-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0278
                      JIRA Security Advisory 2013-02-21
                              25 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian JIRA
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2013-02-21

- --------------------------BEGIN INCLUDED TEXT--------------------

JIRA Security Advisory 2013-02-21

Added by Chris LePetit [Atlassian], last edited by Chris LePetit [Atlassian] on Feb 19, 2013

This advisory discloses a critical severity security vulnerability that exists in all versions of JIRA up to and including 5.1.4.

Customers who have downloaded and installed JIRA should upgrade their existing JIRA installations to fix this vulnerability. We also provide a patch that you will be able to apply to existing installations of JIRA to fix this vulnerability. However, we recommend that you upgrade your complete JIRA installation rather than applying the patch.

Enterprise Hosted customers need to request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project.

JIRA Studio customers will need to disable the SOAP API (see Risk Mitigation below for details).

Atlassian OnDemand customers are not affected by any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

In this advisory:

  * File Overwrite Vulnerability
  * Risk Mitigation
  * Fix

File Overwrite Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in JIRA's SOAP API that allows an attacker who has a valid JIRA account to overwrite any files that are writeable by the OS user JIRA runs under. This may result in the attacker being able to execute arbitrary Java code in the context of the JIRA server.

NOTE: This API is OFF by default, unless you have turned it on. To verify its state, check whether the "Accept remote API calls" setting is OFF. This page describes configuring JIRA options:
https://confluence.atlassian.com/display/JIRA/Configuring+JIRA+Options#ConfiguringJIRAOptions-Options

All versions of JIRA up to and including 5.1.4 are affected by this vulnerability. The vulnerability is fixed in JIRA 5.1.5 and later.

This issue can be tracked here: JRA-29786

Risk Mitigation

If you're unable to upgrade or patch the instance: as a workaround, the remote API can be completely disabled by setting the "Accept remote API calls" value to OFF in the General Configuration (as in our Configuring JIRA Options documentation). However, this will disable all XML-RPC and SOAP calls and can consequently cause additional problems for other applications or scripts that rely upon the remote API. Usage of SOAP has been deprecated as of JIRA 5.x, and it can be disabled without causing problems to JIRA. However, versions of JIRA prior to 4.x may experience problems, such as integrating with other applications through AppLinks.
REST calls will be unaffected. If you want to continue using the SOAP API interface, you need to either upgrade your JIRA or apply the patches.

Fix

This section outlines the upgrades and/or patches for this vulnerability. The Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Upgrade (recommended)

The vulnerabilities and fix versions are described in the 'Description' section above. We recommend that you upgrade to the latest version of JIRA, if possible. For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.

If you cannot upgrade to the latest version of JIRA, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.

Patches (not recommended)

We recommend patching only when you can neither upgrade nor apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy), as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative; we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.

If for some reason you cannot upgrade to the latest version of JIRA, you need to do all of the steps described in the patch instructions to fix the vulnerability described in this security advisory.

Download the patch file for your version of JIRA. Note, the patches are only available for the point release indicated. If you are using an earlier point release for a major version, you must upgrade to the latest point release first. For example, if you have 5.0.6, then you need to upgrade to 5.0.7 before applying this patch.
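As an added triage helper (not part of the advisory, and not Atlassian's or AusCERT's code), the following Python applies the version, patch and "Accept remote API calls" rules above to an inventory of JIRA instances; the host names and version strings in it are constructed samples.

```python
import re

# Advisory facts (from the page): fixed in 5.1.5+, interim patches only for
# the exact point releases 5.0.7 and 5.1.4, remote API is OFF by default.
FIXED = (5, 1, 5)
PATCHED_POINT_RELEASES = {(5, 0, 7), (5, 1, 4)}
PATCH_URL = ("http://www.atlassian.com/software/jira/downloads/binary/"
             "patch-JRA-29786-{}.zip")


def parse_version(text):
    """Turn 'major.minor[.patch][-suffix]' into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised JIRA version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(version, remote_api_enabled):
    """Return (affected, exposed, action) for one JIRA instance.

    'exposed' is True only when a vulnerable build also has the
    'Accept remote API calls' setting switched ON.
    """
    v = parse_version(version)
    if v >= FIXED:
        return (False, False, "not affected (fixed in 5.1.5 and later)")
    if v in PATCHED_POINT_RELEASES:
        action = "upgrade to 5.1.5+, or apply " + PATCH_URL.format("%d.%d.%d" % v)
    elif v[:2] in {(5, 0), (5, 1)}:
        # Earlier point release of a patched line: reach the patched point
        # release first, as the advisory requires.
        target = "5.0.7" if v[:2] == (5, 0) else "5.1.4"
        action = ("upgrade to 5.1.5+, or move to point release %s before patching"
                  % target)
    else:
        action = "upgrade to 5.1.5+ (no patch exists for this release line)"
    if remote_api_enabled:
        action += "; until then set 'Accept remote API calls' to OFF"
    return (True, remote_api_enabled, action)


if __name__ == "__main__":
    # Constructed sample inventory: (host, reported version, remote API state).
    inventory = [("jira-a", "5.0.6", True), ("jira-b", "5.1.4", False),
                 ("jira-c", "4.4.5", True), ("jira-d", "5.2.1", True)]
    for host, ver, api_on in inventory:
        print(host, assess(ver, api_on))
```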
JIRA Version   Patch                                                                              Patch File Name
5.0.7          http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-29786-5.0.7.zip  patch-JRA-29786-5.0.7.zip
5.1.4          http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-29786-5.1.4.zip  patch-JRA-29786-5.1.4.zip

Steps for applying the patches can be found inside the zip archive.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================