Jira Data Center And Jira Service Management Data Center Security Advisory 2021-07-21

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

Summary

CVE-2020-36239 - Missing Authentication for Ehcache RMI

Advisory Release Date

21 Jul 2021, 10 AM PDT (Pacific Time, UTC -7 hours)


Product

  • Jira Data Center

    • Jira Software Data Center

    • Jira Core Data Center

  • Jira Service Management Data Center

Note: Jira Data Center includes Jira Software Data Center, and Jira Core Data Center.


Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected.

Jira Cloud customers are not affected.

Jira Service Management Cloud customers are not affected.

Affected Versions

Jira Data Center, Jira Core Data Center, and Jira Software Data Center - ranges

  • 6.3.0 <= version < 8.5.16

  • 8.6.0 <= version < 8.13.8

  • 8.14.0 <= version < 8.17.0


Jira Service Management Data Center - ranges

  • 2.0.2 <= version < 4.5.16

  • 4.6.0 <= version < 4.13.8

  • 4.14.0 <= version < 4.17.0


Jira Data Center, Jira Core Data Center, and Jira Software Data Center

  • All 6.3.x, 6.4.x versions

  • All 7.0.x, 7.1.x , 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x, 7.7.x, 7.8.x, 7.9.x, 7.10.x, 7.11.x, 7.12.x, 7.13.x versions

  • All 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x versions

  • All 8.5.x versions before 8.5.16

  • All 8.6.x, 8.7.x, 8.8.x, 8.9.x, 8.10.x, 8.11.x, 8.12.x versions

  • All 8.13.x versions before 8.13.8

  • All 8.14.x, 8.15.x, 8.16.x versions

Jira Service Management Data Center

  • All 2.x.x versions from 2.0.2

  • All 3.x.x versions

  • All 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x versions

  • All 4.5.x versions before 4.5.16

  • All 4.6.x, 4.7.x, 4.8.x, 4.9.x, 4.10.x, 4.11.x, 4.12.x versions

  • All 4.13.x versions before 4.13.8

  • All 4.14.x, 4.15.x, 4.16.x versions

Fixed Versions - Jira Data Center, Jira Core Data Center, and Jira Software Data Center

  • Version 8.5.16 for 8.5.x LTS

  • Version 8.13.8 for 8.13.x LTS

  • Version 8.17.0

Fixed Versions - Jira Service Management Data Center

  • Version 4.5.16 for 4.5.x LTS

  • Version 4.13.8 for 4.13.x LTS

  • Version 4.17.0

CVE ID

CVE-2020-36239


Summary of Vulnerability

This advisory discloses a critical severity security vulnerability introduced in version 6.3.0 of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center (known as Jira Service Desk prior to 4.14). Affected versions of Jira Data Center and Jira Service Management Data Center are listed above (see “Affected Versions”).

Customers who have downloaded and installed any versions listed in the Affected Versions section must upgrade their installations immediately to fix this vulnerability:

  • Jira Data Center

  • Jira Core Data Center

  • Jira Software Data Center

  • Jira Service Management Data Center

Atlassian Cloud is not affected by the issue described on this page.

Jira Cloud is not affected.

Jira Service Management Cloud is not affected.

Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected by the issue described on this page.

Single node Data Center instances without a cluster.properties file are not affected.

Customers who have upgraded Jira Data Center, Jira Core Data Center, Jira Software Data Center to versions

  • 8.5.16

  • 8.13.8

  • 8.17.0

and/or Jira Service Management Data Center to versions

  • 4.5.16

  • 4.13.8

  • 4.17.0

or higher are not affected.


Missing Authentication for Ehcache RMI - CVE-2020-36239
Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed an Ehcache RMI network service on port 40001 and potentially 40011 [0][1][2]. Because the service required no authentication, attackers who could connect to it could execute arbitrary code of their choice in Jira through Java deserialization. While Atlassian strongly suggests restricting access to the Ehcache ports to Data Center instances only, fixed versions of Jira now require a shared secret in order to allow access to the Ehcache service.

[0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

[1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

[2] The default Ehcache port is 40001 but it can be configured to be on a different port, see Installing JIRA Data Center for more details.


The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:

  • From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)

  • From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)

  • From version 8.14.0 before 8.17.0

The versions of Jira Service Management Data Center affected by this vulnerability are:

  • From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)

  • From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)

  • From version 4.14.0 before 4.17.0

This issue can be tracked at:

Acknowledgements

Credit for finding this vulnerability goes to Harrison Neal.


Fix

To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:

  • 8.5.16 that contains a fix for this issue

  • 8.13.8 that contains a fix for this issue

  • 8.17.0 that contains a fix for this issue

Jira Service Management Data Center versions:

  • 4.5.16 that contains a fix for this issue

  • 4.13.8 that contains a fix for this issue

  • 4.17.0 that contains a fix for this issue

These versions can be downloaded at:

What You Need to Do

Atlassian recommends that you upgrade to the latest version. We also recommend restricting access to the Ehcache RMI ports as per these instructions & the information found below in the Mitigation section of this page. For a full description of the latest version, see the release notes for Jira Data Center here, Jira Software Data Center here, and Jira Service Management Data Center here. You can download the latest versions of Jira Data Center and Jira Service Management Data Center from the download center (Jira Data Center | Jira Service Management Data Center).


Upgrade Jira Data Center to version 8.17.0 or higher.

If you cannot upgrade to 8.17.0, then upgrade to 8.5.16 or 8.13.8.


Upgrade Jira Service Management Data Center to version 4.17.0 or higher.

If you cannot upgrade to 4.17.0, then upgrade to 4.5.16 or 4.13.8.


Mitigation

Restrict access to the Ehcache RMI ports of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center nodes to cluster instances only, using firewalls or similar technologies.

Data Center cluster nodes still need to be able to connect to the other cluster nodes' Ehcache ports.

In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions 7.13.1 and above ports that need to be restricted to cluster instances are:

  • port 40001 

  • port 40011

  • If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances to the specific ports that you have configured Ehcache RMI to use

In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions 7.13.0 and below ports that need to be restricted to cluster instances are:

  • port 40001

  • port 40011

  • ports in the range 1024-65535 (in version 7.3.1 and above you can apply the workaround detailed in https://jira.atlassian.com/browse/JRASERVER-66608 to avoid needing to restrict access to these ports)

  • If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances to the specific ports that you have configured Ehcache RMI to use


In Jira Service Management Data Center versions 3.16.1 and above ports that need to be restricted to cluster instances are:

  • port 40001

  • port 40011

  • If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances to the specific ports that you have configured Ehcache RMI to use

In Jira Service Management Data Center versions 3.16.0 and below ports that need to be restricted to cluster instances are:

  • port 40001

  • port 40011

  • ports in the range 1024-65535 (in version 3.3.1 and above you can apply the workaround detailed in https://jira.atlassian.com/browse/JRASERVER-66608 to avoid needing to restrict access to these ports)

  • If you have changed from using the default Ehcache RMI ports as per Installing JIRA Data Center, then you will need to restrict access to cluster instances to the specific ports that you have configured Ehcache RMI to use

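The port determination from the Description footnotes and the firewall restriction from the Mitigation section, worked through as an added example. This is not Atlassian's code and does not come from this advisory; it assumes (as in the "Installing Jira Data Center" documentation, not stated on this page) that cluster.properties carries the configured ports under the keys ehcache.listener.port (default 40001) and ehcache.object.port (default 40011), that pinning the latter is the JRASERVER-66608 workaround, and that the operator supplies the node addresses and product version. The sample cluster.properties is constructed.

```python
"""
Added example (not Atlassian's code): derive the Ehcache RMI ports a Jira Data
Center node uses, emit the nftables allowlist the Mitigation section asks for,
and probe whether the ports answer from this vantage point.
Assumed, not stated on the advisory page: the cluster.properties keys
'ehcache.listener.port' / 'ehcache.object.port' and the JRASERVER-66608 pin.
"""
import socket
from dataclasses import dataclass
from typing import Optional

DEFAULT_LISTENER_PORT = 40001
DEFAULT_OBJECT_PORT = 40011
# Advisory footnotes [0] and [1]: before these versions the object port is random.
FIXED_OBJECT_PORT_SINCE = {"jira": (7, 13, 1), "jsm": (3, 16, 1)}
RANDOM_RANGE = (1024, 65535)  # what must be restricted while the port is random

# Constructed sample cluster.properties (not taken from a real node).
SAMPLE_CLUSTER_PROPERTIES = """\
# node settings
jira.node.id = node1
ehcache.listener.hostName = 10.0.0.11
ehcache.listener.port = 40001
"""

def parse_cluster_properties(text: str) -> dict:
    """Minimal .properties parser: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

@dataclass
class EhcachePorts:
    listener: int
    object: Optional[int]  # None means randomly allocated at startup

def ehcache_ports(product: str, version: str, props: dict) -> EhcachePorts:
    """Resolve both RMI ports from the configured values and the product version."""
    listener = int(props.get("ehcache.listener.port", DEFAULT_LISTENER_PORT))
    if "ehcache.object.port" in props:           # pinned (assumed JRASERVER-66608 workaround)
        return EhcachePorts(listener, int(props["ehcache.object.port"]))
    ver = tuple(int(p) for p in version.split("."))
    if ver >= FIXED_OBJECT_PORT_SINCE[product]:  # default became a fixed port
        return EhcachePorts(listener, DEFAULT_OBJECT_PORT)
    return EhcachePorts(listener, None)          # older release: random port

def nftables_rules(cluster_nodes: list, ports: EhcachePorts) -> str:
    """Cluster peers may reach the Ehcache ports; everyone else is dropped."""
    specs, warning = [str(ports.listener)], []
    if ports.object is None:
        specs.append("%d-%d" % RANDOM_RANGE)
        warning = ["    # object port is random: this also drops non-peer traffic",
                   "    # to every port in the range; pin ehcache.object.port instead"]
    else:
        specs.append(str(ports.object))
    portset, peers = ", ".join(specs), ", ".join(cluster_nodes)
    return "\n".join([
        "table inet jira_ehcache {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip saddr {{ {peers} }} tcp dport {{ {portset} }} accept",
        *warning,
        f"    tcp dport {{ {portset} }} drop",
        "  }",
        "}",
    ])

def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """TCP connect only, no payload: 'open', 'closed' (RST) or 'filtered' (timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # includes socket.timeout
            return "filtered"

def exposure_report(host: str, ports: EhcachePorts) -> dict:
    """Run from a host that is NOT a cluster member; any 'open' means unmitigated."""
    targets = [ports.listener] + ([ports.object] if ports.object is not None else [])
    return {p: probe(host, p) for p in targets}

def simulated_exposure_check() -> tuple:
    """Loopback listener standing in for an exposed Ehcache port: probe it open,
    close it, probe again. Returns ('open', 'closed') when the probe works."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        before = probe("127.0.0.1", port)
    return before, probe("127.0.0.1", port)

if __name__ == "__main__":
    ports = ehcache_ports("jira", "7.12.3",
                          parse_cluster_properties(SAMPLE_CLUSTER_PROPERTIES))
    print(ports)
    print(nftables_rules(["10.0.0.11", "10.0.0.12"], ports))
    print(simulated_exposure_check())
```

Run exposure_report against each node from a host outside the cluster after the rules are in place; a result of "open" on either port means the restriction is not effective, while "filtered" or "closed" is what the Mitigation section intends. The random-port case is the blunt one: dropping the whole 1024-65535 range from non-peers also catches legitimate traffic in that range (a load balancer reaching Jira's HTTP connector, for instance), which is why the advisory points to the JRASERVER-66608 workaround first; a random object port also cannot be verified by this probe, since its number is unknown until the node starts.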

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug fix Policy

As per our new policy critical security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches.

Binary patches are no longer released. 

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details. 

Last modified on Aug 29, 2021
