Atlassian have revealed a critical security vulnerability in Jira Server and Data Center.
What does this mean?
In this vulnerability a template injection on the server side could be exploited without authentication under certain conditions. This means an attacker can take control of your Jira, or parts of it, without having to log in.
It’s important to be aware that those who’ve upgraded Jira Server and Data Center to versions 7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3 and 8.3.0 will not be affected.
However, this vulnerability affects near enough all versions of Jira. Clearvision are advising customers to implement workarounds and prepare upgrades to fixed versions as soon as possible to avoid attacks.
What are Server-side template injections?
A Server-side template injection occurs when user input is embedded unsafely into a server-side template, allowing users to inject template directives.
They can cause significant impact through arbitrary code execution which can result in a full compromise of the functionality and application data.
A security risk of this nature allows an attacker to inject malicious input into the template, which can pass further into the server.
The advisory notes detailed:
“CVE-2019-11581 is in the ContactAdministrators and the SendBulkMail actions, exploited when Jira’s been configured with an SMTP server and the Contact Administrators Form enabled.”
An attacker wouldn’t need to authenticate this to take advantage of the flaw.
Another example is when there is an SMTP server in Jira and the threat actor has gained Administrators access.
An adversary leveraging such a vulnerability would be able to execute code remotely on systems with an unpatched version of Jira Server or Data Center.
New versions of Jira are already available for download and installation.
For customers on Enterprise releases (7.6 or 7.13) these will be simple upgrades to the latest Enterprise patched releases.
For customers on version 7, but not Enterprise releases, you will need to upgrade to latest 7.6 or 7.13 levels. This will introduce functional changes as well as the fix.
For customers on version 8, there are upgrades available for 8.0, 8.1, and 8.2 levels.
Atlassian advised the following workarounds:
Disable Contact Administrators Form, this will protect against one of the attack vectors.
Block access to "/secure/admin/SendBulkMail!default.jspa" endpoint, possible by denying access in the reverse-proxy, load balancer, or directly from Tomcat. This action will prevent admins from sending bulk emails to users.
One of the attack vectors requires Admin permissions, this is a great time to double-check that you have hardened passwords for all your Admins.
!Tip: Check out our blog from a little while ago around Enterprise Releases.
July 11, 2019