Jira Server - Template injection in various resources - CVE-2019-11581

Summary: CVE-2019-11581 - Template injection in various resources
Advisory Release Date: 10 AM PDT (Pacific Time, -7 hours)
Product: Jira Server & Jira Data Center
Affected versions: 4.4.x, 5.x.x, 6.x.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x before 7.6.14 (the fixed version for 7.6.x), 7.7.x, 7.8.x, 7.9.x, 7.10.x, 7.11.x, 7.12.x, 7.13.x before 7.13.5 (the fixed version for 7.13.x), 8.0.x before 8.0.3 (the fixed version for 8.0.x), 8.1.x before 8.1.2 (the fixed version for 8.1.x), 8.2.x before 8.2.3 (the fixed version for 8.2.x)
Fixed versions: 7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3, 8.2.4
CVE ID(s): CVE-2019-11581

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was introduced in version 4.4.0 of Jira Server & Jira Data Center. The following versions of Jira Server & Jira Data Center are affected by this vulnerability:

- 4.4.x
- 5.x.x
- 6.x.x
- 7.0.x
- 7.1.x
- 7.2.x
- 7.3.x
- 7.4.x
- 7.5.x
- 7.6.x before 7.6.14 (the fixed version for 7.6.x)
- 7.7.x
- 7.8.x
- 7.9.x
- 7.10.x
- 7.11.x
- 7.12.x
- 7.13.x before 7.13.5 (the fixed version for 7.13.x)
- 8.0.x before 8.0.3 (the fixed version for 8.0.x)
- 8.1.x before 8.1.2 (the fixed version for 8.1.x), and
- 8.2.x before 8.2.3 (the fixed version for 8.2.x).

Customers who have upgraded Jira Server & Jira Data Center to versions 7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3 or 8.2.4 are not affected.

Customers using Jira Cloud are not affected.

Customers who have downloaded and installed any of the affected Jira Server & Jira Data Center versions listed above: please upgrade your Jira Server & Jira Data Center installations immediately to fix this vulnerability.

If you have downloaded and installed Jira Service Desk from version 3.0.0 before 4.2.3, you may be affected. The versions listed above are for Jira Software and Jira Core. Check the compatibility matrix to find the equivalent version for your Jira Service Desk version.

Template injection in various resources - CVE-2019-11581

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. For this issue to be exploitable at least one of the following conditions must be met:

- an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or
- an SMTP server has been configured in Jira and an attacker has "JIRA Administrators" access.

In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with "JIRA Administrators" access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.





All versions of Jira Server and Data Center from 4.4.0 before 7.6.14 (the fixed version for 7.6.x), from 7.7.0 before 7.13.5 (the fixed version for 7.13.x), from 8.0.0 before 8.0.3 (the fixed version for 8.0.x), from 8.1.0 before 8.1.2 (the fixed version for 8.1.x), and from 8.2.0 before 8.2.3 (the fixed version for 8.2.x) are affected by this vulnerability. This issue can be tracked here: JRASERVER-69532.

Acknowledgements

We would like to acknowledge Daniil Dmitriev for finding this vulnerability.

Fix

We have released the following versions of Jira Server & Jira Data Center to address this issue:

- 8.2.3, which is available for download from https://www.atlassian.com/software/jira/download.
- 8.1.2, which is available for download from https://www.atlassian.com/software/jira/update.
- 8.0.3, which is available for download from https://www.atlassian.com/software/jira/update.
- 7.13.5, which is available for download from https://www.atlassian.com/software/jira/update.
- 7.6.14, which is available for download from https://www.atlassian.com/software/jira/update.

What You Need to Do



Mitigation

If you are unable to upgrade Jira immediately, then as a temporary workaround, you can:

- Disable the Contact Administrators Form, and block the /secure/ContactAdministrators endpoint; and
- Block these endpoints from being accessed:
  - /secure/admin/SendBulkMail!default.jspa,
  - /admin/SendBulkMail!default.jspa, and
  - /SendBulkMail!default.jspa.

Note that blocking the SendBulkMail endpoint will prevent Jira Administrators from being able to send bulk emails to users.



Blocking endpoints can be achieved by denying access in the reverse-proxy or load balancer.
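As an added example (not from the advisory), the following Python decides whether a request path falls under the workaround's deny list, applying the normalisation a reverse-proxy or load-balancer rule must also perform before comparing paths: query string, fragment and ';' path parameters removed, percent-encoding decoded, and an assumed Jira context path of /jira stripped. The prefix match is an assumption as well: it covers the three SendBulkMail paths and the ContactAdministrators path listed above, plus any other mapping of the same action names.

```python
"""Added example (not from the Atlassian advisory): decide whether a request
path must be denied under the CVE-2019-11581 temporary workaround.  The deny
list is the advisory's; the path normalisation and the /jira context path are
assumptions about the deployment, not statements from the advisory."""
from urllib.parse import unquote, urlsplit

# Jira context path from server.xml ("" when Jira is served at "/").  Assumption.
CONTEXT_PATH = "/jira"

# Action paths the workaround says to block.  Matched as prefixes so that both the
# "!default.jspa" view mapping and any other mapping of the same action are caught.
BLOCKED_PREFIXES = (
    "/secure/ContactAdministrators",
    "/secure/admin/SendBulkMail",
    "/admin/SendBulkMail",
    "/SendBulkMail",
)


def normalise(raw_path: str) -> str:
    """Decoded path with query string, fragment, ';' params and context path removed."""
    path = urlsplit(raw_path).path                  # drops ?query and #fragment
    path = unquote(path)                            # undo %21 / %2F style encoding
    # Strip ';jsessionid=...' style path parameters from every segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    if CONTEXT_PATH and path.startswith(CONTEXT_PATH + "/"):
        path = path[len(CONTEXT_PATH):]
    return path


def should_deny(raw_path: str) -> bool:
    """True when the request targets an endpoint the workaround blocks."""
    path = normalise(raw_path)
    return any(path.startswith(prefix) for prefix in BLOCKED_PREFIXES)


if __name__ == "__main__":
    # Constructed request paths, as they would appear in a proxy access log.
    for sample in (
        "/jira/secure/ContactAdministrators!default.jspa",
        "/jira/secure/admin/SendBulkMail!default.jspa?atl_token=abc",
        "/jira/SendBulkMail.jspa;jsessionid=1234",
        "/jira/secure/Dashboard.jspa",
    ):
        print("DENY " if should_deny(sample) else "ALLOW", sample)
```

Running the same inputs through the proxy rule you deploy (and checking that each denied path now returns an error) is the quickest way to confirm the workaround is actually in force.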



After upgrading Jira, you can re-enable the Administrator Contact Form, and unblock the SendBulkMail endpoint.





Upgrading Jira

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Jira Server & Jira Data Center, see the Release Notes. You can download the latest version of Jira Server & Jira Data Center from the Download Center.

Upgrade Jira Server & Jira Data Center to version 8.2.4 or higher.





If you can't upgrade to the latest version (8.2.4):

(1) If you have a current feature version (a feature version released on 10 December 2018 or later), upgrade to the next bugfix version of your current feature version.

If you have feature version…   …then upgrade to this bugfix version:
8.0.x                          8.0.3
8.1.x                          8.1.2





(2) If you have a current Enterprise release version (an Enterprise release version released on 10th July 2017 or later), upgrade to the latest Enterprise release version (7.13.5).

Please note that the 7.6 Enterprise release will reach End of Life in November 2019. If you are unable to upgrade to the latest Enterprise release version (7.13.5), upgrade to 7.6.14.

If you have Enterprise release version…   …then upgrade to this version:
7.6.x                                     7.13.5 (Recommended), or 7.6.14
7.13.x                                    7.13.5





(3) If you have an older version (a feature version released before 10 December 2018, or an Enterprise release version released before 10th July 2017), either upgrade to the latest version, or to the latest Enterprise release version (7.13.5).

If you have older version…                                        …then upgrade to any of these versions:
4.4.x, 5.x.x, 6.x.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x,    Current versions: 8.0.3, 8.1.2, 8.2.3
7.7.x, 7.8.x, 7.9.x, 7.10.x, 7.11.x, 7.12.x                       Enterprise releases: 7.6.14, 7.13.5 (Recommended)
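Added example, not part of the advisory: a Python check that applies the affected ranges and the three upgrade tables above to an installed Jira Server / Jira Data Center version, for instance when walking an inventory of instances. It assumes Jira Software / Jira Core numbering (x.y.z); Jira Service Desk numbering is not handled, so use the compatibility matrix for those.

```python
"""Added example (not from the Atlassian advisory): apply its affected ranges and
upgrade tables to an installed Jira Server / Data Center version (x.y.z numbering)."""

FIRST_VULNERABLE = (4, 4, 0)        # the advisory: introduced in 4.4.0
LATEST = (8, 2, 4)                  # recommended target: 8.2.4 or higher
# Bugfix releases that close the issue, per feature or Enterprise release line.
FIXED_IN = {
    (7, 6): (7, 6, 14), (7, 13): (7, 13, 5),
    (8, 0): (8, 0, 3), (8, 1): (8, 1, 2), (8, 2): (8, 2, 3),
}


def parse(version: str) -> tuple:
    """'7.13.5' -> (7, 13, 5); a missing patch component counts as 0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def fmt(t: tuple) -> str:
    return ".".join(str(x) for x in t)


def is_affected(version: str) -> bool:
    """True if the build lies inside one of the advisory's affected ranges."""
    v = parse(version)
    if v < FIRST_VULNERABLE or v >= LATEST:
        return False                # predates the bug, or is 8.2.4 or higher
    fixed = FIXED_IN.get(v[:2])
    return fixed is None or v < fixed   # lines without a fix release are wholly affected


def upgrade_targets(version: str) -> tuple:
    """Alternatives from tables (1)-(3) when the latest version (8.2.4) is not an option."""
    if not is_affected(version):
        return ()
    line = parse(version)[:2]
    if line in {(8, 0), (8, 1), (8, 2)}:    # table (1); 8.2.x -> 8.2.3 from the summary
        return (fmt(FIXED_IN[line]),)
    if line == (7, 6):                      # table (2): 7.6 Enterprise release
        return ("7.13.5 (Recommended)", "7.6.14")
    if line == (7, 13):
        return ("7.13.5",)
    # table (3): every older feature or Enterprise release version
    return ("8.0.3", "8.1.2", "8.2.3", "7.6.14", "7.13.5 (Recommended)")


if __name__ == "__main__":
    for v in ("6.4.14", "7.6.10", "7.13.4", "8.1.1", "8.2.3"):   # constructed inventory
        print(v, "affected" if is_affected(v) else "not affected", upgrade_targets(v))
```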

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.



If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

For guidance on determining whether your instance has been compromised, see Determining whether your Jira instance has been compromised by CVE-2019-11581.

References