JIRA Security Advisory 2010-06-18

In this advisory:

XSS Vulnerabilities in URL Query Strings

Severity

Atlassian rates these vulnerabilities as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed several cross-site scripting (XSS) vulnerabilities in JIRA, which may affect JIRA instances. These vulnerabilities have security implications and are especially important for anyone running publicly accessible instances of JIRA.

  • An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to the attacker's own web server. The attacker could potentially then gain control over the underlying JIRA system and/or the underlying operating system, based on the privileges of the user whose credentials had been stolen.
  • The attacker's text and script might be displayed to other people viewing a JIRA page. This is potentially damaging to your company's reputation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Vulnerability

Some values from JIRA URLs were not correctly HTML-escaped, potentially enabling an attacker to add scripts to another user's response.
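The pattern behind this class of bug, as an added illustration that is not JIRA code: a query-string value is reflected into an HTML attribute, first as-is and then escaped for the attribute context. The parameter name `query` and the page fragment are assumptions chosen for the example.

```python
"""Reflecting a URL query-string value into HTML: unescaped vs. escaped.

Added example, not code from JIRA. Parameter name 'query' and the
<input> fragment are assumed for illustration.
"""
import html
from urllib.parse import parse_qs, urlsplit


def _query_value(url: str) -> str:
    """Pull the first 'query' parameter out of the URL (empty if absent)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("query", [""])[0]


def reflect_unescaped(url: str) -> str:
    """Vulnerable pattern: the raw parameter lands inside an attribute as-is,
    so a value containing a quote can close the attribute and start new markup."""
    return f'<input name="query" value="{_query_value(url)}">'


def reflect_escaped(url: str) -> str:
    """Hardened pattern: escape for HTML, including quotes, because the value
    sits inside a double-quoted attribute."""
    safe = html.escape(_query_value(url), quote=True)
    return f'<input name="query" value="{safe}">'


def tag_count(fragment: str) -> int:
    """Number of '<' characters; the intended fragment has exactly one tag."""
    return fragment.count("<")


# Constructed request URL: the value is  a"><b>b  after URL-decoding.
SAMPLE_URL = "http://jira.example.invalid/search?query=a%22%3E%3Cb%3Eb"

if __name__ == "__main__":
    print(reflect_unescaped(SAMPLE_URL))  # one extra tag has appeared
    print(reflect_escaped(SAMPLE_URL))    # still a single <input> tag
```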

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.

Fix

These issues have been fixed in JIRA 4.1.2 and later. If you absolutely cannot upgrade, a patch that has been tested on JIRA 4.0.2 is available on the following holding bug: http://jira.atlassian.com/browse/JRA-21624

JIRA Standalone Vulnerability with Session Cookies

Severity

Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified a weakness in the handling of session cookies in JIRA Standalone distributions and incorporated an enhancement to address it. This has security implications which are especially important for anyone running publicly accessible instances of JIRA.

  • An attacker might take advantage of this vulnerability to steal other users' session cookies, by sending the session ID credentials contained within them back to the attacker's own web server. The attacker could potentially then gain control over the underlying JIRA system and/or the underlying operating system, based on the privileges of the user whose credentials had been stolen.

Vulnerability

If an attacker makes a successful XSS attack, this vulnerability could allow the attacker to use JavaScript to access the session ID contained within a session cookie.

Risk Mitigation

We recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.

Fix

Cookies are now set to 'HttpOnly' in the Standalone distributions of JIRA 4.1.2 and later. 'HttpOnly' session cookies dramatically reduce the likelihood of privilege escalation through XSS attack vectors. Therefore, please upgrade to this version of JIRA to mitigate this risk.

If you are running a JIRA EAR-WAR distribution or an earlier version of JIRA, please refer to the Preventing Security Attacks guide for information on how to implement 'HttpOnly' session cookies with specific examples for configuring Tomcat version 5.5.27+.
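A check for the fix described above, as an added example rather than Atlassian's own code: it parses the Set-Cookie headers of a response and reports any session cookie that lacks the HttpOnly flag. The sample headers are constructed, and JSESSIONID is assumed as the session cookie name because that is Tomcat's default.

```python
"""Audit Set-Cookie headers for session cookies missing HttpOnly.

Added example, not Atlassian code. JSESSIONID is Tomcat's default session
cookie name; SAMPLE_* headers are constructed for illustration.
"""
import urllib.request

# Session cookie names to audit (lower-cased). Extend for other containers.
SESSION_COOKIE_NAMES = {"jsessionid"}


def parse_set_cookie(header: str) -> tuple[str, set[str]]:
    """Split one Set-Cookie header into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_session_cookies(set_cookie_headers: list[str]) -> list[str]:
    """Return the names of session cookies that are set without HttpOnly."""
    missing = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIE_NAMES and "httponly" not in attrs:
            missing.append(name)
    return missing


def fetch_set_cookie_headers(url: str) -> list[str]:
    """Fetch a page and return its Set-Cookie headers (network helper, untested here)."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed headers: as set before the fix, and as set with HttpOnly.
SAMPLE_BEFORE = ["JSESSIONID=CONSTRUCTED1234; Path=/jira"]
SAMPLE_AFTER = ["JSESSIONID=CONSTRUCTED1234; Path=/jira; HttpOnly",
                "atlassian.xsrf.token=CONSTRUCTED; Path=/jira"]

if __name__ == "__main__":
    print("before fix:", audit_session_cookies(SAMPLE_BEFORE))  # ['JSESSIONID']
    print("after fix: ", audit_session_cookies(SAMPLE_AFTER))   # []
```

To audit a live instance, pass `fetch_set_cookie_headers("<your JIRA login URL>")` to `audit_session_cookies`.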

Users without the 'JIRA Users' Permission can Login via Crowd Single Sign On

Severity

Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a vulnerability in JIRA, relating to login permission. This vulnerability has security implications and is especially important for anyone running publicly accessible instances of JIRA.

  • A user might take advantage of the vulnerability to log in to a JIRA instance which they are not authorised to view.

Vulnerability

This vulnerability only relates to JIRA instances that are connected to Atlassian Crowd and are using Crowd Single Sign On (SSO).

When JIRA is using the Crowd connector and Crowd SSO, a user who doesn't have the 'JIRA Users' permission can log in to JIRA using Crowd SSO.

Project-specific permissions are still enforced, so the user would only be able to see unsecured projects (that is, projects which 'Anyone' can view).

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.

Fix

This issue has been fixed in JIRA 4.1.2 and later. If you absolutely cannot upgrade, you can try replacing the crowd-integration-client-1.6.1.jar located in the <root-dir>/WEB-INF/lib directory with the newer version that comes with JIRA 4.1.2, namely crowd-integration-client-2.0.4.jar. Although this configuration has not been subjected to Atlassian's quality assurance processes, we believe the upgrade of that library should work and will fix this security bug. Customers who absolutely cannot upgrade to JIRA 4.1.2 who have any trouble with this should raise a support request at https://support.atlassian.com/ for help.

XSRF Vulnerability in 'Logout' Action

Severity

Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed an XSRF (cross-site request forgery) vulnerability in JIRA, relating to the Logout action.

  • An attacker might take advantage of the vulnerability to force other users to log out. This could be used for a DoS (denial of service) attack.

You can read more about XSRF attacks at cgisecurity.

Vulnerability

An attacker could insert malicious text into an issue, which would force logout for any user who viewed that issue.

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.

Fix

This issue has been fixed in JIRA 4.1.2 and later.

Security Vulnerabilities in FishEye Plugin

Severity

Atlassian rates these vulnerabilities as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

Please see the JIRA FishEye Plugin Security Advisory 2010-06-18 for details.

Vulnerability

These vulnerabilities relate to the JIRA FishEye Plugin, which is bundled with JIRA. Only JIRA instances where the JIRA FishEye Plugin is enabled are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation (or this plugin) to fix this vulnerability. Please see the 'Fix' section below.

Fix

These issues have been fixed in JIRA 4.1.2 and later. Upgrading to this version of JIRA will fix these vulnerabilities.

Alternatively, if you are running JIRA 4.1 or 4.1.1 and cannot upgrade JIRA to version 4.1.2 immediately, you can fix these vulnerabilities by upgrading the FishEye plugin. Otherwise, you can disable the JIRA FishEye plugin via the JIRA administration interface.

Security Vulnerabilities in Bamboo Plugin

Severity

Atlassian rates these vulnerabilities as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

Please see the JIRA Bamboo Plugin Security Advisory 2010-06-18 for details.

Vulnerability

These vulnerabilities relate to the JIRA Bamboo Plugin, which is bundled with JIRA. Only JIRA instances where the JIRA Bamboo Plugin is enabled are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation (or this plugin) to fix this vulnerability. Please see the 'Fix' section below.

Fix

These issues have been fixed in JIRA 4.1.2 and later. Upgrading to this version of JIRA will fix these vulnerabilities.

Alternatively, if you are running a version of JIRA from 4.0 to 4.1.1 (inclusive) and cannot upgrade JIRA to version 4.1.2 immediately, you can fix these vulnerabilities by upgrading the Bamboo plugin. Otherwise, you can disable the JIRA Bamboo plugin via the JIRA administration interface.