-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
JIRA Security Advisory 2013-02-21
25 February 2013
AusCERT Security Bulletin Summary
Product: Atlassian JIRA
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Overwrite Arbitrary Files -- Existing Account
- --------------------------BEGIN INCLUDED TEXT--------------------
JIRA Security Advisory 2013-02-21
Added by Chris LePetit [Atlassian], last edited by Chris LePetit [Atlassian]
on Feb 19, 2013
This advisory discloses a critical severity security vulnerability that exists
in all versions of JIRA up to and including 5.1.4.
Customers who have downloaded and installed JIRA should upgrade their existing
JIRA installations to fix this vulnerability. We also provide a patch that you
will be able to apply to existing installations of JIRA to fix this
vulnerability. However, we recommend that you upgrade your complete JIRA
installation rather than applying the patch.
Enterprise Hosted customers need to request an upgrade by raising a support
request at http://support.atlassian.com in the "Enterprise Hosting Support"
JIRA Studio customers will need to disable SOAP API (see Risk Mitigation below
Atlassian OnDemand customers are not affected by any of the issues described
in this advisory.
Atlassian is committed to improving product security. The vulnerability listed
in this advisory has been discovered by Atlassian, unless noted otherwise. The
reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a
support request at http://support.atlassian.com/.
In this advisory:
* File Overwrite Vulnerability
* Risk Mitigation
File Overwrite Vulnerability
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in Severity Levels for Security Issues. The
scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to
your own IT environment.
We have identified and fixed a vulnerability in JIRA's SOAP API that allows an
attacker who has a valid JIRA account to overwrite any files that are
writeable by the OS user JIRA runs under. This may result in the attacker
being able to execute arbitrary Java code in the context of JIRA server.
NOTE: This API is OFF by default, unless you have turned it on. In order to
verify its state, check whether "Accept remote API calls" setting is OFF. This
page describes configuring JIRA options:
All versions of JIRA up to and including 5.1.4 are affected by this
vulnerability. The vulnerability is fixed in JIRA 5.1.5 and later. This issue
can be tracked here: JRA-29786
If you're unable to upgrade or patch the instance: as a workaround, the remote
API can be completely disabled by setting the Accept remote API calls value to
OFF in the General Configuration (as in our Configuring JIRA Options
documentation). However, this will disable all XML-RPC or SOAP calls and can
consequently cause additional problems to other applications or scripts that
rely upon the remote API.
Usage of SOAP has been deprecated as of JIRA 5.x, and this can be disabled
without causing problems to JIRA. However versions of JIRA prior to 4.x may
experience problems, such as integrating with other applications through
AppLinks. REST calls will be unaffected.
If you want to continue using SOAP API interface, you need to either upgrade
your JIRA or apply patches.
This section outlines the upgrades and/or patches for this vulnerability. The
Security Patch Policy describes when and how we release security patches and
security upgrades for our products.
The vulnerabilities and fix versions are described in the 'Description'
We recommend that you upgrade to the latest version of JIRA, if possible. For
a full description of the latest version of JIRA, see the release notes. You
can download the latest version of JIRA from the download centre.
If you cannot upgrade to the latest version of JIRA, you can temporarily patch
your existing installation using the patch listed below. We strongly recommend
upgrading and not patching.
Patches (not recommended)
We recommend patching only when you can neither upgrade nor apply external
security controls. Patches are usually only provided for vulnerabilities of
critical severity (as per our Security Patch Policy), as an interim solution
until you can upgrade. You should not expect that you can continue patching
your system instead of upgrading. Our patches are often non-cumulative we do
not recommend that you apply multiple patches from different advisories on top
of each other, but strongly recommend upgrading to the most recent version
If for some reason you cannot upgrade to the latest version of JIRA, you need
do all of the steps described in the patch instructions to fix the
vulnerability described in this security advisory.
Download the patch file for your version of JIRA. Note, the patches are only
available for the point release indicated. If you are using an earlier point
release for a major version, you must upgrade to the latest point release
first. For example, if you have 5.0.6, then you need to upgrade to 5.0.7
before applying this patch.
JIRA Version Patch Patch File Name
5.0.7 http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-29786-5.0.7.zip patch-JRA-29786-5.0.7.zip
5.1.4 http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-29786-5.1.4.zip patch-JRA-29786-5.1.4.zip
Steps for applying the patches can be found inside the zip archive.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----