18 Sep 2020

Latest Security Warning for Bitbucket, Jira and Jira Service Desk

by GLiNTECH

Atlassian have recently announced security vulnerabilities affecting Bitbucket Server & Bitbucket Data Center, Jira Server & Jira Data Center, and Jira Service Desk & Jira Service Desk Data Center. If you use any of these products, see below for the steps to address each vulnerability.

Summary of Vulnerability

Atlassian disclosed critical severity security vulnerabilities affecting Bitbucket Server & Bitbucket Data Center, Jira Server & Jira Data Center, and Jira Service Desk & Jira Service Desk Data Center.

Atlassian recommends that you:

  • Upgrade Bitbucket Server & Bitbucket Data Center to version 6.6.0 or higher. If this is not possible, refer to the notes below for a fix.
  • Upgrade Jira Server & Jira Data Center to version 8.4.1 or higher. If this is not possible, refer to the notes below for a fix.
  • Upgrade Jira Service Desk & Jira Service Desk Data Center to version 4.4.1 or higher. If this is not possible, refer to the notes below for a fix.

Note that Atlassian Cloud instances have already been upgraded and are not affected by the issue described in this announcement.



Bitbucket Server & Bitbucket Data Center Versions

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published at Atlassian severity levels. This is their assessment and you should evaluate its applicability to your own IT environment.


Description of vulnerability

Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.
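The argument-injection class described above, shown as an added Python example. This is not Bitbucket's code and does not reproduce the specific Bitbucket code path, which the advisory does not describe: it shows a user-supplied branch name placed where Git parses options, beside the hardened form that validates the name, qualifies it with refs/heads/ so it can never begin with a dash, and passes the command as an argv list without a shell. The names is_valid_branch, unsafe_git_argv, safe_git_argv and resolve_branch, the /srv/repo.git path, and the use of Git's --end-of-options flag (Git 2.24 or later) are assumptions.

```python
"""Added example, not Bitbucket's code: building a Git command line from a
user-supplied branch name so the value can never be read as a Git option.
The advisory only says that extra arguments could be injected into Git
commands; the actual Bitbucket code path is not reproduced here."""
import re
import subprocess
from typing import List

# Conservative allow-list for branch names (a subset of what
# git-check-ref-format permits): letters, digits, '.', '_', '-', '/'.
_BRANCH_CHARS = re.compile(r"^[A-Za-z0-9._/-]+$")


def is_valid_branch(name: str) -> bool:
    """True if NAME is safe to hand to Git as a branch name."""
    if not name or len(name) > 255 or not _BRANCH_CHARS.match(name):
        return False
    if name.startswith("-"):          # would be parsed as a Git option
        return False
    if ".." in name or "//" in name:  # invalid ref syntax in any case
        return False
    if name.startswith("/") or name.endswith("/") or name.endswith(".lock"):
        return False
    # no path component may start with '.'
    return all(not part.startswith(".") for part in name.split("/"))


def unsafe_git_argv(repo: str, branch: str) -> List[str]:
    """Vulnerable pattern: the raw value sits where Git parses options, so a
    branch such as "--some-option=value" is read as an option, not a name."""
    return ["git", "-C", repo, "rev-parse", "--verify", branch]


def safe_git_argv(repo: str, branch: str) -> List[str]:
    """Hardened pattern: validate first, then qualify the name with
    'refs/heads/' so the operand cannot begin with '-'. --end-of-options
    (Git 2.24+, an assumption about the installed Git) also ends option
    parsing explicitly."""
    if not is_valid_branch(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "-C", repo, "rev-parse", "--verify",
            "--end-of-options", "refs/heads/" + branch]


def resolve_branch(repo: str, branch: str) -> str:
    """Run the hardened command. Passing an argv list (no shell) removes
    shell interpretation; validation above handles Git's own option parsing."""
    proc = subprocess.run(safe_git_argv(repo, branch), capture_output=True,
                          text=True, check=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    # Hypothetical repository path; the first line shows the value that
    # would have been parsed as an option, the second the hardened argv.
    print(unsafe_git_argv("/srv/repo.git", "--some-option=value"))
    print(safe_git_argv("/srv/repo.git", "feature/login"))
```

The allow-list is the primary control: once every character and the leading position are constrained, the refs/heads/ prefix and --end-of-options are belt-and-braces. Building the command as a list rather than a string is what keeps this an argument-injection question only, rather than a shell-injection one as well.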

All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability.

This issue can be tracked here (currently restricted to Atlassian staff): https://jira.atlassian.com/browse/BSERV-11947


Advice to resolve this issue

Upgrade Bitbucket

Atlassian recommends that you upgrade to the latest version, or to version 6.6.0 or higher. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the release notes. You can download the latest version of Bitbucket Server & Bitbucket Data Center from the download center.

If you can't upgrade to the latest version:

If you have version…                …then upgrade to any of these versions:

  • 1.x, 2.x, 3.x, 4.x, 5.x → 5.16.10, 6.0.10, 6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2
  • 6.0.x → 6.0.10, 6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2
  • 6.1.x → 6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2
  • 6.2.x → 6.2.6, 6.3.5, 6.4.3, 6.5.2
  • 6.3.x → 6.3.5, 6.4.3, 6.5.2
  • 6.4.x → 6.4.3, 6.5.2
  • 6.5.x → 6.5.2


Temporary fix if upgrading to the latest version is not immediately possible

For versions of Bitbucket Server & Bitbucket Data Center >= 4.0.0, Atlassian have created a hotfix plugin which can be installed via UPM with zero system downtime. The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect the system while planning and executing an upgrade to a fixed version.

Note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the standard functionality of the system. For a more comprehensive fix, the system must be upgraded. The hotfix is available from https://jira.atlassian.com/browse/BSERV-11947. We have also attached the hotfix file to download here.



Jira Server & Jira Data Center Versions

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published at Atlassian severity levels. This is their assessment and you should evaluate its applicability to your own IT environment.


Description of vulnerability

There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. 

Versions of Jira Server & Jira Data Center starting with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from 8.1.0 before 8.1.3 (the fixed version for 8.1.x), from 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.

This issue can be tracked here (currently restricted to Atlassian staff): https://jira.atlassian.com/browse/JRASERVER-69933


Advice to resolve this issue

Upgrade Jira

Atlassian have released the following versions of Jira Server & Jira Data Center (including Jira Software Server) to address this issue: 7.6.16, 7.13.8, 8.1.3, 8.2.5, 8.3.4 and 8.4.1.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Jira Server & Jira Data Center, see the release notes. You can download the latest version of Jira Server & Jira Data Center from the download center.

Recommended: Upgrade Jira Server & Jira Data Center to version 8.4.1 or higher.

(1) If you have a current feature version (a feature version released on 10 December 2018 or later), upgrade to the next bugfix version of your current feature version. If you can't upgrade to the latest version (8.4.1):

If you have feature version…        …then upgrade to this bugfix version:

  • 8.0.x → 8.1.3
  • 8.1.x → 8.1.3
  • 8.2.x → 8.2.5
  • 8.3.x → 8.3.4



(2) If you have a current Enterprise release version (an Enterprise release version released on 10th July 2017 or later), upgrade to the latest Enterprise release version (7.13.8).

If you have Enterprise release version…        …then upgrade to this version:

  • 7.6.x → 7.6.16, or 7.13.8 (recommended)
  • 7.13.x → 7.13.8


(3) If you have an older version (a feature version released before 10 December 2018, or an Enterprise release version released before 10th July 2017), either upgrade to the latest version, or to the latest Enterprise release version (7.13.8).

If you have an older version…        …then upgrade to any of these versions:

  • 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.7.x, 7.8.x, 7.9.x, 7.10.x, 7.11.x, 7.12.x → current versions 8.1.3, 8.2.5 or 8.3.4, or Enterprise releases 7.6.16 or 7.13.8



Mitigation

If you are unable to upgrade Jira immediately, or are in the process of migrating to Jira Cloud, then as a temporary workaround you can block PUT requests to the following endpoint:

  • /rest/jira-importers-plugin/1.0/demo/create

After upgrading Jira, you can unblock the endpoint.

Important Note: Do not disable the Jira Importers Plugin.



Jira Service Desk Server & Jira Service Desk Data Center Versions

Severity

This advisory discloses a critical severity security vulnerability in Jira Service Desk Server and Jira Service Desk Data Center. Versions before 3.9.16, from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and version 4.4.0 are affected by this vulnerability.

Note: Atlassian Cloud instances have already been upgraded to a version of Jira Service Desk which does not have the issue described on this page.


Description of vulnerability

URL path traversal allows information disclosure - CVE-2019-14994

By design, Jira Service Desk gives customer portal users permissions only to raise requests and view issues. This allows users to interact with the customer portal without having direct access to Jira. These restrictions can be bypassed by a remote attacker with portal access who exploits a path traversal vulnerability. Note that attackers can grant themselves access to Jira Service Desk projects that have the "Anyone can email the service desk or raise a request in the portal" setting enabled. Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.

All versions of Jira Service Desk before 3.9.16, from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and 4.4.0 are affected by this vulnerability.

This issue can be tracked here: https://jira.atlassian.com/browse/JSDSERVER-6517


Advice to resolve this issue

Upgrade Jira Service Desk

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Jira Service Desk Server & Jira Service Desk Data Center, see the Release Notes. You can download the latest version of Jira Service Desk Server & Jira Service Desk Data Center from the Download Center.

Upgrade Jira Service Desk to a version as specified below.

If you have version…        …then upgrade to this bugfix version:

  • 4.4.0 → 4.4.1
  • 4.3.x → 4.3.4
  • 4.2.x → 4.2.5
  • 4.1.x → 4.1.3
  • 3.16.x → 3.16.8
  • 3.9.x → 3.16.8 (Recommended), or 3.9.16
  • Older versions → current versions 4.4.1 or 4.3.4, or Enterprise releases 3.16.8 (Recommended) or 3.9.16

Upgrading Jira Service Desk also requires upgrading Jira Core. Check the compatibility matrix to find the equivalent version for your Jira Service Desk version.


Mitigation

If you are unable to upgrade Jira Service Desk immediately, then as a temporary workaround, you can:

  • Block requests to Jira containing .. at the reverse proxy or load balancer level, or
  • Alternatively, configure Jira to redirect requests containing .. to a safe URL
    • Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

<rule>
  <from>^/[^?]*\.\..*$</from>
  <to type="temporary-redirect">/</to>
</rule>

After upgrading Jira Service Desk this mitigation can be removed.
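Both temporary workarounds on this page, the PUT block on the Jira Importers endpoint in the Jira section and the ".." redirect rule for Jira Service Desk above, are per-request decisions made at the reverse proxy or in urlrewrite.xml. The following added Python example (not Atlassian's code) applies those same two decisions to access-log lines, so you can check whether either endpoint was touched before the block was in place. The endpoint path and the regex are taken verbatim from the advisory; the log lines are constructed, and the context_path parameter and the function names parse_line, matching_rule and scan are assumptions.

```python
"""Added example, not Atlassian's code: scan reverse-proxy access logs for
requests that this advisory's two temporary workarounds are meant to stop.
The endpoint path and the '..' expression come from the advisory; the log
lines are constructed (Common Log Format); context_path is an assumption
for instances served under a prefix such as /jira."""
import re
from typing import Dict, List, Optional

# Common Log Format: ip ident user [time] "METHOD target PROTOCOL" status bytes
_CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Jira advisory: block PUT to this endpoint at the proxy.
IMPORTERS_DEMO_PATH = "/rest/jira-importers-plugin/1.0/demo/create"
# Jira Service Desk advisory: the urlrewrite.xml <from> expression, unchanged.
# '[^?]*' cannot cross a '?', so the '..' has to be in the path part.
DOTDOT_RULE = re.compile(r"^/[^?]*\.\..*$")

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Sep/2019:10:01:02 +1000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120
203.0.113.7 - - [18/Sep/2019:10:02:15 +1000] "PUT /rest/jira-importers-plugin/1.0/demo/create HTTP/1.1" 200 318
203.0.113.7 - - [18/Sep/2019:10:02:40 +1000] "GET /rest/jira-importers-plugin/1.0/demo/create HTTP/1.1" 405 0
198.51.100.9 - - [18/Sep/2019:10:03:01 +1000] "GET /servicedesk/customer/portal/2/../../example HTTP/1.1" 200 9001
198.51.100.9 - - [18/Sep/2019:10:03:30 +1000] "GET /browse/ABC-1?q=.. HTTP/1.1" 200 4000
not a log line
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one CLF line into fields, or None if it does not parse."""
    m = _CLF_RE.match(line)
    return m.groupdict() if m else None


def matching_rule(method: str, target: str, context_path: str = "") -> Optional[str]:
    """Name of the workaround rule the request would trip, or None."""
    if context_path and target.startswith(context_path):
        target = target[len(context_path):]          # e.g. strip "/jira"
    path = target.split("?", 1)[0]                   # drop the query string
    if method == "PUT" and path == IMPORTERS_DEMO_PATH:
        return "jira-importers-put"
    if DOTDOT_RULE.match(target):                    # same input the filter sees
        return "dotdot-in-path"
    return None


def scan(log_text: str, context_path: str = "") -> List[Dict[str, str]]:
    """Return every parsed entry that one of the two rules would have blocked."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rule = matching_rule(entry["method"], entry["target"], context_path)
        if rule:
            hits.append({**entry, "rule": rule})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["rule"]}')
```

Because the regex is the urlrewrite <from> expression verbatim, the scan reproduces that rule's behaviour exactly: a ".." that appears only in the query string (the /browse/ABC-1?q=.. sample) is not reported, and a GET to the importers endpoint is not reported either, since the advisory blocks PUT only. A status of 200 on a flagged PUT entry is the line worth following up, since a 405 or 403 shows the request was already refused.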
