-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3583
  Jira Service Desk Server & Jira Service Desk Data Center: URL path traversal
                              23 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jira Service Desk Server
                   Jira Service Desk Data Center
Publisher:         Atlassian
Operating System:  Windows
                   Linux variants
                   Mac OS
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14994

Original Bulletin:
   https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-09-18-976171274.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Jira Service Desk Server and Jira Service Desk Data Center - URL path
traversal allows information disclosure - CVE-2019-14994

Advisory Release Date:  18 Sep 2019 10:00 AM PDT (Pacific Time, -7 hours)

Product:  Jira Service Desk Server and Jira Service Desk Data Center

This does not affect Jira Service Desk Cloud.
This does not affect Jira Core or Jira Software on instances where Jira
Service Desk is not installed.
Affected Jira Service Desk Server and Jira Service Desk Data Center Versions:

  * version < 3.9.16
  * 3.10.0 <= version < 3.16.8
  * 4.0.0 <= version < 4.1.3
  * 4.2.0 <= version < 4.2.5
  * 4.3.0 <= version < 4.3.4
  * 4.4.0 <= version < 4.4.1

  That is:

  * All versions before 3.9.16
  * 3.10.x
  * 3.11.x
  * 3.12.x
  * 3.13.x
  * 3.14.x
  * 3.15.x
  * 3.16.x before 3.16.8 (the fixed version for 3.16.x)
  * 4.0.x
  * 4.1.x before 4.1.3 (the fixed version for 4.1.x)
  * 4.2.x before 4.2.5 (the fixed version for 4.2.x)
  * 4.3.x before 4.3.4 (the fixed version for 4.3.x)
  * 4.4.x before 4.4.1 (the fixed version for 4.4.x)

Fixed Jira Service Desk Versions:

  * 3.9.16
  * 3.16.8
  * 4.1.3
  * 4.2.5
  * 4.3.4
  * 4.4.1

CVE ID(s):  CVE-2019-14994

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability in Jira
Service Desk Server and Jira Service Desk Data Center.

Versions before 3.9.16, from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3,
from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and version 4.4.0 are
affected by this vulnerability.

Atlassian Cloud instances have already been upgraded to a version of Jira
Service Desk which does not have the issue described on this page.

Customers who have upgraded Jira Service Desk Server & Jira Service Desk Data
Center to 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4, or 4.4.1 are not affected.

Customers who have downloaded and installed Jira Service Desk Server & Jira
Service Desk Data Center versions:

  * All versions before 3.9.16
  * 3.10.x
  * 3.11.x
  * 3.12.x
  * 3.13.x
  * 3.14.x
  * 3.15.x
  * 3.16.x before 3.16.8 (the fixed version for 3.16.x)
  * 4.0.x
  * 4.1.x before 4.1.3 (the fixed version for 4.1.x)
  * 4.2.x before 4.2.5 (the fixed version for 4.2.x)
  * 4.3.x before 4.3.4 (the fixed version for 4.3.x)
  * 4.4.0 before 4.4.1 (the fixed version for 4.4.x)

Please upgrade your Jira Service Desk Server & Jira Service Desk Data Center
installations immediately to fix this vulnerability.
URL path traversal allows information disclosure - CVE-2019-14994

Severity

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own
IT environment.

Description

By design, Jira Service Desk gives customer portal users permissions only to
raise requests and view issues. This allows users to interact with the
customer portal without having direct access to Jira. These restrictions can
be bypassed by any attacker with portal access* who exploits a path traversal
vulnerability. Exploitation allows an attacker to view all issues within all
Jira projects contained in the vulnerable instance. This could include Jira
Service Desk projects, Jira Core projects, and Jira Software projects.

All versions of Jira Service Desk before 3.9.16, from 3.10.0 before 3.16.8,
from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and
4.4.0 are affected by this vulnerability.

This issue can be tracked here: JSDSERVER-6517

* Note that attackers can grant themselves access to Jira Service Desk portals
that have the "Anyone can email the service desk or raise a request in the
portal" setting enabled. Changing this permission does not remove the
vulnerability to an exploit by an attacker that has portal access. Atlassian
does not recommend changing the permission; instead please read on and follow
the instructions outlined in the section "What You Need to Do".

Acknowledgements

We would like to acknowledge Sam Curry for finding this vulnerability.
Fix

We have released the following versions of Jira Service Desk Server & Jira
Service Desk Data Center to address this issue:

  * 4.4.1
  * 4.3.4
  * 4.2.5
  * 4.1.3
  * 3.16.8
  * 3.9.16

Each of these can be downloaded from
https://www.atlassian.com/software/jira/service-desk/update

What You Need to Do

Mitigation

If you are unable to upgrade Jira Service Desk immediately or are in the
process of migrating to Jira Cloud, then as a temporary workaround, you can:

  * Block requests to Jira containing ".." at the reverse proxy or load
    balancer level, or

  * Alternatively, configure Jira to redirect requests containing ".." to a
    safe URL:

    + Add the following to the <urlrewrite> section of
      [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

        <rule>
            <from>^/[^?]*\.\..*$</from>
            <to type="temporary-redirect">/</to>
        </rule>

    + After saving the changes above, restart Jira.

After upgrading Jira Service Desk this mitigation can be removed.

Upgrading Jira Service Desk

Atlassian recommends that you upgrade to the latest version. For a full
description of the latest version of Jira Service Desk Server & Jira Service
Desk Data Center, see the Release Notes. You can download the latest version
of Jira Service Desk Server & Jira Service Desk Data Center from the Download
Center.

Upgrade Jira Service Desk to a version as specified below. Upgrading Jira
Service Desk also requires upgrading Jira Core. Check the compatibility matrix
to find the equivalent version for your Jira Service Desk version.

  If you have version...   ...then upgrade to this bugfix version:
  4.4.0                    4.4.1
  4.3.x                    4.3.4
  4.2.x                    4.2.5
  4.1.x                    4.1.3
  3.16.x                   3.16.8
  3.9.x                    3.9.16

  Current versions:        4.4.1
                           4.3.4
  Older versions
    Enterprise releases:   3.16.8 (Recommended)
                           3.9.16

Finding Evidence of Exploitation

The Jira KB contains instructions on how to determine if any attempts were
made to exploit your Jira Service Desk instance.

Please note: Atlassian has no evidence that this vulnerability has been
exploited in the wild.

Support

If you did not receive an email for this advisory and you wish to receive such
emails in the future go to https://my.atlassian.com/email and subscribe to
Alerts emails.

If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

Last modified on Sep 19, 2019

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXYhcC2aOgq3Tt24GAQhYSg//eXjan0dlMIHSsyI6BnmL9FCPh2PH6GT3
UJmk6T7uICXwOIPMdpLCt0lzWwyNoFMx6uq6xv66WlW/M0YxLmhA8isl9fyYZP7b
r0hTphYNikh8BwoPl/POABknJnlPD7JFXGsPbp8y3WTQu5WHuXS7KRYJf92JctuH
mxb9uvZjyOSWeGBdleu4zN8Vt4Yfpfpvx/D3yRGdUUMBHDnNRinkp+BH8qoJBxAM
95umIq/qP8NSH6NseV0hgvoXep+Cwiv6wuX6QKQ3vZdWMuEz9/Kqo0bB8dGgdH8E
JsHXsTOR1pwv2RZB22kvGAN0u7D9GAi7KFWIM4J8zAnRyBU9hmOE8WX2OM7b73W7
qZJCplFAhd76LqO213WAN0XoK+0AQHFfWi1PLOsXPdz8u6oewmgNVu4qz3Z68a0A
2YU0y7lf2Rde95oOPyfJWIwWl9oFTy1KETNlE6oDej+imQZxDucH8g5oDiO09ri2
86w/6KRrflWezHjIFovOxy8mCejISf9RB3hXm5jSJpdnvS08AHAuAwdOUHmjLVpD
oP4HU5/wsjznqETTd6xn3qA93ehlO8kXzvogBC6qsGuIq7bpAn+DnLu3rc4j1G2g
d5Ll/PLsFHAQ9bHJ9QuX6jZVQgLtbDseUzTmlHVZpSYxJo10Kd/T4SFjFl8bYoJ7
8Qxq17nvPCU=
=AkOA
-----END PGP SIGNATURE-----
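Added example, not part of the AusCERT bulletin or of Atlassian's advisory: a
Python reimplementation of the regex from the urlrewrite.xml workaround in the
Mitigation section, run over access-log lines in the spirit of the "Finding
Evidence of Exploitation" section. It shows two properties of the rule a
practitioner should know before relying on it: it matches any literal ".." in
the path portion of the request (whatever follows the dots), but it does not
match ".." that appears only in the query string, and it does not match a
percent-encoded ".." unless whatever applies the rule sees the decoded path.
The log lines, client address, paths and issue key are constructed for the
example and are not real Jira traffic or a reproduction of the reported
attack; the single pass of percent-decoding used to flag encoded variants is
an assumption, because whether the proxy or filter matches the decoded form
is deployment-specific.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# The pattern from the advisory's urlrewrite.xml workaround: a request path
# (everything before any "?") that contains a literal "..". This is also the
# condition to block at a reverse proxy or load balancer.
TRAVERSAL_RULE = re.compile(r"^/[^?]*\.\..*$")

# Extracts the request target from an Apache/Tomcat-style access log line.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def matches_mitigation_rule(request_target: str) -> bool:
    """True if the workaround's urlrewrite rule would redirect this request.

    The rule is literal: only an unencoded ".." in the path portion matches;
    ".." that appears only in the query string does not.
    """
    return TRAVERSAL_RULE.match(request_target) is not None


def classify_request(request_target: str) -> str:
    """Label a request target for log review.

    "traversal": literal ".." in the path; the workaround would catch it.
    "encoded":   ".." appears only after one round of percent-decoding
                 (assumption: a single decode pass). Whether the filter or
                 proxy matches the decoded form is deployment-specific, so
                 review these by hand.
    "clean":     neither.
    """
    if matches_mitigation_rule(request_target):
        return "traversal"
    if matches_mitigation_rule(unquote(request_target)):
        return "encoded"
    return "clean"


def scan_access_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (label, request_target) for every request that is not clean."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if match is None:
            continue  # not a request line (rotated header, truncated entry)
        label = classify_request(match.group("target"))
        if label != "clean":
            hits.append((label, match.group("target")))
    return hits


# Constructed sample log lines, not real Jira traffic; the client address,
# paths and issue key are illustrative only.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2019:10:00:01 +0000] "GET /servicedesk/customer/portal/1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [18/Sep/2019:10:00:02 +0000] "GET /servicedesk/customer/portal/1/../../browse/ABC-1 HTTP/1.1" 200 8801',
    '10.0.0.5 - - [18/Sep/2019:10:00:03 +0000] "GET /servicedesk/customer/portal/1/%2e%2e/%2e%2e/browse/ABC-1 HTTP/1.1" 200 8801',
    '10.0.0.5 - - [18/Sep/2019:10:00:04 +0000] "GET /browse/ABC-1?filter=..%2f HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for label, target in scan_access_log(SAMPLE_LOG):
        print(f"{label:9s} {target}")
```

Running it over the constructed log flags the second line as "traversal" and
the third as "encoded"; the fourth, with ".." only in the query string, is
reported clean, which is the rule's intended scope. Two practical checks
follow from this: confirm whether your proxy or UrlRewriteFilter matches
against the raw or the decoded request URI before trusting the rule against
encoded variants, and, because the rule redirects any path containing a
literal "..", look at your own access logs for legitimate requests that would
be caught before deploying it.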