Dear customers,
We are writing to inform you of a newly-discovered security vulnerability in JIRA. This security vulnerability has a severity level of critical and exists in all versions of JIRA up to and including 5.0.0.
* Customers who have downloaded and installed JIRA should upgrade their existing JIRA installations to fix this vulnerability. We also provide a patch that you will be able to apply to existing installations of JIRA to fix this vulnerability. However, we recommend that you upgrade your complete JIRA installation rather than applying the patch.
* Enterprise Hosted customers need to request an upgrade by raising a support request at
http://support.atlassian.com in the "Enterprise Hosting Support" project.
* JIRA Studio and Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17.
If you have questions or concerns regarding this advisory, please raise a support request at
http://support.atlassian.com/.
*** Security Advisory ***
*High Severity XML Parsing Vulnerability*
Severity -- Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues:
http://confluence.atlassian.com/display/DOC/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description -- We have identified and fixed a vulnerability in JIRA that results from the way third-party XML parsers are used in JIRA. This vulnerability allows an attacker who is an authenticated JIRA user to execute denial of service attacks against the JIRA server. All versions of JIRA up to and including 5.0.0 are affected by this vulnerability. This issue can be tracked here:
https://jira.atlassian.com/browse/JRA-27719
The Tempo and Gliffy for JIRA plugins are also affected by this vulnerability. If you are using these plugins with any version of JIRA, you will need to upgrade them (see the 'Fix' section below) or disable them.
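The description above says only that the flaw lies in the way third-party XML parsers are used in JIRA; the advisory does not name the parser features at fault. The following is an added example, not code from Atlassian, JIRA or the plugins mentioned, showing the standard JAXP configuration that closes off the DTD-driven class of XML denial of service (entity expansion and external entity resolution), on the assumption that this is the class in play. The class name, method names and the two sample documents are hypothetical and constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Hardened JAXP DOM parser set-up (hypothetical helper, not JIRA's own code).
 * A DOCTYPE is the only place an XML document can declare entities, so refusing
 * it up front removes both entity-expansion (DoS) and external-entity (XXE)
 * behaviour in one step; the remaining features are defence in depth for
 * parser implementations that do not honour disallow-doctype-decl.
 */
public final class HardenedXmlParser {

    private HardenedXmlParser() {}

    public static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Ask the parser to enforce its built-in resource limits (entity count, nesting depth, ...).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any document that carries a DOCTYPE: the parser raises a SAXParseException
        // before a single entity declaration is processed.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: no external entities, no external DTD fetches, no XInclude.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses XML received from an untrusted source with the hardened factory. */
    public static Document parseUntrusted(byte[] xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = newHardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml));
    }

    /** Returns true when the parser accepts the document, false when it refuses it. */
    public static boolean accepts(String xml) throws ParserConfigurationException, IOException {
        try {
            parseUntrusted(xml.getBytes(StandardCharsets.UTF_8));
            return true;
        } catch (SAXException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, not real JIRA traffic.
        String plain = "<issue><key>DEMO-1</key><summary>hello</summary></issue>";
        String withDoctype =
            "<!DOCTYPE issue [<!ENTITY greeting \"hello\">]>"
            + "<issue><summary>&greeting;</summary></issue>";

        System.out.println("plain document accepted:   " + accepts(plain));
        System.out.println("DOCTYPE document accepted: " + accepts(withDoctype));
    }
}
```

The first sample document carries no DOCTYPE and parses normally; the second is refused at the DOCTYPE itself, so the entity it declares is never read, let alone expanded. When auditing an application or plugin for this class of issue, the check is whether every DocumentBuilderFactory, SAXParserFactory, XMLInputFactory or equivalent that sees user-supplied XML is configured this way, rather than with the library defaults.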
Risk Mitigation -- We recommend that you upgrade your JIRA installation to fix this vulnerability. Alternatively, if you are not in a position to upgrade immediately, you should disable public access (such as anonymous access and public signup) to your JIRA installation until you have applied the necessary patch or upgraded.
Fix
* Upgrade (recommended) --
1. Upgrade to JIRA 5.0.1 or later, which fixes this vulnerability. For a full description of this release, see
http://confluence.atlassian.com/display/JIRA/JIRA+5.0.1+Release+Notes. You can download this version of JIRA from the download centre:
http://www.atlassian.com/software/jira/JIRADownloadCenter.jspa
2. Upgrade the following JIRA third-party plugins, if you are using them. The list below describes which version of the plugin you should upgrade to, depending on your JIRA version. See
http://confluence.atlassian.com/display/JIRA/Managing+JIRA%27s+Plugins for instructions on how to upgrade a plugin. In general, you should upgrade these plugins to the latest available version compatible with your version of JIRA.
** JIRA 5.0 -- Gliffy plugin for JIRA 3.7.1, Tempo 7.0.3
** JIRA 4.4 -- Gliffy plugin for JIRA 3.7.1, Tempo 6.5.1
** JIRA 4.3 -- Gliffy plugin for JIRA 3.7.1, Tempo 6.4.3.1
** JIRA 4.2 -- Gliffy plugin for JIRA 3.7.1, Tempo 6.4.3.1
* Patches (not recommended) --
We recommend patching only when you can neither upgrade nor apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per
http://confluence.atlassian.com/display/JIRA/Security+Patch+Policy), as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative; we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.
If for some reason you cannot upgrade to the latest version of JIRA, you must do all of the following steps to fix the vulnerability described in this security advisory.
1. Download the patch file for your version of JIRA. Note, the patches are only available for the point release indicated. If you are using an earlier point release for a major version, you must upgrade to the latest point release first.
** JIRA 4.4.5 --
http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-27719-4.4.5-atlassian-bundled-plugins.zip
** JIRA 4.3.4 --
http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-27719-4.3.4-atlassian-bundled-plugins.zip
** JIRA 4.2.4 --
http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-27719-4.2.4-atlassian-bundled-plugins.zip
** JIRA 4.1.2 --
http://www.atlassian.com/software/jira/downloads/binary/patch-JRA-27719-4.1.2-atlassian-bundled-plugins.zip
2. Update the following files in your JIRA installation, as described below.
** JIRA:
**a. Shut down JIRA.
**b. Replace $JIRA_INSTALL/atlassian-jira/WEB-INF/classes/atlassian-bundled-plugins.zip with the patch file downloaded in Step 1 above.
**c. Delete the $JIRA_HOME/plugins/.bundled-plugins directory.
**d. Restart JIRA.
** JIRA WAR:
**a. Replace $JIRA_WAR_INSTALL/webapp/WEB-INF/classes/atlassian-bundled-plugins.zip with the patch file downloaded in Step 1 above.
**b. Regenerate the WAR file.
**c. Shut down JIRA.
**d. Install the new WAR you generated.
**e. Delete the $JIRA_HOME/plugins/.bundled-plugins directory.
**f. Restart JIRA.
3. Upgrade the following JIRA third-party plugins, if you are using them. The list below describes which version of the plugin you should upgrade to, depending on your JIRA version. See
http://confluence.atlassian.com/display/JIRA/Managing+JIRA%27s+Plugins for instructions on how to upgrade a plugin. In general, you should upgrade these plugins to the latest available version compatible with your version of JIRA.
** JIRA 5.0 -- Gliffy plugin for JIRA 3.7.1, Tempo 7.0.3
** JIRA 4.4 -- Gliffy plugin for JIRA 3.7.1, Tempo 6.5.1
** JIRA 4.3 -- Gliffy plugin for JIRA 3.7.1, Tempo 6.4.3.1
** JIRA 4.2 -- Gliffy plugin for JIRA 3.7.1, Tempo 6.4.3.1
Securely yours,
Atlassian