Workaround for CVE-2019-15001

Still need help?

The Atlassian Community is here for you.

Ask the community

This article only applies to Atlassian's server products. Learn more about the differences between cloud and server.

Problem

There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. 


Affected Versions

  • 7.0.10 to 7.6.15
  • 7.7.0 to 7.13.7 
  • 8.1.0 to 8.1.2 
  • 8.2.0 to 8.2.4 
  • 8.3.0 to 8.3.3 
  • 8.4.0

Resolution

We have released the following versions of Jira Server & Jira Data Center to address this issue:

  1. 8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
  2. 8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
  3. 8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
  4. 8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
  5. 7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
  6. 7.6.16 which is available for download from https://www.atlassian.com/software/jira/update

Upgrading Jira

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Jira Server & Jira Data Center, see the release notes. You can download the latest version of Jira Server & Jira Data Center from the download center.

Workaround

Workaround 1 - Tomcat (requires restart)

Block the endpoint from being accessed directly in the Tomcat configuration files, only for the PUT method:

  1. Shut down the application, and backup your $application-install/atlassian-jira/WEB-INF/web.xml file

  2. Add the following block inside the <web-app> element:

        <security-constraint>
          <web-resource-collection>
            <url-pattern>/rest/jira-importers-plugin/1.0/demo/create</url-pattern>
            <http-method>PUT</http-method>
          </web-resource-collection>
          <auth-constraint />
        </security-constraint>
  3. Re-start the Jira application

  4. If you try to send a PUT request to the end point <JIRA_BASE_URL>/rest/jira-importers-plugin/1.0/demo/create?key=NA&name=NA&lead=NA, will return a 403 error with Jira HTML page stating that "Access to the requested resource has been denied"


Workaround 2 - Proxy

Block the endpoint from being accessed on the proxy server side, only for the PUT method (Tested on Apache HTTPD):

  1. Open the virtual host configuration

  2. Add the following inside the virtual host to block the endpoint /rest/jira-importers-plugin/1.0/demo/create 
    <LocationMatch "/rest/jira-importers-plugin/1.0/demo/create">
    	<LimitExcept GET DELETE POST>
           Deny from all
    	</LimitExcept>
    </LocationMatch>
  3. Ensure all connectors pass through the proxy

  4. Restart Apache

(info) Example Virtual Host :

<VirtualHost *:80>

 ServerName atlassian.com

    ProxyRequests Off
    ProxyVia Off
     
    <Proxy *>
         Require all granted
    </Proxy>

    <LocationMatch "/rest/jira-importers-plugin/1.0/demo/create">
		<LimitExcept GET DELETE POST>
      		Deny from all
		</LimitExcept>
    </LocationMatch>

ProxyPass               /jira       http://localhost:8080/jira
ProxyPassReverse        /jira       http://localhost:8080/jira


</VirtualHost>



Description
Product
Last modified on Oct 30, 2019

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.