Atlassian updates for Jira Service Desk and Jira Service Desk Data Centre have been published to correct a critical security bug that anyone who has access to a sensitive client portal can exploit.

Another critical vulnerability affected by Jira Server and Jira Data Center has been patched, which enables the server-side template injection leading to remote code execution.

Access to Jira initiatives internally

The Jira Service Desk and Jira Service Desk Datacenter bug is a URL route to data divulgation and is now monitored as CVE-2019-14994.

Jira Service Desk is a tracker to assist clients view problems and demands while accessing Jira cases is limited.

Security investigator Sam Curry found that anybody with portal access, both clients and staff, can bypass the restriction.

“Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.”

Tenable-CVE-2019-14994-SrcRes

In an advisory this week, Atlassian reports that this vulnerability affects product versions before 3.9.16, 3.10.0 before 3.16.8, 4.0.0 prior 4.1.3, 4.2.0 before 4.2.5, 4.3.0 prior to 4.3.4 and 4.4.0.

The CVE-2019-14994 fixes: 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4 and4.4 are included in the following variants of the Jira Service Desk Server and Jira Service Desk Data Center.

Admins can block applications to JIRA containing’..’ at reverse proxy level, or load balance level as an interim solution until updating is feasible or configure the JIRA to redirect requests containing’…’ to a secure URL.The company recommends adding the rule below to the “URLwrite” section of “[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml”:

JiraServiceDeskWrkArnd

Execution of remote code on Jira Server

In another recommendation, Atlassian discloses an Importers plugin for the injection model, affecting Jira Server and Jira Data Center Version 7.0.10. The error has now been identified as CVE-2019-15001.

The seriousness of the problem is also considered critical, but it is exploitable if an intruder in the administrative unit is able to do most administrative tasks; they have no system-wide permissions and have restrictive access, depending on their application access.

“Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.”

Daniil Dimitriev is credited for finding and disclosing this vulnerability. The affected product variants begin at 7.0.10 and include:

  • from 7.0.10 before 7.6.16 (fixed in 7.6.16)
  • from 7.7.0 before 7.13.8 (fixed in 7.13.8)
  • from 8.0.0 before 8.1.3 (fixed in 8.1.3)
  • from 8.2.0 before 8.2.5 (fixed in 8.2.5)
  • from 8.3.0 before 8.3.4 (fixed in 8.3.4)
  • from 8.4.0 before 8.4.1 (fixed in 8.4.1)

Atlassian recommends updating to the patched versions but if this is not possible immediately there is a temporary workaround that consists in blocking the PUT request for the ‘/rest/jira-importers-plugin/1.0/demo/create’ endpoint.

Categorized in: