JIRA Security Advisory 2012-08-28

This advisory discloses security vulnerabilities that we have found in JIRA and fixed in a recent version of JIRA.

  • Customers who have downloaded and installed JIRA should upgrade their existing JIRA installations to fix these vulnerabilities.
  • Enterprise Hosted customers need to request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project.
  • Atlassian OnDemand customers are not affected by any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

In this advisory:

  • Privilege escalation vulnerability
  • XSS Vulnerabilities
  • XSRF Vulnerability
  • Open Redirect Vulnerabilities

Privilege escalation vulnerability

Severity

Atlassian rates the severity level of this vulnerability as Critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a privilege escalation vulnerability that affects JIRA instances, including publicly available instances (that is, Internet-facing servers). This vulnerability allows an attacker to bypass administrator-only authorisation controls via specially crafted URLs. The attacker does not need to have an account on the affected JIRA server. As a result, the attacker will be able to execute a large number of administrative actions.

This vulnerability has been fixed in JIRA 5.0.7 and later. Patches are available for JIRA 4.3.4, 4.4.5 and 5.0.6. This issue can be tracked here: JRA-29403 - Privilege escalation vulnerability (status: Resolved)

Risk Mitigation

If you cannot upgrade immediately, you can disable public access to your JIRA instance. You can also turn on Secure Administrator sessions (also known as WebSudo) which will significantly reduce the number of actions available to an attacker. WebSudo does not completely mitigate this vulnerability, as it does not protect non-administrative actions.

Fix

Upgrade

The vulnerability and fix versions are described in the 'Description' section above.

We recommend that you upgrade to JIRA 5.0.7 or later. For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.

If you cannot upgrade to the latest version of JIRA, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.

Patches

Instructions on how to apply patches are listed in the table above.

XSS Vulnerabilities

Severity

Atlassian rates the severity level of these vulnerabilities as High, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment. These vulnerabilities are not of Critical severity.

Description

We have identified and fixed nine cross-site scripting (XSS) vulnerabilities that affect JIRA instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a JIRA page.

You can read more about XSS attacks at cgisecurity.com, The Web Application Security Consortium and other places on the web.

These vulnerabilities affect JIRA 4.2 and above, and have been fixed in JIRA 5.1.1. This issue can be tracked here: JRA-29402 - Cross-Site Scripting Vulnerabilities (status: Resolved)

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.

Fix

Upgrade

The vulnerabilities and fix versions are described in the 'Description' section above.

We recommend that you upgrade to JIRA 5.1.1 or later. For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.

Patches are not available for these vulnerabilities.

Our thanks to Nils Juenemann who reported three of the XSS vulnerabilities mentioned in this section. Our thanks also to Conrad Rolack and Brandon Sterne who each reported one XSS vulnerability. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

XSRF Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as Medium, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment. This vulnerability is not of Critical severity.

Description

We have identified and fixed a cross-site request forgery (XSRF) vulnerability that affects JIRA instances, including publicly available instances (that is, Internet-facing servers).

This XSRF vulnerability relates to commenting on issues. An attacker might take advantage of the vulnerability to make other users post issue comments of the attacker's choice.

You can read more about XSRF attacks at http://www.cgisecurity.com/csrf-faq.html and other places on the web.

This vulnerability affects JIRA 4.2 and above, and has been fixed in JIRA 5.1. This issue can be tracked here: JRA-29401 - Cross-Site Request Forgery vulnerability (status: Resolved)

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.

Fix

Upgrade

The vulnerability and fix versions are described in the 'Description' section above.

We recommend that you upgrade to JIRA 5.1 or later. For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.

Patches are not available for this vulnerability.

Our thanks to João Paulo Lins of Tempest Security Intelligence, who reported the XSRF vulnerability mentioned in this section. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

Open Redirect Vulnerabilities

Severity

Atlassian rates the severity level of these vulnerabilities as Medium, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment. These vulnerabilities are not of Critical severity.

Description

We have identified and fixed two open redirect vulnerabilities that affect JIRA instances, including publicly available instances (that is, Internet-facing servers).

Parameter-based redirection vulnerabilities allow an attacker to craft a JIRA URL in such a way that a user clicking on the URL will be redirected to a different web site. This can be used for phishing.
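As an added illustration (not Atlassian's code or JIRA's actual fix), the kind of allow-list check that closes a parameter-based redirect: the redirect target is accepted only if it is a relative path inside the application's own context path, and the common bypasses (absolute URLs, scheme-relative "//host", backslashes, percent-encoded slashes, dot-segment escapes) are rejected. The parameter name "returnUrl", the context path "/jira" and the fallback dashboard path are assumptions for the example.

```python
from urllib.parse import urlsplit, unquote

# Assumed context path of the web application (hypothetical value).
CONTEXT_PATH = "/jira"


def is_safe_redirect(target: str, context_path: str = CONTEXT_PATH) -> bool:
    """Return True only if target is a relative path under context_path."""
    if not target:
        return False
    # Decode once, so percent-encoded tricks (%2F%2F, %5C) are judged as the
    # server would see them after parameter decoding.
    decoded = unquote(target)
    # Control characters (tab, newline, ...) are stripped or normalised by
    # browsers in ways that change the meaning of the URL; refuse them.
    if any(ord(c) < 0x20 for c in decoded):
        return False
    # Browsers treat backslashes as slashes, so "/\evil.example" becomes
    # "//evil.example" (a different host). Refuse them outright.
    if "\\" in decoded:
        return False
    parts = urlsplit(decoded)
    # A scheme (http:, javascript:, data:) or a host part means the target
    # is absolute or scheme-relative, i.e. potentially off-site.
    if parts.scheme or parts.netloc:
        return False
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return False
    # Resolve dot segments so "/jira/../login" cannot escape the context path.
    segments = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    normalised = "/" + "/".join(segments)
    return normalised == context_path or normalised.startswith(context_path + "/")


def safe_redirect_target(target: str,
                         default: str = CONTEXT_PATH + "/secure/Dashboard.jspa") -> str:
    """Return the requested target if it passes the check, else a fixed landing page."""
    return target if is_safe_redirect(target) else default
```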

You can read more about link manipulation attacks at Wikipedia, and about phishing at Fraud.org and other places on the web.

These vulnerabilities affect JIRA 4.3.3 and above, and have been fixed in JIRA 5.1.1. This issue can be tracked here: JRA-29400 - Open Redirect vulnerabilities (status: Resolved)

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.

Fix

Upgrade

The vulnerabilities and fix versions are described in the 'Description' section above.

We recommend that you upgrade to JIRA 5.1 or later. For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.

Patches are not available for these vulnerabilities.

Our thanks to João Paulo Lins of Tempest Security Intelligence, who reported one of the open redirect vulnerabilities mentioned in this section. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
