Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                     JIRA Security Advisory 2013-02-21
                             25 February 2013


        AusCERT Security Bulletin Summary

Product:           Atlassian JIRA
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

JIRA Security Advisory 2013-02-21

Added by Chris LePetit [Atlassian], last edited by Chris LePetit [Atlassian] 
on Feb 19, 2013

This advisory discloses a critical severity security vulnerability that exists
in all versions of JIRA up to and including 5.1.4.

Customers who have downloaded and installed JIRA should upgrade their existing
JIRA installations to fix this vulnerability. We also provide a patch that you
will be able to apply to existing installations of JIRA to fix this 
vulnerability. However, we recommend that you upgrade your complete JIRA 
installation rather than applying the patch.

Enterprise Hosted customers need to request an upgrade by raising a support 
request at http://support.atlassian.com in the "Enterprise Hosting Support" 

JIRA Studio customers will need to disable SOAP API (see Risk Mitigation below
for details).

Atlassian OnDemand customers are not affected by any of the issues described 
in this advisory.

Atlassian is committed to improving product security. The vulnerability listed
in this advisory has been discovered by Atlassian, unless noted otherwise. The
reporter may also have requested that we do not credit them.

If you have questions or concerns regarding this advisory, please raise a 
support request at http://support.atlassian.com/.

In this advisory:

   * File Overwrite Vulnerability 
   * Risk Mitigation 
   * Fix

File Overwrite Vulnerability 


Atlassian rates the severity level of this vulnerability as critical, 
according to the scale published in Severity Levels for Security Issues. The 
scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to
your own IT environment. 


We have identified and fixed a vulnerability in JIRA's SOAP API that allows an
attacker who has a valid JIRA account to overwrite any files that are 
writeable by the OS user JIRA runs under. This may result in the attacker 
being able to execute arbitrary Java code in the context of JIRA server.

NOTE: This API is OFF by default, unless you have turned it on. In order to 
verify its state, check whether "Accept remote API calls" setting is OFF. This
page describes configuring JIRA options: 

All versions of JIRA up to and including 5.1.4 are affected by this 
vulnerability. The vulnerability is fixed in JIRA 5.1.5 and later. This issue
can be tracked here: JRA-29786 

Risk Mitigation

If you're unable to upgrade or patch the instance: as a workaround, the remote
API can be completely disabled by setting the Accept remote API calls value to
OFF in the General Configuration (as in our Configuring JIRA Options 
documentation). However, this will disable all XML-RPC or SOAP calls and can 
consequently cause additional problems to other applications or scripts that 
rely upon the remote API.

Usage of SOAP has been deprecated as of JIRA 5.x, and this can be disabled 
without causing problems to JIRA. However versions of JIRA prior to 4.x may 
experience problems, such as integrating with other applications through 
AppLinks. REST calls will be unaffected.

If you want to continue using SOAP API interface, you need to either upgrade 
your JIRA or apply patches. 


This section outlines the upgrades and/or patches for this vulnerability. The
Security Patch Policy describes when and how we release security patches and 
security upgrades for our products. 

Upgrade (recommended)

The vulnerabilities and fix versions are described in the 'Description' 
section above.

We recommend that you upgrade to the latest version of JIRA, if possible. For
a full description of the latest version of JIRA, see the release notes. You 
can download the latest version of JIRA from the download centre.

If you cannot upgrade to the latest version of JIRA, you can temporarily patch
your existing installation using the patch listed below. We strongly recommend
upgrading and not patching. 

Patches (not recommended)

We recommend patching only when you can neither upgrade nor apply external 
security controls. Patches are usually only provided for vulnerabilities of 
critical severity (as per our Security Patch Policy), as an interim solution 
until you can upgrade. You should not expect that you can continue patching 
your system instead of upgrading. Our patches are often non-cumulative we do 
not recommend that you apply multiple patches from different advisories on top
of each other, but strongly recommend upgrading to the most recent version 

If for some reason you cannot upgrade to the latest version of JIRA, you need
do all of the steps described in the patch instructions to fix the 
vulnerability described in this security advisory.

Download the patch file for your version of JIRA. Note, the patches are only 
available for the point release indicated. If you are using an earlier point 
release for a major version, you must upgrade to the latest point release 
first. For example, if you have 5.0.6, then you need to upgrade to 5.0.7 
before applying this patch.

JIRA Version	Patch											Patch File Name 
5.0.7		http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-29786-5.0.7.zip   	patch-JRA-29786-5.0.7.zip

5.1.4		http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-29786-5.1.4.zip	patch-JRA-29786-5.1.4.zip

Steps for applying the patches can be found inside the zip archive.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967