-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4236
              Jira Service Desk Security Advisory 2019-11-06
                             11 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jira Service Desk Server
                   Jira Service Desk Data Center
Publisher:         Atlassian
Operating System:  Windows
                   Linux variants
                   Mac OS
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-15004 CVE-2019-15003 

Original Bulletin: 
   https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-11-06-979412717.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Jira Service Desk Security Advisory 2019-11-06

Jira Service Desk Server and Jira Service Desk Data Center 
 - Authorization Bypass allows information disclosure 
 - CVE-2019-15003

This email refers to the advisory found at
https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-11-06-979412717.html

CVE ID:

* CVE-2019-15003
* CVE-2019-15004



Product: Jira Service Desk Server and Data Center.

Affected Jira Service Desk Server and Data Center product versions:

version < 3.9.17
3.10.0 <= version < 3.16.11
4.0.0 <= version < 4.2.6
4.3.0 <= version < 4.3.5
4.4.0 <= version < 4.4.3
4.5.0 <= version < 4.5.1


Fixed Jira Service Desk Server and Data Center product versions:

* for 3.9.x, Jira Service Desk Server and Data Center 3.9.17 has been released
with a fix for this issue.
* for 3.16.x, Jira Service Desk Server and Data Center 3.16.11 has been released
with a fix for this issue.
* for 4.2.x, Jira Service Desk Server and Data Center 4.2.6 has been released
with a fix for this issue.
* for 4.3.x, Jira Service Desk Server and Data Center 4.3.5 has been released
with a fix for this issue.
* for 4.4.x, Jira Service Desk Server and Data Center 4.4.3 has been released
with a fix for this issue.
* for 4.5.x, Jira Service Desk Server and Data Center 4.5.1 has been released
with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Jira Service Desk Server and Data Center  are affected by this vulnerability.



Customers who have upgraded Jira Service Desk Server and Data Center to version
3.9.17 or 3.16.11 or 4.2.6 or 4.3.5 or 4.4.3 or 4.5.1 are not affected.

Customers who have downloaded and installed Jira Service Desk Server and Data
Center less than 3.9.17 (the fixed version for 3.9.x) or who have downloaded and
installed Jira Service Desk Server and Data Center >= 3.10.0 but less than
3.16.11 (the fixed version for 3.16.x) or who have downloaded and installed Jira
Service Desk Server and Data Center >= 4.0.0 but less than 4.2.6 (the fixed
version for 4.2.x) or who have downloaded and installed Jira Service Desk Server
and Data Center >= 4.3.0 but less than 4.3.5 (the fixed version for 4.3.x) or
who have downloaded and installed Jira Service Desk Server and Data Center >=
4.4.0 but less than 4.4.3 (the fixed version for 4.4.x) or who have downloaded
and installed Jira Service Desk Server and Data Center >= 4.5.0 but less than
4.5.1 (the fixed version for 4.5.x) please upgrade your Jira Service Desk Server
and Data Center installations immediately to fix this vulnerability.



URL path traversal allows information disclosure - CVE-2019-15003

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

By design, Jira Service Desk gives customer portal users permissions only to
raise requests and view issues. This allows users to interact with the customer
portal without having direct access to Jira. These restrictions can be bypassed
by a remote attacker with portal access who exploits a path traversal
vulnerability. Note that attackers can grant themselves access to Jira Service
Desk portals that have the Anyone can email the service desk or raise a request
in the portal setting enabled. Exploitation allows an attacker to view all
issues within all Jira projects contained in the vulnerable instance. This could
include Jira Service Desk projects, Jira Core projects, and Jira Software
projects.
Versions of Jira Service Desk Server and Data Center all versions before 3.9.17
(the fixed version for 3.9.x), from version 3.10.0 before 3.16.10 (the fixed
version for 3.16.x), from version 4.0.0 before 4.2.6 (the fixed version for
4.2.x), from version 4.3.0 before 4.3.5 (the fixed version for 4.3.x), from
version 4.4.0 before 4.4.3 (the fixed version for 4.4.x), and from version 4.5.0
before 4.5.1 (the fixed version for 4.5.x) are affected by this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/JSDSERVER-6589
.



Fix:

To address this issue, we've released the following versions containing a fix:

* Jira Service Desk Server and Data Center version 3.9.17
* Jira Service Desk Server and Data Center version 3.16.11
* Jira Service Desk Server and Data Center version 4.2.6
* Jira Service Desk Server and Data Center version 4.3.5
* Jira Service Desk Server and Data Center version 4.4.3
* Jira Service Desk Server and Data Center version 4.5.1

Remediation:

Upgrade Jira Service Desk Server and Data Center to version 4.5.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Jira Service Desk Server and Data Center 3.9.x and cannot
upgrade to 4.5.1, upgrade to version 3.9.17.
If you are running Jira Service Desk Server and Data Center 3.16.x and cannot
upgrade to 4.5.1, upgrade to version 3.16.11.
If you are running Jira Service Desk Server and Data Center 4.2.x and cannot
upgrade to 4.5.1, upgrade to version 4.2.6.
If you are running Jira Service Desk Server and Data Center 4.3.x and cannot
upgrade to 4.5.1, upgrade to version 4.3.5.
If you are running Jira Service Desk Server and Data Center 4.4.x and cannot
upgrade to 4.5.1, upgrade to version 4.4.3.


For a full description of the latest version of Jira Service Desk Server and
Data Center, see
the release notes found at
https://confluence.atlassian.com/servicedesk/jira-service-desk-release-notes-780083086.html.
You can download the latest version of Jira Service Desk Server and Data Center
from the download centre found at
https://www.atlassian.com/software/jira/service-desk/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.


- -----BEGIN PGP SIGNATURE-----

iQJLBAEBCgA1FiEEXh3qw5vbMx/VSutRJCCXorxSdqAFAl3E4DkXHHNlY3VyaXR5
QGF0bGFzc2lhbi5jb20ACgkQJCCXorxSdqCHlhAAms1Ea3KA/TJEtsdOtlH3kw4h
1wN3Pk18v986BwDsE06pO3HsY8ra608o1Pzx++AVdLnPQU+fIBUfg2SKBIn/ACGS
7s8qKCzcveZsCnZqHJaaSNYubGxiT20QnxfBDh8tTCJzp0m5s9zdArNb4kITUsWT
pLH0gQ/cPx4Ureb8nO2JpcpU9joJdAODU7NCF+jRCmDreYJBWwROGtCnP4VPmquC
v0CsvfMAFENscvAszxAybXNG5CoiBjb0+qwJq8K6yWeu6c5kwGoh7k90Hk5JdDJm
z1MTJb6T9FTHvlmfGUfCOVFpvFtuNzFaPBhxfKaHHYlksOnXzTHztlJsi+nuojyE
FAONVh3Fcq+cL2DB/jAOxnBgcWvOIWYkgNkRFyZIZ+y09LuFTowzlShy9+RC9+0z
kH+w7HKgA0gSeJvvrgTW5BUaOklvT7wVKMmG+aEz0w32kJhPwPIgcPtIQ2uAYj9C
uJKP5FwKULoWUXMDWclrY3xMxSRL/g7bv0ZAVlGzLdtFBkr0zZexdm/FJoAr7nQU
7Et0TjVKHzr00Y0kCVO/fmN3BWK12iNrOZZ1Vo4j/u8xL7BxqqimrlN1jfv+46lt
t8LF2JwCaVV9qirrVJDj6T650aLyXdKgTYrrvJtXjCnmnhixd/t1yDcnd585iKva
xgbVIqGBDtaP+lRrsTs=
=TvXO
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXcjfSmaOgq3Tt24GAQgErA//UlIfh0B2zSaVVtcx7FY3SP/veQWdohyj
KNjXoChLpHHi0cpyPbqY3GkBd0UkusKI3VeHmiAod1/TGKUXE904TyhZPfXaUpxN
pYM2A4XmTVK2UcDb1XDXvC26ZhRF/OgY4dx/24buhFOtU/Mfuh6Aay7J/0wnjLHY
BU5QWsBMs4OuFohfMLDBuyYbjv+vHd0BaETIuwtHZnJvPqGUmKMrHSgIAP0di7oE
lnJOxFLOekQaTVXmwEKzfzbdEdXJJk0rq/zlYG14qu4VbasJMXkWKemr+StPAcW0
naLmxVkxN4i+23zC8f59uXQF2+nLZcGyhard2c+iTkVCw3xF0EDOcgYnQCqRX9Zz
Rqbp/D8UfhmNgKACFeK8EQKY8EY5nfUAQObY2SapQpXlKj6yG3RVgsNbpZ7yKF+H
6a2Vs77mT/QECFhBYN7H6N2xrysDONyBOn99kKJfa7AQ3l90wYtEK3XMGRQVrQOg
kUe4qoAECxPl0wCXDUHD4Z+JZUsvVtiBC/hfv7NrADnlPi8T8f5l/s0lFJk6bKEs
W54N49FW1RXs7Mav2n5bR1/MwEVv7CVN6UobVzz7GVhabcxGxcLsi/xt/6rS7Z1k
Fi/5xFiDjr5lJDgPSfmA9slmgLo41wy5CZ4ceGhudBs2KnauB6Y488NPPW0z5/NK
bfNh1Wimw0k=
=LRdY
-----END PGP SIGNATURE-----