions that include the fix for CVE-2022-26135. More current bug fix releases are available for the releases listed above. Atlassian recommends upgrading to the most current bug fix version.

Mitigation

Installing a fixed version of Jira or Jira Service Management is the surest way to remediate CVE-2022-26135. If you are unable to immediately upgrade Jira or Jira Service Management, then as a temporary workaround, you can manually upgrade Mobile Plugin for Jira Data Center and Server (com.atlassian.jira.mobile.jira-mobile-rest) to the version specified in this section (or disable the plugin).

The following version of the Mobile Plugin for Jira app contains a fix for this issue:

  • 3.2.15 (compatible with Jira 8.3.x - 8.22.4 and JSM 4.3.x - 4.22.4)
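The version checks in the Affected Versions, Fixed Versions and Mitigation sections can be combined into a single triage routine. The following Python is an added example and not Atlassian's code: it transcribes the affected ranges and the 3.2.15 plugin compatibility range from this advisory, reads the Jira version from the "version" field of GET /rest/api/2/serverInfo, and reports whether the instance is affected and whether the temporary workaround (fixed plugin version, or plugin disabled) is in place. The product labels "jira" and "jsm", the sample JSON inputs, and the assumption that a Universal Plugin Manager record for the plugin exposes "version" and "enabled" fields are the example's own. For Jira Service Management, pass the JSM version (4.x or 5.x) with product "jsm", since the advisory states the JSM ranges in those numbers.

```python
"""Triage helper for CVE-2022-26135: is this Jira / JSM instance affected,
and is the advisory's temporary workaround in place?  Added example, not
Atlassian code.  Version ranges and plugin data are transcribed from the
advisory text; the JSON samples at the bottom are constructed."""
import json

PLUGIN_KEY = "com.atlassian.jira.mobile.jira-mobile-rest"
FIXED_PLUGIN_VERSION = "3.2.15"

# Affected ranges from the advisory: affected when lo <= v < hi
# (lo None means "every earlier version").  The fixed releases 8.13.22,
# 8.20.10, 8.22.4, 9.0.0 and their JSM equivalents fall outside them.
AFFECTED_RANGES = {
    "jira": [(None, "8.13.22"), ("8.14.0", "8.20.10"), ("8.21.0", "8.22.4")],
    "jsm":  [(None, "4.13.22"), ("4.14.0", "4.20.10"), ("4.21.0", "4.22.4")],
}

# Versions the advisory says plugin 3.2.15 is compatible with (inclusive).
PLUGIN_COMPAT = {"jira": ("8.3.0", "8.22.4"), "jsm": ("4.3.0", "4.22.4")}


def parse_version(text):
    """'8.20.10' -> (8, 20, 10); drops a '-suffix' and pads to three
    parts so that '8.0' compares as 8.0.0."""
    parts = [int(p) for p in text.split("-")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(product, version):
    """product is 'jira' (Core / Software, Server or DC) or 'jsm'."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES[product]:
        if (lo is None or parse_version(lo) <= v) and v < parse_version(hi):
            return True
    return False


def mitigation_status(product, version, plugin_version, plugin_enabled):
    """Classify the instance against the fix and the advisory's workaround."""
    if not is_affected(product, version):
        return "not-affected"
    # Both workarounds below still leave the upgrade to a fixed
    # Jira / JSM release to be done.
    if not plugin_enabled:
        return "mitigated-plugin-disabled"
    if parse_version(plugin_version) >= parse_version(FIXED_PLUGIN_VERSION):
        return "mitigated-plugin-fixed"
    lo, hi = PLUGIN_COMPAT[product]
    if parse_version(lo) <= parse_version(version) <= parse_version(hi):
        # Upgrade the plugin to 3.2.15, or disable it, until Jira is upgraded.
        return "vulnerable-workaround-available"
    # 3.2.15 is not compatible with this release: upgrade Jira / JSM, or
    # disable the plugin.
    return "vulnerable-upgrade-required"


def triage(product, server_info_json, plugin_json):
    """server_info_json: body of GET /rest/api/2/serverInfo ('version' is
    the Jira version).  plugin_json: a UPM record for PLUGIN_KEY; that it
    carries 'key', 'version' and 'enabled' fields is an assumption."""
    version = json.loads(server_info_json)["version"]
    plugin = json.loads(plugin_json)
    if plugin.get("key") != PLUGIN_KEY:
        raise ValueError("record is not for %s" % PLUGIN_KEY)
    return mitigation_status(product, version, plugin["version"],
                             bool(plugin["enabled"]))


# Constructed sample inputs (not captured from a real instance; the
# plugin version is simply some value below 3.2.15).
SAMPLE_SERVER_INFO = json.dumps({"baseUrl": "https://jira.example.internal",
                                 "version": "8.20.9",
                                 "deploymentType": "DataCenter"})
SAMPLE_PLUGIN = json.dumps({"key": PLUGIN_KEY, "name": "Mobile Plugin for Jira",
                            "version": "3.2.14", "enabled": True,
                            "userInstalled": False})

if __name__ == "__main__":
    print(triage("jira", SAMPLE_SERVER_INFO, SAMPLE_PLUGIN))
```

The status strings are deliberately coarse: "mitigated-*" means the workaround from this section is in place, not that the instance is fixed, and "vulnerable-upgrade-required" covers releases older than 8.3.x / 4.3.x, where the advisory does not state 3.2.15 as compatible and disabling the plugin is the only workaround offered here.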

How to upgrade the app

Scenario A: User-installed apps

If you find the “Mobile Plugin for Jira” app located in the User-installed apps section, you can just click Update to get the latest version.

Scenario B: System apps

If you find the “Mobile Plugin for Jira” app located in the System apps section, follow these instructions to manually update the app (no restart required!):

  1. Download a fixed version of the app (you’ll save this as a JAR file) from the Atlassian Marketplace that is compatible with your Jira version
  2. During a maintenance window:
    1. Navigate to Admin > Manage Apps
    2. Select Upload app
    3. Select the JAR file you downloaded in Step 1

After the install, the new version will be displayed as a user-installed app instead of a system app.

The previous JAR file can remain in the directory <Jira Install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins without further action.

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please read our FAQ for CVE-2022-26135. If you have further questions, please raise a support request.

References

Security Bug fix Policy

As per our new policy, critical security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches.

Binary patches are no longer released.

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry-standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End-of-Life Policy

Our end-of-life policy varies for different products. Review the policy for details.

Last modified on Jun 30, 2022
