JIRA Security Advisory 2014-02-26

This advisory details critical security vulnerabilities that we have found in JIRA and fixed in recent versions of JIRA.

  • Customers who have downloaded and installed JIRA should upgrade their existing JIRA installations or apply the patches to fix these vulnerabilities.  
  • Atlassian OnDemand customers have been upgraded with the fixes for the issues described in this advisory.

These vulnerabilities affect all versions of JIRA up to and including 6.1.3.

Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.

Issue 1: Path traversal in JIRA Issue Collector plugin (Windows only)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in JIRA which allowed unauthenticated users to create files in any valid directory inside a JIRA install. In order to exploit this vulnerability, an attacker requires access to your JIRA web interface.

This issue only affects JIRA servers running on Windows OS. It is not exploitable on Linux and OSX systems.

The vulnerability affects all supported versions of JIRA up to and including 6.0.3. It has been fixed in 6.0.4. The issue is tracked in JRA-36442 (Path traversal in JIRA Issue Collector plugin (Windows only); status: Resolved).

Our thanks to Philippe Arteau of Groupe Technologies Desjardins who reported this vulnerability.

Risk Mitigation

If you are unable to upgrade or patch your JIRA server, you can disable the JIRA Issue collector plugin via the JIRA administration interface.

In case you require the plugin, do the following as a temporary workaround:

  • Block access to your JIRA server web interface from untrusted networks, such as the Internet.

Fix

This vulnerability can be fixed by upgrading JIRA. Alternatively, you can upgrade only the vulnerable plugin.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Upgrading JIRA

Upgrade to JIRA 6.0.4 or a later version, which fixes this vulnerability. For a full description of these releases, see the JIRA Release Notes. You can download these versions of JIRA from the download centre.

If you cannot upgrade JIRA at the moment, you can upgrade only the Issue Collector plugin. See Managing JIRA's Plugins for instructions on how to upgrade a plugin. In general, you should upgrade this plugin to the latest available version compatible with your version of JIRA.

Issue 2: Path traversal in JIRA Importers plugin (Windows only)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in JIRA which allowed unauthenticated users to create files in any valid directory inside a JIRA install. In order to exploit this vulnerability, an attacker requires access to your JIRA web interface.

This issue only affects JIRA servers running on Windows OS. It is not exploitable on Linux and OSX systems.
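The advisory does not say why the two path traversals (Issue 1 and Issue 2) are exploitable on Windows only. One mechanism that produces exactly this profile is a file-name check written against forward slashes only: on Linux and OS X a backslash is an ordinary character inside a file name, whereas on Windows it is a path separator, so a name that a Linux server stores harmlessly is interpreted by a Windows server as a walk up the directory tree. The example below is added here and is not Atlassian's code, nor the actual logic of either plugin. It runs constructed sample names through both platforms' path semantics using Python's posixpath and ntpath modules, compares a naive forward-slash-only check against a containment check and a platform-independent allow-list, and uses hypothetical base directories.

```python
import ntpath
import posixpath

# Constructed sample values for a user-supplied file name parameter. They are
# illustrations of the check, not inputs taken from the advisory.
SAMPLE_NAMES = [
    "report.txt",
    "../../../WEB-INF/web.xml",
    "..\\..\\..\\WEB-INF\\web.xml",
    "sub/..\\..\\escaped.txt",
]

# Hypothetical base directories for each platform (not paths from the advisory).
POSIX_BASE = "/opt/jira/tmp"
WINDOWS_BASE = "C:\\jira\\tmp"


def naive_check(name):
    """A check that only knows about forward slashes.

    This is the kind of validation that looks sufficient when developed and
    tested on Linux, where a backslash is an ordinary file-name character.
    """
    return "../" not in name and not name.startswith("/")


def is_contained(base_dir, name, pathmod):
    """True if base_dir joined with name still resolves inside base_dir.

    pathmod selects the platform's path semantics (posixpath or ntpath), so the
    same name can be checked the way that OS would actually interpret it.
    """
    base = pathmod.normpath(base_dir)
    target = pathmod.normpath(pathmod.join(base, name))
    return target == base or target.startswith(base + pathmod.sep)


def safe_name(name):
    """Platform-independent allow-list: exactly one path component.

    Rejects both separator styles and NUL, so the decision does not depend on
    which OS the server happens to run on.
    """
    if not name or name in (".", ".."):
        return False
    return not any(ch in name for ch in "/\\\0")


def evaluate():
    """For each sample: (naive_check, contained on POSIX, contained on Windows, safe_name)."""
    return {
        name: (
            naive_check(name),
            is_contained(POSIX_BASE, name, posixpath),
            is_contained(WINDOWS_BASE, name, ntpath),
            safe_name(name),
        )
        for name in SAMPLE_NAMES
    }


if __name__ == "__main__":
    for name, (naive, posix_ok, win_ok, safe) in evaluate().items():
        print(f"{name!r:36} naive={naive!s:5} posix={posix_ok!s:5} "
              f"windows={win_ok!s:5} allowlist={safe}")
```

The backslash samples are the instructive rows: the naive check accepts them, the POSIX containment check also accepts them (they really are harmless there), and only the Windows containment check rejects them. The allow-list gives the same answer on every platform, which is the property to aim for in a plugin that may be deployed on either.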

The vulnerability affects all supported versions of JIRA up to and including 6.0.4. It has been fixed in 6.0.5. The issue is tracked in JRA-36441 (Path traversal in JIRA Importers plugin (Windows only); status: Resolved).

Risk Mitigation

If you are unable to upgrade or patch your JIRA server you can disable the JIRA Importers plugin via the JIRA administration interface.

In case you require the plugin, do the following as a temporary workaround:

  • Block access to your JIRA server web interface from untrusted networks, such as the Internet.

Fix

This vulnerability can be fixed by upgrading JIRA. Alternatively, you can upgrade only the vulnerable plugin.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Upgrading JIRA

Upgrade to JIRA 6.0.4 or a later version, which fixes this vulnerability. For a full description of these releases, see the JIRA Release Notes. You can download these versions of JIRA from the download centre.

If you cannot upgrade JIRA at the moment, you can upgrade only the JIRA Importers plugin. See Managing JIRA's Plugins for instructions on how to upgrade a plugin. In general, you should upgrade this plugin to the latest available version compatible with your version of JIRA.

Issue 3: Privilege escalation

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in JIRA which allowed unauthenticated attackers to commit actions on behalf of any other authorised user. In order to exploit this vulnerability, an attacker requires access to your JIRA web interface.

The vulnerability affects all supported versions of JIRA up to and including 6.1.3. It has been fixed in 6.1.4. The issue is tracked in JRA-35797 (Privilege escalation; status: Closed).

Risk Mitigation

If you are unable to upgrade or patch your JIRA server you can do the following as a temporary workaround:

  • Block access to your JIRA server web interface from untrusted networks, such as the Internet.
  • Turn on Secure Administrator Sessions; this prevents privilege escalation to administrative accounts. Non-privileged accounts will still be vulnerable.

Fix

This vulnerability can be fixed by upgrading JIRA. There is also a patch available for this vulnerability for the following supported versions of JIRA. If you have any questions, please raise a support request at http://support.atlassian.com. We recommend upgrading.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products.  

Upgrading JIRA

Upgrade to JIRA 6.1.4 or a later version, which fixes this vulnerability. For a full description of these releases, see the JIRA Release Notes. You can download these versions of JIRA from the download centre.

Patches

We recommend patching only when you cannot upgrade or cannot apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy ) as an interim solution until you can upgrade. You should not continually patch your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, and we strongly recommend upgrading to the most recent version regularly.

If for some reason you cannot upgrade to the latest version of JIRA, you must upgrade to the last minor version of the release. For example, if you have JIRA 5.1.1, you will have to upgrade to 5.1.8 and then apply the patch provided below to fix the vulnerability described in this advisory.


Download the patch package:

Patches are provided for the last minor version of each major release. If you don't have the exact JIRA version installed, you will need to upgrade to the last minor version of the release in order to apply the patch (this means if you have JIRA 5.1.1, you will have to upgrade to 5.1.8 in order to be able to apply the patch).

Version       Patch Package                                          md5
JIRA 4.4.5    patch-JRA-35797-4.4.5-20140303.zip                     47990989c958b4b7c51785075b84e12f
JIRA 5.0.7    patch-JRA-35797-5.0.7-20140303.zip                     1f940b97ba8bc127f306eecdad44bc55
JIRA 5.1.8    patch-JRA-35797-5.1.8.zip                              d7db72b3656dc952604a7f7a6fea380b
JIRA 5.2.11   patch-JRA-35797-5.2.11-20140303.zip                    3a7fe0b8a35b295ffdf93102955f7d86
JIRA 6.0.8    patch-JRA-35797-6.0.8.zip                              1550f9e7784aad41f69c07efe634966f
JIRA 6.1.x    There's no patch, upgrade directly to 6.1.4 or above   n/a

WINDOWS USERS: Do not use the built-in Windows ZIP extractor to apply this patch!

By default it replaces all the files in a directory instead of merging the files in. If this happens, JIRA will not be able to work correctly. Use another zip tool such as WinZip or 7-Zip. Alternatively, extract the files into a different directory and copy them to <jira_install>/atlassian-jira/WEB-INF/lib manually.

Instructions for specific versions of JIRA are available in a file JRA-35797-x.x.x-patch-instructions.txt located inside the corresponding ZIP file.

For reference, instructions for JIRA 6.0.8 are below (please be sure to follow the instructions in the patch zip you have downloaded as each version has slightly different instructions): 

Before applying the patch file, make a copy of your JIRA web application directory in case things go wrong. This will allow you to more easily back out any changes.

If you are using the Standalone distribution of JIRA:

  1. Download the file patch-JRA-35797/patches/JRA-35797-6.0.8-patch.zip
  2. In the <jira_install>/atlassian-jira/WEB-INF/lib directory delete the following files:
    • atlassian-gadgets-api-3.2.0-m26.jar
    • atlassian-gadgets-spi-3.2.0-m26.jar
    • atlassian-trusted-apps-core-2.5.2.jar
    • atlassian-trusted-apps-seraph-integration-2.5.2.jar
    • sal-api-2.10.2.jar
    • sal-spi-2.10.2.jar
  3. Expand the zip file into <jira_install_dir>/atlassian-jira/ overwriting the files there
  4. Restart JIRA

If you are using the WAR distribution of JIRA:

  1. Download the file patch-JRA-35797/patches/JRA-35797-6.0.8-patch.zip
  2. In the <jira_install_dir>/webapp/WEB-INF/lib directory delete the following files:
    • atlassian-gadgets-api-3.2.0-m26.jar
    • atlassian-gadgets-spi-3.2.0-m26.jar
    • atlassian-trusted-apps-core-2.5.2.jar
    • atlassian-trusted-apps-seraph-integration-2.5.2.jar
    • sal-api-2.10.2.jar
    • sal-spi-2.10.2.jar
  3. Expand the zip file to <jira_install_dir>/webapp overwriting the files there
  4. Run 'build.sh clean' on Unix or 'build.bat clean' on Windows
  5. Run 'build.sh' on Unix or 'build.bat' on Windows
  6. Redeploy the JIRA web app into your application server
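As an added example (my script, not Atlassian's, and not the instructions file shipped inside the patch ZIP), the POSIX shell script below ties the md5 table and the Standalone distribution steps together: it checks the downloaded ZIP against the md5 the advisory lists for the chosen version, copies the web application directory as the advisory recommends, deletes the six jars named in step 2 of the Standalone instructions, and merges the ZIP in with unzip -o so files are overwritten in place rather than the directory being replaced. The script name, the install-path argument and the backup naming are assumptions; the jar list and md5 values are the ones printed in the advisory. The md5 check guards against a corrupted or wrong download, not against an attacker who can alter both the file and the advisory page, so fetch both over HTTPS from Atlassian.

```sh
#!/bin/sh
# Added example, not Atlassian tooling: check a downloaded patch ZIP against the
# advisory's md5 table and remove the jars the 6.0.8 standalone instructions
# list, before the ZIP is merged into the web application directory.

# md5 values copied from the advisory's patch table (version -> md5).
# 6.1.x has no patch, so it is deliberately absent.
expected_md5_for_version() {
    case "$1" in
        4.4.5)  echo 47990989c958b4b7c51785075b84e12f ;;
        5.0.7)  echo 1f940b97ba8bc127f306eecdad44bc55 ;;
        5.1.8)  echo d7db72b3656dc952604a7f7a6fea380b ;;
        5.2.11) echo 3a7fe0b8a35b295ffdf93102955f7d86 ;;
        6.0.8)  echo 1550f9e7784aad41f69c07efe634966f ;;
        *)      echo "no patch listed for JIRA $1; upgrade instead" >&2; return 1 ;;
    esac
}

# md5 of a file, using md5sum where present and openssl otherwise.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Status 0 when the file's md5 equals the expected value (compared lower-case).
verify_patch_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(file_md5 "$file" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "md5 OK: $file"
        return 0
    fi
    echo "md5 MISMATCH for $file: expected $expected, got $actual" >&2
    return 1
}

# Jars the advisory's 6.0.8 standalone instructions say to delete from WEB-INF/lib.
SUPERSEDED_JARS="atlassian-gadgets-api-3.2.0-m26.jar
atlassian-gadgets-spi-3.2.0-m26.jar
atlassian-trusted-apps-core-2.5.2.jar
atlassian-trusted-apps-seraph-integration-2.5.2.jar
sal-api-2.10.2.jar
sal-spi-2.10.2.jar"

# Delete the superseded jars from a lib directory; prints the number removed.
# Other jars are left alone, so a mismatch between the list and the directory
# shows up in the count instead of being silently destructive.
remove_superseded_jars() {
    libdir="$1"
    [ -d "$libdir" ] || { echo "no such directory: $libdir" >&2; return 1; }
    removed=0
    for jar in $SUPERSEDED_JARS; do
        if [ -f "$libdir/$jar" ]; then
            rm -f "$libdir/$jar"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Usage (Standalone distribution; script name and argument layout are assumptions):
#   sh apply-patch-check.sh patch-JRA-35797-6.0.8.zip 6.0.8 /path/to/jira_install
# Runs only when all three arguments are given, so sourcing the file is harmless.
if [ "$#" -eq 3 ]; then
    zip="$1"; version="$2"; install="$3"
    webapp="$install/atlassian-jira"
    expected=$(expected_md5_for_version "$version") || exit 1
    verify_patch_md5 "$zip" "$expected" || exit 1
    cp -a "$webapp" "$webapp.bak-$(date +%Y%m%d%H%M%S)"   # advisory: copy the web app dir first
    echo "removed $(remove_superseded_jars "$webapp/WEB-INF/lib") superseded jar(s)"
    unzip -o "$zip" -d "$webapp"                             # merge into, never replace, the directory
fi
```

After the script finishes, restart JIRA (step 4 of the Standalone instructions). For the WAR distribution the same functions apply to <jira_install_dir>/webapp/WEB-INF/lib, followed by the build and redeploy steps above.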
