Dear customers,
We are writing to inform you of newly-discovered security vulnerabilities that we have found in JIRA and fixed in a recent version of JIRA.
* Customers who have downloaded and installed JIRA should upgrade their existing JIRA installations to fix these vulnerabilities.
* Enterprise Hosted customers need to request an upgrade by raising a support request at
http://support.atlassian.com in the "Enterprise Hosting Support" project.
* Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-08-28.
If you have questions or concerns regarding this advisory, please raise a support request at
http://support.atlassian.com/.
*** Security advisory ***
*Privilege escalation vulnerability*
Severity -- Atlassian rates the severity level of this vulnerability as Critical, according to the scale published in Severity Levels for Security Issues:
http://confluence.atlassian.com/display/JIRA/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description -- We have identified and fixed a privilege escalation vulnerability that affects JIRA instances, including publicly available instances (that is, Internet-facing servers). This vulnerability allows an attacker to bypass administrator-only authorization controls via specially crafted URLs. The attacker does not need to have an account on the affected JIRA server. As a result, the attacker will be able to execute a large number of administrative actions. This vulnerability has been fixed in JIRA 5.0.7 and later. Patches are available for JIRA 4.3.4, 4.4.5 and 5.0.6. This issue can be tracked here:
https://jira.atlassian.com/browse/JRA-29403
Risk Mitigation -- If you cannot upgrade immediately, you can disable public access to your JIRA instance. You can also turn on Secure Administrator sessions (also known as WebSudo) which will significantly reduce the number of actions available to an attacker. WebSudo does not completely mitigate this vulnerability, as it does not protect non-administrative actions.
Fix --
* Upgrade (recommended) -- The vulnerability and fix versions are described in the 'Description' section above. We recommend that you upgrade to JIRA 5.0.7 or later. For a full description of the latest version of JIRA, see the release notes:
http://confluence.atlassian.com/display/JIRA/Production+Releases. You can download the latest version of JIRA from the download centre:
http://www.atlassian.com/software/jira/JIRADownloadCenter.jspa. If you cannot upgrade to the latest version of JIRA, you can temporarily patch your existing installation using the patches listed below. We strongly recommend upgrading and not patching.
* Patches (not recommended)
** JIRA 4.3.4 --
https://jira.atlassian.com/secure/attachment/70013/JRA-29403-4.3.4-patch.zip (Instructions:
https://jira.atlassian.com/secure/attachment/70011/JRA-29403-4.3.4-patch-instructions.txt)
** JIRA 4.4.5 --
https://jira.atlassian.com/secure/attachment/70016/JRA-29403-4.4.5-patch.zip (Instructions:
https://jira.atlassian.com/secure/attachment/70014/JRA-29403-4.4.5-patch-instructions.txt)
** JIRA 5.0.6 --
https://jira.atlassian.com/secure/attachment/70019/JRA-29403-5.0.6-patch.zip (Instructions:
https://jira.atlassian.com/secure/attachment/70017/JRA-29403-5.0.6-patch-instructions.txt)
*XSS Vulnerabilities*
Severity -- Atlassian rates the severity level of these vulnerabilities as High, according to the scale published in Severity Levels for Security Issues:
http://confluence.atlassian.com/display/JIRA/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment. These vulnerabilities are not of Critical severity.
Description -- We have identified and fixed nine cross-site scripting (XSS) vulnerabilities that affect JIRA instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a JIRA page. You can read more about XSS attacks at
http://www.cgisecurity.com/articles/xss-faq.shtml, http://projects.webappsec.org/Cross-Site+Scripting and other places on the web. These vulnerabilities affect JIRA 4.2 and above, and have been fixed in JIRA 5.1.1. This issue can be tracked here:
https://jira.atlassian.com/browse/JRA-29402
Risk Mitigation -- We strongly recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.
Fix -- The vulnerabilities and fix versions are described in the 'Description' section above. We recommend that you upgrade to JIRA 5.1.1 or later. For a full description of the latest version of JIRA, see the release notes:
http://confluence.atlassian.com/display/JIRA/Production+Releases. You can download the latest version of JIRA from the download centre:
http://www.atlassian.com/software/jira/JIRADownloadCenter.jspa. Patches are not available for these vulnerabilities.
Our thanks to Nils Juenemann who reported three of the XSS vulnerabilities mentioned in this section. Our thanks also to Conrad Rolack and Brandon Sterne who each reported one XSS vulnerability. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
*XSRF Vulnerability*
Severity -- Atlassian rates the severity level of this vulnerability as Medium, according to the scale published in Severity Levels for Security Issues:
http://confluence.atlassian.com/display/JIRA/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, medium or low. This is an independent assessment and you should evaluate its applicability to your own IT environment. This vulnerability is not of Critical severity.
Description -- We have identified and fixed a cross-site request forgery (XSRF) vulnerability that affects JIRA instances, including publicly available instances (that is, Internet-facing servers). This XSRF vulnerability relates to commenting on issues. An attacker might take advantage of the vulnerability to make other users post issue comments of the attacker's choice. You can read more about XSRF attacks at
http://www.cgisecurity.com/csrf-faq.html and other places on the web. This vulnerability affects JIRA 4.2 and above, and has been fixed in JIRA 5.1. This issue can be tracked here:
https://jira.atlassian.com/browse/JRA-29401
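Added example, not Atlassian's code: a minimal comment-posting handler that shows the standard defence against the XSRF described above, a per-session synchronizer token that the server embeds in the comment form and verifies on submission. The session store, the form field name xsrf_token and the comment store are all constructed stand-ins.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for a session (identified by cookie) and
# for the comments attached to an issue.
COMMENTS = {}


class Session:
    def __init__(self, user):
        self.user = user
        # Issued once per login; unguessable and never sent in a URL.
        self.xsrf_token = secrets.token_urlsafe(32)


def render_comment_form(session, issue_key):
    """The server serves the comment form with the session's token embedded.

    Only a page loaded on the JIRA origin receives this token; a page on
    another site cannot read it, which is what makes the check below work.
    """
    return {"issueKey": issue_key, "xsrf_token": session.xsrf_token, "comment": ""}


def post_comment(session, form):
    """Handle the comment POST; the browser's cookie selects `session`.

    A cross-site page can make a victim's browser send this request with the
    victim's cookies, so the session alone proves nothing about who built
    the request. The token must match the session's token, compared in
    constant time, before the comment is stored.
    """
    submitted = str(form.get("xsrf_token", ""))
    if not hmac.compare_digest(submitted.encode(), session.xsrf_token.encode()):
        return {"status": 403, "error": "XSRF token missing or invalid"}
    body = form.get("comment", "").strip()
    if not body:
        return {"status": 400, "error": "comment is empty"}
    COMMENTS.setdefault(form["issueKey"], []).append((session.user, body))
    return {"status": 200, "count": len(COMMENTS[form["issueKey"]])}


def forged_cross_site_post(victim_session, issue_key, text):
    """Model the attack: a form built off-origin, so it carries no token."""
    return post_comment(victim_session, {"issueKey": issue_key, "comment": text})
```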
Risk Mitigation -- We strongly recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.
Fix -- The vulnerability and fix versions are described in the 'Description' section above. We recommend that you upgrade to JIRA 5.1 or later. For a full description of the latest version of JIRA, see the release notes:
http://confluence.atlassian.com/display/JIRA/Production+Releases. You can download the latest version of JIRA from the download centre:
http://www.atlassian.com/software/jira/JIRADownloadCenter.jspa. Patches are not available for this vulnerability.
Our thanks to Joao Paulo Lins of Tempest Security Intelligence, who reported the XSRF vulnerability mentioned in this section. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
*Open Redirect Vulnerabilities*
Severity -- Atlassian rates the severity level of these vulnerabilities as Medium, according to the scale published in Severity Levels for Security Issues:
http://confluence.atlassian.com/display/JIRA/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment. These vulnerabilities are not of Critical severity.
Description -- We have identified and fixed two open redirect vulnerabilities that affect JIRA instances, including publicly available instances (that is, Internet-facing servers). Parameter-based redirection vulnerabilities allow an attacker to craft a JIRA URL in such a way that a user clicking on the URL will be redirected to a different web site. This can be used for phishing. You can read more about link manipulation attacks at
https://secure.wikimedia.org/wikipedia/en/wiki/Phishing#Link_manipulation, and about phishing at
http://www.fraud.org/tips/internet/phishing.htm and other places on the web. These vulnerabilities affect JIRA 4.3.3 and above, and have been fixed in JIRA 5.1.1. This issue can be tracked here:
https://jira.atlassian.com/browse/JRA-29400
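Added example, not Atlassian's code: a validator for a parameter-based redirect target of the kind described above, which only allows destinations on the instance's own origin. It goes beyond the plain "different web site" case to cover the forms a naive check misses: protocol-relative and triple-slash forms, backslashes, embedded control characters and non-http schemes. The base URL, fallback page and function names are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed base URL for the example; a real deployment would use its own
# configured base URL rather than a hard-coded one.
BASE_URL = "https://jira.example.com"
FALLBACK = "/secure/Dashboard.jspa"  # assumed safe landing page


def is_safe_redirect(target: str, base_url: str = BASE_URL) -> bool:
    """Return True only if `target` stays on the scheme and host of `base_url`.

    Rejects absolute URLs on other hosts, '//host' and '///host' forms,
    backslashes (browsers treat them as slashes), control characters and
    spaces (browsers strip some of them), and any non-http(s) scheme.
    """
    if not target:
        return False
    # Control characters and spaces can smuggle a scheme past string checks.
    if any(ord(ch) <= 0x20 for ch in target):
        return False
    # Normalise '\' to '/' the way browsers do before inspecting the value.
    candidate = target.replace("\\", "/")
    # '//host' and '///host' both become a new authority in browsers, even
    # though urljoin keeps '///host' on the base host, so reject them early.
    if candidate.startswith("//"):
        return False
    base = urlsplit(base_url)
    resolved = urlsplit(urljoin(base_url + "/", candidate))
    # Same scheme and the exact same netloc (host[:port]); a userinfo part
    # such as 'jira.example.com@evil.example' changes the netloc and fails.
    return (resolved.scheme == base.scheme
            and resolved.netloc.lower() == base.netloc.lower())


def safe_redirect(target: str, fallback: str = FALLBACK) -> str:
    """Return `target` if it is safe to redirect to, otherwise the fallback."""
    return target if is_safe_redirect(target) else fallback
```

The check is deliberately conservative: a target that names the host with an explicit default port is rejected rather than parsed further.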
Risk Mitigation -- We strongly recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.
Fix -- The vulnerabilities and fix versions are described in the 'Description' section above. We recommend that you upgrade to JIRA 5.1 or later. For a full description of the latest version of JIRA, see the release notes:
http://confluence.atlassian.com/display/JIRA/Production+Releases. You can download the latest version of JIRA from the download centre:
http://www.atlassian.com/software/jira/JIRADownloadCenter.jspa. Patches are not available for these vulnerabilities.
Our thanks to Joao Paulo Lins of Tempest Security Intelligence, who reported one of the open redirect vulnerabilities mentioned in this section. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
Kind regards,
Atlassian