JIRA Security Advisory 2017-03-09

JIRA Server - XXE/Deserialization in JIRA Workflow Designer Plugin

Summary

An anonymous user can perform multiple attacks against a vulnerable JIRA instance that could result in remote code execution, the disclosure of private files, or a denial of service against the JIRA server.

Release Date

Product: JIRA Server

Affected Versions:
  • 4.2.4 <= version < 6.3.0

Summary of Vulnerability

An anonymous user can perform multiple attacks against a vulnerable JIRA instance that could result in remote code execution, the disclosure of private files, or a denial of service against the JIRA server.

This advisory discloses a critical severity security vulnerability which was introduced in version 4.2.4 of JIRA Server. Versions of JIRA Server starting with 4.2.4 and before 6.3.0 are affected by this vulnerability.

Customers who have upgraded JIRA Server to version 6.3.0 or higher are not affected.

Customers who are running JIRA Server version >= 4.2.4 and less than 6.3.0

Please upgrade your JIRA Server installations immediately to fix this vulnerability.


Multiple Vulnerabilities in the JIRA Workflow Designer Plugin

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

An anonymous user can perform multiple attacks against a vulnerable JIRA instance that could result in remote code execution, the disclosure of private files, or a denial of service against the JIRA server. This vulnerability is caused by the way an XML parser and a deserializer were used in JIRA.

All versions of JIRA Server up to, but not including, 6.3.0 are affected by this vulnerability. This issue can be tracked as JRA-64077 - Multiple Vulnerabilities in JIRA Workflow Servlet (Resolved).

Acknowledgements

We would like to credit Markus Wulftange of Code White for reporting this issue to us.

What You Need to Do

Upgrade (recommended)

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of JIRA Server, see the release notes. You can download the latest version of JIRA Server from the Atlassian website.

Upgrade JIRA Server to version 6.3.0 or higher.

Please keep in mind that JIRA Server 6.4 reaches its Atlassian Support end of life date on March 17, 2017, so we recommend upgrading to a version of JIRA Software (7.0 or later). For more information on the end of support and the upgrade process, see these resources: 

Support

If you have questions or concerns, please raise a support request at https://support.atlassian.com/.

References

Security Bug fix Policy

As per our new policy, critical security bug fixes will be backported to major software versions for up to 12 months for JIRA and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released.

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.
