Jira Service Desk Security Advisory 2019-09-18
Jira Service Desk Server and Jira Service Desk Data Center - URL path traversal allows information disclosure - CVE-2019-14994
Summary | CVE-2019-14994 - URL path traversal allows information disclosure |
---|---|
Advisory Release Date | 18 Sep 2019, 10:00 AM PDT (Pacific Time, -7 hours) |
Product | Jira Service Desk Server and Jira Service Desk Data Center. This does not affect Jira Service Desk Cloud. This does not affect Jira Core or Jira Software on instances where Jira Service Desk is not installed. |
Affected Jira Service Desk Server and Data Center versions | Versions before 3.9.16, from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and 4.4.0 |
Fixed Jira Service Desk versions | 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4, 4.4.1 |
CVE ID(s) | CVE-2019-14994 |
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability in Jira Service Desk Server and Jira Service Desk Data Center. Versions before 3.9.16, from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and version 4.4.0 are affected by this vulnerability.
Atlassian Cloud instances have already been upgraded to a version of Jira Service Desk which does not have the issue described on this page.
Customers who have upgraded Jira Service Desk Server & Jira Service Desk Data Center to 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4, or 4.4.1 are not affected.
Customers who have downloaded and installed the following Jira Service Desk Server & Jira Service Desk Data Center versions are affected:
- All versions before 3.9.16
- 3.10.x
- 3.11.x
- 3.12.x
- 3.13.x
- 3.14.x
- 3.15.x
- 3.16.x before 3.16.8 (the fixed version for 3.16.x)
- 4.0.x
- 4.1.x before 4.1.3 (the fixed version for 4.1.x)
- 4.2.x before 4.2.5 (the fixed version for 4.2.x)
- 4.3.x before 4.3.4 (the fixed version for 4.3.x)
- 4.4.0 before 4.4.1 (the fixed version for 4.4.x)
Please upgrade your Jira Service Desk Server & Jira Service Desk Data Center installations immediately to fix this vulnerability.
URL path traversal allows information disclosure - CVE-2019-14994
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
By design, Jira Service Desk gives customer portal users permissions only to raise requests and view issues. This allows users to interact with the customer portal without having direct access to Jira. These restrictions can be bypassed by any attacker with portal access* who exploits a path traversal vulnerability. Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.
All versions of Jira Service Desk before 3.9.16, from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and 4.4.0 are affected by this vulnerability. This issue can be tracked here: JSDSERVER-6517.
* Note that attackers can grant themselves access to Jira Service Desk portals that have the "Anyone can email the service desk or raise a request in the portal" setting enabled. Changing this permission does not remove the vulnerability to an exploit by an attacker that already has portal access. Atlassian does not recommend changing the permission; instead, please read on and follow the instructions outlined in the section "What You Need to Do".
Acknowledgements
We would like to acknowledge Sam Curry for finding this vulnerability.
Fix
We have released the following versions of Jira Service Desk Server & Jira Service Desk Data Center to address this issue:
- 4.4.1 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
- 4.3.4 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
- 4.2.5 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
- 4.1.3 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
- 3.16.8 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
- 3.9.16 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
What You Need to Do
Mitigation
If you are unable to upgrade Jira Service Desk immediately or are in the process of migrating to Jira Cloud, then as a temporary workaround, you can:
- Block requests to Jira containing `..` at the reverse proxy or load balancer level, or
- Alternatively, configure Jira to redirect requests containing `..` to a safe URL. Add the following to the `<urlrewrite>` section of `[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml`:

```xml
<rule>
    <from>^/[^?]*\.\..*$</from>
    <to type="temporary-redirect">/</to>
</rule>
```

- After saving the changes above, restart Jira.
After upgrading Jira Service Desk this mitigation can be removed.
Upgrading Jira Service Desk
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Jira Service Desk Server & Jira Service Desk Data Center, see the Release Notes. You can download the latest version of Jira Service Desk Server & Jira Service Desk Data Center from the Download Center.
Upgrade Jira Service Desk to a version as specified below.
Upgrading Jira Service Desk also requires upgrading Jira Core. Check the compatibility matrix to find the equivalent version for your Jira Service Desk version.
If you have version... | ...then upgrade to this bugfix version: |
---|---|
4.4.0 | 4.4.1 |
4.3.x | 4.3.4 |
4.2.x | 4.2.5 |
4.1.x | 4.1.3 |
3.16.x | 3.16.8 |
3.9.x | 3.16.8 (recommended) or 3.9.16 |
Older versions | Current versions: 4.4.1 or 4.3.4; Enterprise releases: 3.16.8 (recommended) or 3.9.16 |
Finding Evidence of Exploitation
The Jira KB contains instructions on how to determine if any attempts were made to exploit your Jira Service Desk instance.
Please note: Atlassian has no evidence that this vulnerability has been exploited in the wild.
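As an added example (not Atlassian's code or the KB procedure), the following Python applies the advisory's urlrewrite `<from>` pattern to request paths and scans constructed Tomcat-style access log lines for request paths containing `..`, the indicator the mitigation above blocks; the log format and client addresses are assumptions.

```python
import re
from urllib.parse import unquote

# The <from> pattern of the advisory's urlrewrite.xml workaround:
# any request path containing ".." before the query string is redirected to "/".
URLREWRITE_FROM = re.compile(r"^/[^?]*\.\..*$")


def rule_matches(path: str) -> bool:
    """True if the advisory's urlrewrite rule would redirect this request path."""
    return URLREWRITE_FROM.match(path) is not None


# Assumed Tomcat common access-log layout:
# client ident user [time] "METHOD path PROTOCOL" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def has_traversal(path: str) -> bool:
    """Flag a request whose path part contains '..'; percent-decode first so
    the check sees the path as the server does, and ignore the query string."""
    path_only = path.split("?", 1)[0]
    return ".." in unquote(path_only)


def find_traversal_requests(log_lines):
    """Return (client, path, status) for each log line whose path contains '..'.
    A status of 200 rather than a redirect means the request reached Jira."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic); target paths are placeholders.
SAMPLE_LOG = [
    '198.51.100.10 - - [18/Sep/2019:10:15:02 +0000] "GET /servicedesk/customer/portal/2 HTTP/1.1" 200 4123',
    '203.0.113.7 - - [18/Sep/2019:10:15:09 +0000] "GET /servicedesk/customer/portal/2/../../example HTTP/1.1" 200 8810',
    '203.0.113.7 - - [18/Sep/2019:10:15:11 +0000] "GET /servicedesk/customer/portal/2/%2e%2e/%2e%2e/example HTTP/1.1" 200 8810',
    '198.51.100.10 - - [18/Sep/2019:10:16:00 +0000] "GET /browse/EX-1?q=.. HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, path, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{client} {status} {path}")
```

Run it against your own access logs by replacing SAMPLE_LOG with the file's lines; the rule only covers the path, so `..` inside a query string is neither redirected nor flagged here.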
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
Policy | Details |
---|---|
Security Bug Fix Policy | As per our new policy, critical security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released. |
Severity Levels for security issues | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. |
End of Life Policy | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |