JIRA Security Advisory 2012-05-17

This advisory discloses a high severity security vulnerability that exists in all versions of JIRA up to and including 5.0.0.

  • Customers who have downloaded and installed JIRA should upgrade their existing JIRA installations to fix this vulnerability. We also provide a patch that you will be able to apply to existing installations of JIRA to fix this vulnerability. However, we recommend that you upgrade your complete JIRA installation rather than applying the patch.
  • Enterprise Hosted customers need to request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project.
  • JIRA Studio and Atlassian OnDemand customers are not affected by any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.  

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

In this advisory:

High Severity XML Parsing Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low. This vulnerability is not critical.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in JIRA that results from the way third-party XML parsers are used in JIRA. This vulnerability allows an attacker who is an authenticated JIRA user to execute denial of service attacks against the JIRA server.

All versions of JIRA up to and including 5.0.0 are affected by this vulnerability. This issue can be tracked here:  JRA-27719 - XML Vulnerability in JIRA Resolved

The Tempo and Gliffy for JIRA plugins are also vulnerable to this exploit. If you are using these plugins with any version of JIRA, you will need to upgrade them (see 'Fix' section below) or disable them.

Risk Mitigation

We recommend that you upgrade your JIRA installation to fix this vulnerability.

Alternatively, if you are not in a position to upgrade immediately, you should disable public access (such as anonymous access and public signup) to your JIRA installation until you have applied the necessary patch or upgraded.

Fix

Upgrade (recommended)

  1. Upgrade to JIRA 5.0.1 or later which fixes this vulnerability. For a full description of this release, see the JIRA 5.0.1 Release Notes. You can download this version of JIRA from the download centre.

  2. Upgrade the following JIRA third-party plugins, if you are using them. The table below describes which version of the plugin you should upgrade to, depending on your JIRA version. See Managing JIRA's Plugins for instructions on how to upgrade a plugin. In general, you should upgrade these plugins to the latest available version compatible with your version of JIRA.

    Plugin JIRA 5.0 JIRA 4.4 JIRA 4.3 JIRA 4.2

    Gliffy plugin for JIRA

    3.7.1 3.7.1 3.7.1 3.7.1
    Tempo 7.0.3 6.5.0.2 6.4.3.1 6.4.3.1

Patches (not recommended)

We recommend patching only when you can neither upgrade nor apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy), as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.

If for some reason you cannot upgrade to the latest version of JIRA, you must do all of the following steps to fix the vulnerability described in this security advisory.

  1. Download the patch file for your version of JIRA. Note, the patches are only available for the point release indicated. If you are using an earlier point release for a major version, you must upgrade to the latest point release first.

  2. Update the following files in your JIRA installation, as described below.


    • JIRA:
      1. Shut down JIRA.
      2. Replace $JIRA_INSTALL/atlassian-jira/WEB-INF/classes/atlassian-bundled-plugins.zip with the patch file downloaded in Step 1 above.
      3. Delete the $JIRA_HOME/plugins/.bundled-plugins directory.
      4. Restart JIRA.
    • JIRA WAR:
      1. Replace $JIRA_WAR_INSTALL/webapp/WEB-INF/classes/atlassian-bundled-plugins.zip with the patch file downloaded in Step 1 above.
      2. Regenerate the WAR file.
      3. Shut down JIRA.
      4. Install the new WAR you generated.
      5. Delete the $JIRA_HOME/plugins/.bundled-plugins directory.
      6. Restart JIRA.
  3. Upgrade the following JIRA third-party plugins, if you are using them. The table below describes which version of the plugin you should upgrade to, depending on your JIRA version. See Managing JIRA's Plugins for instructions on how to upgrade a plugin. In general, you should upgrade these plugins to the latest available version compatible with your version of JIRA.

    Plugin JIRA 5.0 JIRA 4.4 JIRA 4.3 JIRA 4.2

    Gliffy plugin for JIRA

    3.7.1 3.7.1 3.7.1 3.7.1
    Tempo 7.0.3 6.5.0.2 6.4.3.1 6.4.3.1
  4. Verify that patches succeeded by checking plugin versions. Versions of Tempo and Gliffy are listed in the table above. For the JIRA patch (step 1 above) you need to verify the version of Atlassian REST plugin.

    Plugin JIRA 4.4.5 JIRA 4.3.4 JIRA 4.2.4 JIRA 4.1.2

    Atlassian REST

    2.5.5.1 2.4.0.1 2.1.0.1 1.0.5.1


    Screenshot:

Was this helpful?

Thanks for your feedback!

Why was this unhelpful?

Have a question about this article?

See questions about this article

Powered by Confluence and Scroll Viewport