Workaround for CVE-2019-15004


Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.


This workaround fixes CVE-2019-14994 and CVE-2019-15004.

This workaround will also block attachments whose file name contains "..". To avoid this, rename such attachments to remove ".." from the file name, or upgrade to a fixed version so that the workaround can be removed.


Problem

Jira Service Desk versions affected by CVE-2019-15004 allow users without application access (Service Desk customers) to see restricted information in the Jira instance.

This affects Jira Service Desk portals that have the "Anyone can email the service desk or raise a request in the portal" setting enabled; exploitation allows an attacker to view all issues in all Jira projects on the vulnerable instance.

Affected versions

  • All versions before 3.9.17
  • 3.10.x
  • 3.11.x
  • 3.12.x
  • 3.13.x
  • 3.14.x
  • 3.15.x
  • 3.16.x before 3.16.11 (the fixed version for 3.16.x)
  • 4.0.x
  • 4.1.x
  • 4.2.x before 4.2.6 (the fixed version for 4.2.x)
  • 4.3.x before 4.3.5 (the fixed version for 4.3.x)
  • 4.4.x before 4.4.3 (the fixed version for 4.4.x)
  • 4.5.x before 4.5.1 (the fixed version for 4.5.x)


The permanent resolution is given below, along with workarounds if an immediate upgrade is not possible.

Resolution

Upgrade to a fixed version of Jira Service Desk:

  • 3.9.17
  • 3.16.11
  • 4.2.6
  • 4.3.5
  • 4.4.3
  • 4.5.1

Workaround

Block path traversal and authorization bypass.

Workaround 1.

Redirect requests to Jira containing .. to a safe URL

  1. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

    <rule>
        <from>^/.*\.\..*$</from>
        <to type="temporary-redirect">/</to>
    </rule>
    
  2. Save the urlrewrite.xml
  3. Restart Jira

Workaround 2.

Block requests to Jira for path traversal at the reverse proxy or load balancer level

Apache

  1. Add the following to the .conf file that contains the VirtualHost that proxies to Jira:

    <LocationMatch "/(.*\.\.)">
        Order Allow,Deny
        Deny from all
    </LocationMatch>


    Example:

    <VirtualHost *:80>
        ServerName jira.example.com

        ProxyRequests Off
        ProxyVia Off

        <Proxy *>
            Require all granted
        </Proxy>
        ProxyPass /jira  http://ipaddress:8080/jira
        ProxyPassReverse /jira  http://ipaddress:8080/jira

        <LocationMatch "/(.*\.\.)">
            Order Allow,Deny
            Deny from all
        </LocationMatch>
    </VirtualHost>
  2. Restart your Apache proxy

Nginx

  1. Add the following inside the location block that proxies to Jira, in the .conf file that contains the server block:

    if ($uri ~* "/.*\.\.") {
        return 405;
    }


    Example:

        location /jira {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://ipaddress:8080/jira;
            client_max_body_size 10M;

            if ($uri ~* "/.*\.\.") {
                return 405;
            }
        }
  2. Restart NGINX
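As an added check that is not part of the original article, the following Python script applies the three ".." patterns used by the workarounds above (UrlRewriteFilter, Apache LocationMatch, nginx) to constructed sample request paths, so an administrator can confirm what a rule will and will not block, including the legitimate-attachment side effect noted at the top, before restarting Jira or the proxy. The sample paths and the function names are assumptions, not values from any real instance.

```python
"""Offline check of the '..' blocking rules from the workaround.

Constructed example: runs the same patterns the article uses for
UrlRewriteFilter, Apache LocationMatch and nginx against sample request
paths and reports which ones each rule would block.
"""
import re

# Patterns copied from the workaround. Apache and nginx match unanchored
# against the request path; UrlRewriteFilter anchors with ^ and $.
RULES = {
    "urlrewrite": re.compile(r"^/.*\.\..*$"),
    "apache":     re.compile(r"/(.*\.\.)"),
    "nginx":      re.compile(r"/.*\.\.", re.IGNORECASE),  # ~* is case-insensitive
}


def blocked_by(path):
    """Return the set of rule names whose pattern matches this path."""
    return {name for name, rx in RULES.items() if rx.search(path)}


def classify(paths):
    """Map each path to 'blocked' or 'allowed'; all three rules must agree."""
    result = {}
    for p in paths:
        hits = blocked_by(p)
        # The three rules are meant to be equivalent; flag any disagreement.
        if hits and hits != set(RULES):
            raise AssertionError(f"rules disagree on {p!r}: {hits}")
        result[p] = "blocked" if hits else "allowed"
    return result


# Constructed sample paths (assumed, not taken from a real instance).
SAMPLE_PATHS = [
    "/jira/secure/Dashboard.jspa",                      # normal page: allowed
    "/jira/servicedesk/customer/portal/1",              # normal portal URL: allowed
    "/jira/secure/attachment/10001/report..final.pdf",  # legitimate file, blocked as side effect
    "/jira/secure/attachment/10002/report.final.pdf",   # single dots: allowed
    "/jira/images/../secure/Dashboard.jspa",            # request containing "..": blocked
]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        print(f"{verdict:8} {path}")
```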


Description: CVE-2019-15004
Product: Jira Service Desk
Last modified on Nov 6, 2019
