===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0835
                     JIRA Security Advisory 2012-08-28
                             3 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian JIRA
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Administrator Compromise       -- Remote/Unauthenticated      
                   Cross-site Scripting           -- Remote with User Interaction
                   Cross-site Request Forgery     -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-08-28

--------------------------BEGIN INCLUDED TEXT--------------------

JIRA Security Advisory 2012-08-28

    Added by Andrew Lui [Atlassian Technical Writer], last edited by Andrew 
    Lui [Atlassian Technical Writer] on Aug 28, 2012

This advisory discloses security vulnerabilities that we have found in JIRA and 
fixed in a recent version of JIRA.

    Customers who have downloaded and installed JIRA should upgrade their 
    existing JIRA installations to fix these vulnerabilities.
    Enterprise Hosted customers need to request an upgrade by raising a support 
    request at http://support.atlassian.com in the "Enterprise Hosting Support" 
    project.
    Atlassian OnDemand customers are not affected by any of the issues 
    described in this advisory.

Atlassian is committed to improving product security. The vulnerabilities listed 
in this advisory were discovered by Atlassian, unless noted otherwise. A 
reporter may also have requested that we do not credit them.

If you have questions or concerns regarding this advisory, please raise a 
support request at http://support.atlassian.com/.

In this advisory:

    Privilege escalation vulnerability
    XSS Vulnerabilities
    XSRF Vulnerability
    Open Redirect Vulnerabilities

Privilege escalation vulnerability

Severity

Atlassian rates the severity level of this vulnerability as Critical, according 
to the scale published in Severity Levels for Security Issues. The scale allows 
us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to 
your own IT environment.

Description

We have identified and fixed a privilege escalation vulnerability that affects 
JIRA instances, including publicly available instances (that is, 
Internet-facing servers). This vulnerability allows an attacker to bypass 
administrator-only authorisation controls via specially crafted URLs. The 
attacker does not need to have an account on the affected JIRA server. As a 
result, the attacker will be able to execute a large number of administrative 
actions.

This vulnerability has been fixed in JIRA 5.0.7 and later. Patches are available 
for JIRA 4.3.4, 4.4.5 and 5.0.6. This issue can be tracked here: JRA-29403

Risk Mitigation

If you cannot upgrade immediately, you can disable public access to your JIRA 
instance. You can also turn on Secure Administrator sessions (also known as 
WebSudo) which will significantly reduce the number of actions available to an 
attacker. WebSudo does not completely mitigate this vulnerability, as it does 
not protect non-administrative actions.

Fix

Upgrade

The vulnerability and fix versions are described in the 'Description' section 
above.

We recommend that you upgrade to JIRA 5.0.7 or later. For a full description of 
the latest version of JIRA, see the release notes. You can download the latest
version of JIRA from the download centre.

If you cannot upgrade to the latest version of JIRA, you can temporarily patch 
your existing installation using the patch listed below. We strongly recommend 
upgrading and not patching.

Patches

JIRA version   Patch File Name             Patch Instructions
4.3.4          JRA-29403-4.3.4-patch.zip   JRA-29403-4.3.4-patch-instructions.txt
4.4.5          JRA-29403-4.4.5-patch.zip   JRA-29403-4.4.5-patch-instructions.txt
5.0.6          JRA-29403-5.0.6-patch.zip   JRA-29403-5.0.6-patch-instructions.txt

Instructions on how to apply patches are listed in the table above.

XSS Vulnerabilities

Severity

Atlassian rates the severity level of these vulnerabilities as High, according 
to the scale published in Severity Levels for Security Issues. The scale allows 
us to rank the severity as critical, high, medium or low.
This is an independent assessment and you should evaluate its applicability to 
your own IT environment. These vulnerabilities are not of Critical severity.

Description

We have identified and fixed nine cross-site scripting (XSS) vulnerabilities 
that affect JIRA instances, including publicly available instances (that is, 
Internet-facing servers). XSS vulnerabilities allow an attacker to embed their
own JavaScript into a JIRA page.

You can read more about XSS attacks at cgisecurity.com, The Web Application
Security Consortium and other places on the web.

These vulnerabilities affect JIRA 4.2 and above, and have been fixed in JIRA 
5.1.1. This issue can be tracked here: JRA-29402

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these 
vulnerabilities. Please see the 'Fix' section below.

Fix

Upgrade

The vulnerabilities and fix versions are described in the 'Description' section 
above.

We recommend that you upgrade to JIRA 5.1.1 or later. For a full description of 
the latest version of JIRA, see the release notes. You can download the latest 
version of JIRA from the download centre.

Patches are not available for this vulnerability.

Our thanks to Nils Juenemann who reported three of the XSS vulnerabilities 
mentioned in this section. Our thanks also to Conrad Rolack and Brandon Sterne 
who each reported one XSS vulnerability. We fully support the reporting of 
vulnerabilities and we appreciate it when people work with us to identify and 
solve the problem.

XSRF Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as Medium, according 
to the scale published in Severity Levels for Security Issues. The scale allows 
us to rank the severity as critical, high, medium or low.

This is an independent assessment and you should evaluate its applicability to 
your own IT environment. This vulnerability is not of Critical severity.

Description

We have identified and fixed a cross-site request forgery (XSRF) vulnerability 
that affects JIRA instances, including publicly available instances (that is, 
Internet-facing servers).

This XSRF vulnerability relates to commenting on issues. An attacker might take 
advantage of the vulnerability to make other users post issue comments of his 
choice.

You can read more about XSRF attacks at http://www.cgisecurity.com/csrf-faq.html 
and other places on the web.

This vulnerability affects JIRA 4.2 and above, and has been fixed in JIRA 5.1. 
This issue can be tracked here: JRA-29401

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix this 
vulnerability. Please see the 'Fix' section below.

Fix

Upgrade

The vulnerability and fix versions are described in the 'Description' section 
above.

We recommend that you upgrade to JIRA 5.1 or later. For a full description of the 
latest version of JIRA, see the release notes. You can download the latest version 
of JIRA from the download centre.

Patches are not available for this vulnerability.

Our thanks to João Paulo Lins of Tempest Security Intelligence, who reported the 
XSRF vulnerability mentioned in this section. We fully support the reporting of 
vulnerabilities and we appreciate it when people work with us to identify and 
solve the problem.

Open Redirect Vulnerabilities

Severity

Atlassian rates the severity level of these vulnerabilities as Medium, 
according to the scale published in Severity Levels for Security Issues. The 
scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to 
your own IT environment. These vulnerabilities are not of Critical severity.

Description

We have identified and fixed two open redirect vulnerabilities that affect JIRA 
instances, including publicly available instances (that is, Internet-facing 
servers).

Parameter-based redirection vulnerabilities allow an attacker to craft a JIRA 
URL in such a way that a user clicking on the URL will be redirected to a 
different web site. This can be used for phishing.
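The defensive counterpart to the redirect issue described above is to treat the redirect parameter as untrusted and only follow targets that stay on the JIRA instance. The validator below is an added example, not Atlassian's code or the actual JIRA fix; the context path "/jira" and the fallback landing page are assumptions, and it also handles the usual evasions (protocol-relative "//host", backslashes, scheme prefixes, header-splitting characters) that a plain "starts with /" check misses.

```python
from urllib.parse import urlsplit

# Hypothetical validator (added example, not JIRA's own code). Accepts a
# redirect target taken from a URL parameter only if it is an absolute path
# under the application's own context path, so a crafted link cannot bounce
# the user to another site. The "/jira" context path is an assumption.
def is_safe_redirect(target: str, base_path: str = "/jira") -> bool:
    if not target:
        return False
    # CR/LF and other control characters could split the Location header;
    # check the raw value because urlsplit() silently drops \r, \n and \t.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat backslashes like forward slashes, so "/\evil.example"
    # would be followed as "//evil.example". Normalise before parsing.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    # Any scheme (http:, javascript:, ...) or an authority component
    # ("//evil.example" is protocol-relative) means an off-site target.
    if parts.scheme or parts.netloc:
        return False
    # Only absolute paths that stay under the context path are allowed;
    # "/jira@evil.example" and "/jirafoo" both fail this prefix check.
    path = parts.path
    return path == base_path or path.startswith(base_path + "/")


def choose_redirect(target: str, fallback: str = "/jira/") -> str:
    """Return the validated target, or the assumed safe landing page."""
    return target if is_safe_redirect(target) else fallback
```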

You can read more about link manipulation attacks at Wikipedia, and about 
phishing at Fraud.org and other places on the web.

These vulnerabilities affect JIRA 4.3.3 and above, and have been fixed in JIRA 
5.1.1. This issue can be tracked here: JRA-29400

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these
vulnerabilities. Please see the 'Fix' section below.

Fix

Upgrade

The vulnerabilities and fix versions are described in the 'Description' section 
above.

We recommend that you upgrade to JIRA 5.1 or later. For a full description of 
the latest version of JIRA, see the release notes. You can download the latest 
version of JIRA from the download centre.

Patches are not available for this vulnerability.

Our thanks to João Paulo Lins of Tempest Security Intelligence, who reported one 
of the open redirect vulnerabilities mentioned in this section. We fully support 
the reporting of vulnerabilities and we appreciate it when people work with us 
to identify and solve the problem.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================