FAQ for CVE-2019-13990
A critical severity XML External Entity Injection (XXE) vulnerability was discovered in Jira Service Management Server and Data Center (CVE-2019-13990).
This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will update this page as new information becomes available.
Can any authenticated user exploit this vulnerability?
No. The vulnerable library is used only by the Assets automation rules feature, which is available only to Assets schema admins, defined by the following roles:
- Object Schema Managers
- Assets Administrator
A user who is not configured as an Assets schema admin has no access to the affected feature. In addition, authenticated Jira Service Management customers cannot exploit the vulnerability, even when the Object Schema Users permission for Jira Service Management Customers is enabled, because customers cannot access automation rules; they can only view and search objects through the customer portal.
Are Cloud instances affected?
No, Atlassian Cloud instances are not vulnerable to this issue.
My instance isn't exposed to the Internet. Is an upgrade still recommended?
Yes! While ensuring instances are not exposed to the public internet greatly reduces the attack surface, we strongly recommend upgrading when security fixes are available.
My instance is NOT connected to the internet. What should I do? Am I safe?
If the Jira instance cannot be accessed from the general internet, the risk of an exploit or attack originating from the internet is removed.
Due to the nature of this vulnerability and the variety of ways in which instances can be accessed, please work with local network/security team(s) to determine if mitigation is needed. However, out of an abundance of caution, the guidance on the advisory page for CVE-2019-13990 still applies.
Can we determine if Jira Service Management has already been compromised?
Unfortunately, Atlassian cannot confirm if Jira has been compromised. Please involve the local security team or a specialist security forensics firm for further investigation.
My instance has been compromised. What should I do?
Unfortunately, Atlassian cannot confirm if a customer's instance has been compromised. We strongly recommend involving your local security team for further investigation. If it is determined that your Jira Service Management Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet. Also, you may want to immediately shut down any other systems that potentially share a user base or have common username/password combinations with the compromised system. Before doing anything else you will need to work with your local security team to identify the scope of the breach and your recovery options.
My software maintenance has expired. Do I need to renew it to install the patch/upgrade?
Yes. Every upgrade requires a license that was active when that version was released (i.e., if the license expired on the 25th, an upgrade to a release made on the 26th would not work). The product will block the upgrade if the license is not valid.
I wasn't made aware of the vulnerability. How and when was this communicated by Atlassian?
An alert was sent out to all customers subscribed to the product technical alerts list, after we developed a fix. You can check your membership on that list by going to https://my.atlassian.com/email.