- Critical bugs in Jira Service Desk and Jira Service Desk Data Center were patched by Atlassian in the latest security update.
- Out of the two flaws, one could be exploited for information disclosure, while the other allowed server-side template injection which could lead to remote code execution.
Atlassian released advisories for both these vulnerabilities that outline various details including the affected product versions, summary, and fixed product versions.
Information disclosure vulnerability
Tracked as CVE-2019-14994, the information disclosure vulnerability affected Jira Service Desk and Jira Service Desk Data Center.
- The vulnerability is a URL path traversal and was discovered by a security researcher named Sam Curry.
- Anyone with access to the Jira Desk portal can exploit the vulnerability to view all issues in all projects, including those in Jira Service Desk projects, Jira Core projects, and Jira Software projects.
- According to Satnam Narang, a researcher at Tenable, many Jira Service Desk instances are available on the public internet. These instances belong to organizations in various sectors such as healthcare, government, and manufacturing.
Remote code execution vulnerability
Tracked as CVE-2019-15001, this vulnerability affects Jira Server and Jira Data Center.
- Attackers with ‘Jira administrators’ access can exploit this vulnerability to execute remote code.
- This vulnerability was discovered by Daniil Dimitriev, a security researcher.
The solution
It is recommended that you update to the latest versions of the software available. If immediate update is not possible there are temporary solutions.
- For the information disclosure vulnerability, block requests to Jira that contain '..' at the reverse proxy or load balance level. Alternatively, you can configure Jira to redirect requests that contain '..' to a safe URL. Admins can add this rule to the ‘URLwrite’ section of "[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml":
- For the remote code execution vulnerability, you can block the PUT request for '/rest/jira-importers-plugin/1.0/demo/create' endpoint.
Publisher
/https://cystory-images.s3.amazonaws.com/shutterstock_668772514.jpg)
/https://cystory-images.s3.amazonaws.com/shutterstock_423598096.jpg)
