Jira Service Desk Security Advisory 2019-11-06
Jira Service Desk Server and Jira Service Desk Data Center - Authorization Bypass allows information disclosure - CVE-2019-15003
Summary | CVE-2019-15003 - Authorization bypass allows information disclosure & CVE-2019-15004 - URL path traversal allows information disclosure |
---|---|
Advisory Release Date | 10:00 AM PDT (Pacific Time, -7 hours) |
Product | Jira Service Desk Server and Jira Service Desk Data Center. This does not affect Jira Service Desk Cloud. This does not affect Jira Core or Jira Software on instances where Jira Service Desk is not installed. |
Affected Jira Service Desk Server and Data Center Versions | Versions before 3.9.17, from 3.10.0 before 3.16.11, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 |
Fixed Jira Service Desk Versions | 3.9.17, 3.16.11, 4.2.6, 4.3.5, 4.4.3, 4.5.1 |
CVE ID(s) | CVE-2019-15003, CVE-2019-15004 |
Summary of Vulnerability
This advisory discloses two critical severity security vulnerabilities (CVE-2019-15003 and CVE-2019-15004) in Jira Service Desk Server and Jira Service Desk Data Center. Versions before 3.9.17, from 3.10.0 before 3.16.11, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected by these vulnerabilities.
Atlassian Cloud instances have already been upgraded to a version of Jira Service Desk which does not have the issue described on this page.
Customers who have upgraded Jira Service Desk Server & Jira Service Desk Data Center to versions 3.9.17, 3.16.11, 4.2.6, 4.3.5, 4.4.3, or 4.5.1 are not affected.
Customers who have downloaded and installed any of the following Jira Service Desk Server & Jira Service Desk Data Center versions are affected:
- All versions before 3.9.17
- 3.10.x
- 3.11.x
- 3.12.x
- 3.13.x
- 3.14.x
- 3.15.x
- 3.16.x before 3.16.11 (the fixed version for 3.16.x)
- 4.0.x
- 4.1.x
- 4.2.x before 4.2.6 (the fixed version for 4.2.x)
- 4.3.x before 4.3.5 (the fixed version for 4.3.x)
- 4.4.x before 4.4.3 (the fixed version for 4.4.x)
- 4.5.x before 4.5.1 (the fixed version for 4.5.x)
Please upgrade your Jira Service Desk Server & Jira Service Desk Data Center installations immediately to fix these vulnerabilities.
Authorization bypass allows information disclosure - CVE-2019-15003
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
By design, Jira Service Desk gives customer portal users permissions only to raise requests and view issues. This allows users to interact with the customer portal without having direct access to Jira. These restrictions can be bypassed by any attacker with portal access* who exploits an authorization bypass. Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.
All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.11, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected. This issue can be tracked here: https://jira.atlassian.com/browse/JSDSERVER-6590
* Note that attackers can grant themselves access to Jira Service Desk portals that have the "Anyone can email the service desk or raise a request in the portal" setting enabled. Changing this permission does not remove the vulnerability to exploitation by an attacker that already has portal access. Atlassian does not recommend changing the permission; instead, please read on and follow the instructions outlined in the Mitigation section below.
Acknowledgements
We would like to acknowledge Raphaël Arrouas for discovering this vulnerability.
Mitigation
If you are unable to upgrade Jira Service Desk immediately or are in the process of migrating to Jira Cloud, then as a temporary workaround, you can:
- Block requests to Jira containing jspa, jspx, jsp at the reverse proxy or load balancer level, or
- Alternatively, configure Jira to redirect requests containing jspa, jspx, jsp to a safe URL. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:
  <rule> <from>/servicedesk/.*\.jsp.*</from> <to type="temporary-redirect">/</to> </rule>
- After saving the changes above, restart Jira
After upgrading Jira Service Desk this mitigation can be removed.
URL path traversal allows information disclosure - CVE-2019-15004
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
By design, Jira Service Desk gives customer portal users permissions only to raise requests and view issues. This allows users to interact with the customer portal without having direct access to Jira. These restrictions can be bypassed by any attacker with portal access* who exploits a path traversal vulnerability. Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.
All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.11, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected. This issue can be tracked here: https://jira.atlassian.com/browse/JSDSERVER-6589
* Note that attackers can grant themselves access to Jira Service Desk portals that have the "Anyone can email the service desk or raise a request in the portal" setting enabled. Changing this permission does not remove the vulnerability to exploitation by an attacker that already has portal access. Atlassian does not recommend changing the permission; instead, please read on and follow the instructions outlined in the Mitigation section below.
Acknowledgements
We would like to acknowledge Raphaël Arrouas for discovering this vulnerability.
Mitigation
If you are unable to upgrade Jira Service Desk immediately or are in the process of migrating to Jira Cloud, then as a temporary workaround, you can:
- Block requests to Jira containing .. at the reverse proxy or load balancer level, or
- Alternatively, configure Jira to redirect requests containing .. to a safe URL. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:
  <rule> <from>^/.*\.\..*$</from> <to type="temporary-redirect">/</to> </rule>
- After saving the changes above, restart Jira
After upgrading Jira Service Desk this mitigation can be removed.
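Before relying on either urlrewrite workaround, it is worth checking what the two <from> patterns actually match. The following Python script is an added example for that purpose; it is not part of Atlassian's advisory or of Jira. It applies both patterns, copied from the rules above, to a handful of constructed request paths. It assumes the rewrite filter looks for the pattern anywhere in the path (re.search, matching the advisory's wording "requests containing"), and it adds a percent-decoding step of its own, because the literal rule only sees ".." written as two plain dots; whether your deployment decodes the request path before the rewrite filter runs is something to confirm on your own instance, since that decides whether the literal rule alone is enough.

```python
import re
from urllib.parse import unquote

# The two <from> patterns from the advisory's urlrewrite.xml workarounds, copied
# verbatim; in Jira each one redirects a matching request to "/".
RULE_JSP = re.compile(r"/servicedesk/.*\.jsp.*")  # CVE-2019-15003 workaround
RULE_DOTDOT = re.compile(r"^/.*\.\..*$")          # CVE-2019-15004 workaround


def matches_literal(path: str) -> bool:
    """True if either rule matches the path exactly as received.
    Assumption: the rewrite filter searches for the pattern anywhere in the
    path (re.search), which is what "containing" in the advisory describes."""
    return bool(RULE_JSP.search(path) or RULE_DOTDOT.search(path))


def matches_normalized(path: str) -> bool:
    """Stricter check (an addition here, not in the advisory): percent-decode
    the path first, so an encoded spelling of the same path is judged like the
    plain one.  Use it to confirm your own rule covers both forms."""
    return matches_literal(unquote(path))


def audit(paths):
    """Map each path to (literal_hit, normalized_hit)."""
    return {p: (matches_literal(p), matches_normalized(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    SAMPLES = [
        "/servicedesk/customer/portal/1/SomeAction.jspa",  # caught by the .jsp rule
        "/servicedesk/customer/portals",                   # ordinary portal page, passes
        "/secure/Dashboard.jspa",                          # outside /servicedesk/, first rule does not apply
        "/x/../y",                                         # caught by the .. rule
        "/x/%2e%2e/y",                                     # only caught after decoding
    ]
    for path, (lit, norm) in audit(SAMPLES).items():
        print(f"{path:50} literal={lit!s:5} normalized={norm}")
```

Run it as-is to see the table; the interesting row is the last one, where the literal rule and the normalized check disagree. If your proxy or Jira does not decode before matching, the proxy-level block is the safer of the two workarounds because you control the normalization there.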
Fix
We have released the following versions of Jira Service Desk Server & Jira Service Desk Data Center to address these issues:
- 4.5.1 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
- 4.4.3 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
- 4.3.5 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
- 4.2.6 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
- 3.16.11 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
- 3.9.17 which can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
What You Need to Do
Upgrading Jira Service Desk
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Jira Service Desk Server & Jira Service Desk Data Center, see the Release Notes. You can download the latest version of Jira Service Desk Server & Jira Service Desk Data Center from the Download Center.
Upgrade Jira Service Desk to a version as specified below.
Upgrading Jira Service Desk also requires upgrading Jira Core. Check the compatibility matrix to find the equivalent version for your Jira Service Desk version.
If you have Jira Service Desk version... | ...then upgrade to this bugfix version: |
---|---|
4.5.x | 4.5.1 |
4.4.x | 4.4.3 |
4.3.x | 4.3.5 |
4.2.x | 4.2.6 |
4.1.x | 4.5.1 (Recommended) |
4.0.x | 4.5.1 (Recommended) |
3.16.x | 3.16.11 |
3.9.x | 3.16.11 or 3.9.17 |
Older versions (before 3.9.x) | Current versions: 4.4.1, 4.3.4. Enterprise releases: 4.5.1 (Recommended), 3.16.11, 3.9.17 |
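For anyone auditing several Jira Service Desk instances, the affected ranges and the upgrade table above translate directly into a small version check. The script below is an added example, not Atlassian's code: it encodes the affected ranges from the summary (each closed at its lower bound and open at the fixed version) and the "upgrade to this bugfix version" table keyed by major.minor line. For version lines the table does not list (3.10 through 3.15) it falls back to the fixed version that bounds the affected range, which is an assumption of this example; for versions before 3.9 it likewise returns 3.9.17 and leaves the other enterprise options in the table to the reader.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """'4.2.3' -> (4, 2, 3); missing components default to 0."""
    parts = [int(p) for p in s.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


# Affected ranges from the advisory summary: [lower, fixed), so the fixed
# version itself is not affected.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (3, 9, 17)),
    ((3, 10, 0), (3, 16, 11)),
    ((4, 0, 0), (4, 2, 6)),
    ((4, 3, 0), (4, 3, 5)),
    ((4, 4, 0), (4, 4, 3)),
    ((4, 5, 0), (4, 5, 1)),
]

# "If you have version X, upgrade to Y" table from the advisory, keyed by the
# major.minor line; where the table offers several targets, all are listed.
UPGRADE_TABLE: Dict[Tuple[int, int], List[str]] = {
    (4, 5): ["4.5.1"],
    (4, 4): ["4.4.3"],
    (4, 3): ["4.3.5"],
    (4, 2): ["4.2.6"],
    (4, 1): ["4.5.1"],
    (4, 0): ["4.5.1"],
    (3, 16): ["3.16.11"],
    (3, 9): ["3.16.11", "3.9.17"],
}


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def upgrade_targets(version: str) -> List[str]:
    """Fixed version(s) to upgrade to; empty list when the version is not affected."""
    if not is_affected(version):
        return []
    v = parse_version(version)
    if v[:2] in UPGRADE_TABLE:
        return UPGRADE_TABLE[v[:2]]
    # Lines the table does not list (e.g. 3.10-3.15, pre-3.9): assumption here is
    # to use the fixed version that bounds the affected range from the summary.
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return [fmt(hi)]
    return []


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for host, ver in [("jsd-a", "4.4.2"), ("jsd-b", "3.12.4"), ("jsd-c", "4.5.1")]:
        targets = upgrade_targets(ver)
        status = "upgrade to " + " or ".join(targets) if targets else "not affected"
        print(f"{host}: {ver} -> {status}")
```

Feed it the versions from your own inventory; anything that returns a non-empty list is still exposed to both CVEs and needs the upgrade (or, until then, the mitigation above).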
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to the Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
Security Bug fix Policy | Critical security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. |
Severity Levels for security issues | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. |
End of Life Policy | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |