Security Alert: Versions of JIRA 4.1.x to 4.3.x are affected

Subject:   Security Alert: Versions of JIRA 4.1.x to 4.3.x are affected
From:   Atlassian <noreply at mailer dot atlassian dot com>
Date:   27 September 2011 18:29

We are writing to inform you of recently discovered security vulnerabilities in JIRA. These security vulnerabilities are rated as high. To fix these vulnerabilities, you should upgrade to JIRA 4.4 or later.
 
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to http://confluence.atlassian.com/x/S4CzDw.
 
If you have any questions or concerns about this security vulnerability or about our policy of disclosure of security vulnerabilities, please visit our page on Atlassian Security Policies (http://confluence.atlassian.com/display/Support/Atlassian+Security+Policies) or raise a support request at http://support.atlassian.com/.
 
This advisory announces a number of security vulnerabilities that we have found in versions 4.1.x - 4.3.x of JIRA and fixed in version 4.4 of JIRA. You need to upgrade your existing JIRA installations to fix these vulnerabilities. Enterprise Hosted customers should request an upgrade by filing a ticket at http://support.atlassian.com. JIRA Studio is not vulnerable to any of the issues described in this advisory.
 
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
 
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
 
XSS VULNERABILITIES IN ISSUE LINKING AND LABELLING
 
SEVERITY:
 
Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues (http://confluence.atlassian.com/display/DOC/Severity+Levels+for+Security+Issues). The scale allows us to rank the severity as critical, high, moderate or low. This vulnerability is not critical.
 
This is an independent assessment and you should evaluate its applicability to your own environment.
 
RISK ASSESSMENT:
 
We have identified and fixed several cross-site scripting (XSS) vulnerabilities which may affect JIRA instances.  XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page.
 
You can read more about XSS attacks at cgisecurity (http://www.cgisecurity.com), the Web Application Security Consortium (http://www.webappsec.org) and other places on the web.
 
VULNERABILITY:
 
Issue linking:
 
The way issue summaries were rendered when displaying issue links allows arbitrary JavaScript execution.
 
Versions of JIRA 4.1.x to 4.3.x prior to 4.4 are affected.
 
Labelling:
 
Certain issue labels could be created containing JavaScript, which then could be rendered on other pages.
 
Versions of JIRA 4.1.x to 4.3.x prior to 4.4 are affected.
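To illustrate the defect class described above for issue linking and labelling, the following is an added Python example, not JIRA's own code: a link renderer that interpolates an issue summary into HTML verbatim, the escaped form that neutralises stored markup, and a review check that flags stored summaries and labels containing markup so an administrator can inspect them after upgrading. The issue data is constructed for the example.

```python
import html
import re

# Constructed sample data standing in for issue summaries and labels held
# by a JIRA instance; none of these are real issues.
ISSUES = {
    "TEST-1": {"summary": "Login page broken", "labels": ["ui", "login"]},
    "TEST-2": {"summary": "Title <script>alert(1)</script>", "labels": ["regression"]},
    "TEST-3": {"summary": 'Quote " test', "labels": ["<img src=x onerror=alert(1)>"]},
}

def render_link_unsafe(key, summary):
    """Illustrates the pre-4.4 behaviour: the summary is placed into the
    markup unescaped, so markup stored in the summary becomes page content."""
    return '<a href="/browse/%s" title="%s">%s</a>' % (key, summary, key)

def render_link_safe(key, summary):
    """Hardened form: HTML-escape the summary. quote=True also escapes the
    double quote, which matters because the value sits in an attribute."""
    safe = html.escape(summary, quote=True)
    return '<a href="/browse/%s" title="%s">%s</a>' % (key, safe, key)

def render_label_safe(label):
    """Labels are rendered on many pages, so they get the same treatment."""
    return '<span class="label">%s</span>' % html.escape(label, quote=True)

# A tag start, or a quote followed by an attribute-like name and '='.
ACTIVE_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|[\"']\s*[a-zA-Z-]+\s*=")

def find_suspicious(issues):
    """Return (issue key, field, value) for stored summaries and labels that
    contain markup. An upgraded instance renders them inertly, but they are
    the values worth reviewing for abuse that predates the fix."""
    hits = []
    for key, issue in issues.items():
        if ACTIVE_MARKUP.search(issue["summary"]):
            hits.append((key, "summary", issue["summary"]))
        for label in issue["labels"]:
            if ACTIVE_MARKUP.search(label):
                hits.append((key, "label", label))
    return hits

if __name__ == "__main__":
    for key, field, value in find_suspicious(ISSUES):
        print(key, field, repr(value))
```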
 
RISK MITIGATION:
 
We strongly recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.
 
FIX:
 
These vulnerabilities have been fixed in JIRA 4.4 (http://confluence.atlassian.com/display/JIRA/JIRA+4.4+Release+Notes) and later versions.
 
For a full description of the latest version of JIRA, see the release notes (http://confluence.atlassian.com/display/JIRA/JIRA+Releases). You can download the latest version of JIRA from the download centre (http://www.atlassian.com/software/jira/JIRADownloadCenter.jspa).
 
If you cannot upgrade to the latest version of JIRA, you can temporarily patch your existing installation of JIRA 4.3.x or JIRA 4.2.x using the patches listed below. We strongly recommend upgrading and not patching.
 
PATCHES:
 
If you are running JIRA 4.3.x, you can apply the following patch to fix these vulnerabilities.
 
Vulnerability: Linking and Labelling
 
Patch: Attached to issue JRA-24773 (http://jira.atlassian.com/browse/JRA-24773)
 
Patch File Name: JRA-24773-4.3.4-patch.zip (https://jira.atlassian.com/secure/attachment/49208/JRA-24773-4.3.4-patch.zip)
 
Instructions: JRA-24773-4.3.4-patch-instructions.txt (https://jira.atlassian.com/secure/attachment/48514/JRA-24773-4.3.4-patch-instructions.txt)
 
If you are running JIRA 4.2.x, you can apply the following patch to fix these vulnerabilities.
 
Vulnerability: Linking and Labelling
 
Patch: Attached to issue JRA-24773 (http://jira.atlassian.com/browse/JRA-24773)
 
Patch File Name: JRA-24773-4.2.4-patch.zip (https://jira.atlassian.com/secure/attachment/49213/JRA-24773-4.2.4-patch.zip)
 
Instructions: JRA-24773-4.2.4-patch-instructions.txt (https://jira.atlassian.com/secure/attachment/49211/JRA-24773-4.2.4-patch-instructions.txt)
 
XSS VULNERABILITY IN ADMINISTRATION INTERFACE OF JIRA BAMBOO PLUGIN
 
SEVERITY:
 
Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues (http://confluence.atlassian.com/display/DOC/Severity+Levels+for+Security+Issues). The scale allows us to rank the severity as critical, high, moderate or low. This vulnerability is not critical.
 
This is an independent assessment and you should evaluate its applicability to your own environment.
 
RISK ASSESSMENT:
 
We have identified and fixed a cross-site scripting (XSS) vulnerability which may affect JIRA instances.  XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page.
 
You can read more about XSS attacks at cgisecurity (http://www.cgisecurity.com), the Web Application Security Consortium (http://www.webappsec.org) and other places on the web.
 
VULNERABILITY:
 
JIRA administration interface (Bamboo plugin):
 
There is a non-persistent XSS vector in the JIRA administration interface related to managing JIRA Bamboo settings.
 
Versions of JIRA 4.3.x are affected.
 
RISK MITIGATION:
 
We strongly recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.
 
FIX:
 
This vulnerability has been fixed in JIRA 4.4 (http://confluence.atlassian.com/display/JIRA/JIRA+4.4+Release+Notes) and later versions.
 
For a full description of the latest version of JIRA, see the release notes (http://confluence.atlassian.com/display/JIRA/JIRA+Releases). You can download the latest version of JIRA from the download centre (http://www.atlassian.com/software/jira/JIRADownloadCenter.jspa).
 
If you cannot upgrade to the latest version of JIRA, you can upgrade only the Bamboo Plugin in your existing installation of JIRA 4.3.x or JIRA 4.2.x using the patches listed below. We strongly recommend upgrading the full JIRA instance instead of a single plugin.
 
PATCHES:
 
If you are running JIRA 4.3.x, use the plugin manager to upgrade the Bamboo plugin to a version equal to or greater than that specified in the file name below. Both Bamboo Plugin 4.2.x and 4.3.x support JIRA 4.3.x, see the compatibility matrix at Plugin Exchange (https://plugins.atlassian.com/plugin/details/4946).
 
Vulnerability: JIRA Bamboo Plugin
 
Plugin: At Plugin Exchange (https://plugins.atlassian.com/plugin/details/4946)
 
Plugin version: 4.2.1+ or 4.3.1+
 
Instructions: https://confluence.atlassian.com/display/JIRA043/Managing+JIRA%27s+Plugins#ManagingJIRAsPlugins-UpdatingaJIRAPlugin
 
If you are running JIRA 4.2.x, you can upgrade the plugin as described below. The vulnerability is not exploitable in JIRA 4.2.x, but we recommend upgrading the plugin anyway.
 
Vulnerability: JIRA Bamboo Plugin
 
Plugin: At Plugin Exchange (https://plugins.atlassian.com/plugin/details/4946)
 
Plugin version: 4.1.5+
 
Instructions: https://confluence.atlassian.com/display/JIRA042/Managing+JIRA%27s+Plugins#ManagingJIRAsPlugins-UpdatingaJIRAPlugin
 
ACKNOWLEDGEMENT:
 
Our thanks to Dave B, who reported one of the vulnerabilities in this advisory. We fully support the reporting of vulnerabilities (see http://confluence.atlassian.com/display/JIRA/How+to+Report+a+Security+Issue) and we appreciate it when people work with us to identify and solve the problem.
 
Securely yours,
 
Atlassian