===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3583
         Jira Service Desk Server & Jira Service Desk Data Center:
                            URL path traversal
                             23 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jira Service Desk Server
                   Jira Service Desk Data Center
Publisher:         Atlassian
Operating System:  Windows
                   Linux variants
                   Mac OS
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14994  

Original Bulletin: 
   https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-09-18-976171274.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Jira Service Desk Server and Jira Service Desk Data Center - URL path traversal
allows information disclosure - CVE-2019-14994

Advisory Release Date: 18 Sep 2019 10:00 AM PDT (Pacific Time, -7 hours)

Product:                 Jira Service Desk Server and Jira Service Desk Data
                         Center

                         This does not affect Jira Service Desk Cloud.

                         This does not affect Jira Core or Jira Software on
                         instances where Jira Service Desk is not installed.

Affected Jira Service    * version < 3.9.16
Desk Server and Jira     * 3.10.0 <= version < 3.16.8
Service Desk Data        * 4.0.0 <= version < 4.1.3
Center Versions:         * 4.2.0 <= version < 4.2.5
                         * 4.3.0 <= version < 4.3.4
                         * 4.4.0 <= version < 4.4.1

                         That is:
                         * All versions before 3.9.16
                         * 3.10.x
                         * 3.11.x
                         * 3.12.x
                         * 3.13.x
                         * 3.14.x
                         * 3.15.x
                         * 3.16.x before 3.16.8 (the fixed version for 3.16.x)
                         * 4.0.x
                         * 4.1.x before 4.1.3 (the fixed version for 4.1.x)
                         * 4.2.x before 4.2.5 (the fixed version for 4.2.x)
                         * 4.3.x before 4.3.4 (the fixed version for 4.3.x)
                         * 4.4.x before 4.4.1 (the fixed version for 4.4.x)

Fixed Jira Service       * 3.9.16
Desk Versions:           * 3.16.8
                         * 4.1.3
                         * 4.2.5
                         * 4.3.4
                         * 4.4.1

CVE ID(s):               CVE-2019-14994

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability in Jira
Service Desk Server and Jira Service Desk Data Center. Versions before 3.9.16,
from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5,
from 4.3.0 before 4.3.4, and version 4.4.0 are affected by this vulnerability. 

Atlassian Cloud instances have already been upgraded to a version of Jira
Service Desk which does not have the issue described on this page.

Customers who have upgraded Jira Service Desk Server & Jira Service Desk Data
Center to 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4, or 4.4.1 are not affected.

Customers who have downloaded and installed Jira Service Desk Server & Jira
Service Desk Data Center versions:

  * All versions before 3.9.16
  * 3.10.x
  * 3.11.x
  * 3.12.x
  * 3.13.x
  * 3.14.x
  * 3.15.x
  * 3.16.x before 3.16.8 (the fixed version for 3.16.x)
  * 4.0.x
  * 4.1.x before 4.1.3 (the fixed version for 4.1.x)
  * 4.2.x before 4.2.5 (the fixed version for 4.2.x)
  * 4.3.x before 4.3.4 (the fixed version for 4.3.x)
  * 4.4.0 before 4.4.1 (the fixed version for 4.4.x)

Please upgrade your Jira Service Desk Server & Jira Service Desk Data Center
installations immediately to fix this vulnerability.

URL path traversal allows information disclosure - CVE-2019-14994

Severity

Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT
environment.

Description

By design, Jira Service Desk gives customer portal users permissions only to
raise requests and view issues. This allows users to interact with the customer
portal without having direct access to Jira. These restrictions can be bypassed
by any attacker with portal access* who exploits a path traversal
vulnerability. Exploitation allows an attacker to view all issues within all
Jira projects contained in the vulnerable instance. This could include Jira
Service Desk projects, Jira Core projects, and Jira Software projects.

All versions of Jira Service Desk before 3.9.16, from 3.10.0 before 3.16.8,
from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and
4.4.0 are affected by this vulnerability. This issue can be tracked here:
JSDSERVER-6517

* Note that attackers can grant themselves access to Jira Service Desk portals
that have the "Anyone can email the service desk or raise a request in the
portal" setting enabled. Changing this permission does not remove the
vulnerability to exploitation by an attacker who already has portal access.
Atlassian does not recommend changing the permission; instead, please read on
and follow the instructions outlined in the section "What You Need to Do".

Acknowledgements

We would like to acknowledge Sam Curry for finding this vulnerability.

Fix

We have released the following versions of Jira Service Desk Server & Jira
Service Desk Data Center to address this issue:

  * 4.4.1 which can be downloaded from https://www.atlassian.com/software/jira/
    service-desk/update
  * 4.3.4 which can be downloaded from https://www.atlassian.com/software/jira/
    service-desk/update
  * 4.2.5 which can be downloaded from https://www.atlassian.com/software/jira/
    service-desk/update
  * 4.1.3 which can be downloaded from https://www.atlassian.com/software/jira/
    service-desk/update
  * 3.16.8 which can be downloaded from https://www.atlassian.com/software/jira
    /service-desk/update
  * 3.9.16 which can be downloaded from https://www.atlassian.com/software/jira
    /service-desk/update

What You Need to Do

Mitigation

If you are unable to upgrade Jira Service Desk immediately or are in the
process of migrating to Jira Cloud, then as a temporary workaround, you can:

  * Block requests to JIRA containing .. at the reverse proxy or load balancer
    level, or
  * Alternatively, configure JIRA to redirect requests containing .. to a safe
    URL:
      + Add the following to the <urlrewrite> section of 
        [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

            <rule>
                <from>^/[^?]*\.\..*$</from>
                <to type="temporary-redirect">/</to>
            </rule>

      + After saving the changes above, restart Jira

After upgrading Jira Service Desk this mitigation can be removed.

Upgrading Jira Service Desk

Atlassian recommends that you upgrade to the latest version. For a full
description of the latest version of Jira Service Desk Server & Jira Service
Desk Data Center, see the Release Notes. You can download the latest version of
Jira Service Desk Server & Jira Service Desk Data Center from the Download
Center.

Upgrade Jira Service Desk to a version as specified below.

Upgrading Jira Service Desk also requires upgrading Jira Core. Check the
compatibility matrix to find the equivalent version for your Jira Service Desk
version.

If you have version...   ...then upgrade to this bugfix version:

4.4.0                    4.4.1
4.3.x                    4.3.4
4.2.x                    4.2.5
4.1.x                    4.1.3
3.16.x                   3.16.8
3.9.x                    3.16.8 (Recommended) or 3.9.16
Older versions           Current versions: 4.4.1 or 4.3.4
                         Enterprise releases: 3.16.8 (Recommended) or 3.9.16

Finding Evidence of Exploitation

The Jira KB contains instructions on how to determine if any attempts were made
to exploit your Jira Service Desk instance.

Please note: Atlassian has no evidence that this vulnerability has been
exploited in the wild.
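The following is an added example, not part of the Atlassian advisory or the Jira KB article it refers to. It applies the same regular expression as the urlrewrite.xml workaround above to request targets, both to show which requests the temporary rule would redirect (note that it only inspects the part of the URL before any query string) and to scan constructed access-log lines for requests that would have matched, as a first pass at the "finding evidence" step. The log format, IP addresses and paths are constructed for this illustration.

```python
import re

# Same pattern as the advisory's urlrewrite <from> rule; the Java regex syntax used
# there is identical in Python for this expression.
RULE_FROM = re.compile(r"^/[^?]*\.\..*$")

def would_redirect(target: str) -> bool:
    """True if the workaround rule would send this request target to '/'.

    '[^?]*' stops at the first '?', so '..' inside a query string does not match;
    the rule is scoped to the URL path, which is where the traversal lives.
    """
    return RULE_FROM.match(target) is not None

# Constructed combined-log-format lines (hypothetical data, not from a real instance).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2019:10:01:02 +0000] "GET /servicedesk/customer/portal/1 HTTP/1.1" 200 5120
10.0.0.9 - - [19/Sep/2019:10:01:05 +0000] "GET /servicedesk/customer/portal/1/../../example HTTP/1.1" 302 0
10.0.0.9 - - [19/Sep/2019:10:01:07 +0000] "GET /servicedesk/customer/portal/1?q=a..b HTTP/1.1" 200 2048
"""

# Minimal parser for the constructed log format: client IP, timestamp, method,
# request target and HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_traversal_attempts(log_text: str):
    """Return (ip, timestamp, target, status) for each request the rule would match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if would_redirect(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal-style request:", hit)
```

A 302 on a matching request indicates the workaround rule was in place at the time; a 200 on one logged before the rule was deployed is what the Jira KB procedure should be consulted about.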

Support

If you did not receive an email for this advisory and you wish to receive such
emails in the future go to https://my.atlassian.com/email and subscribe
to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

Last modified on Sep 19, 2019

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================