A critical security vulnerability for Jira Service Management and Insight Asset Management (Remote Code Execution vulnerability) has just been released
This advisory discloses a critical severity security vulnerability in versions of the Insight - Asset Management app prior to 8.9.3. This app is bundled with Jira Service Management Data Center (known as Jira Service Desk prior to 4.14) from version 4.15.0 onwards. All versions of Jira Service Management Data Center >= 4.15.0 and < 4.20 are impacted. Affected versions of the Insight - Asset Management app and Jira Service Management Data Center are listed in the table below (see Affected Versions).
Summary | CVE-2018-10054 - Remote Code Execution through Insight - Asset Management
Advisory release date | 20th Oct 2021 10 AM PDT (Pacific Time, -7 hours)
Product | Jira Service Management Cloud customers are not affected.
Affected versions | Insight - Asset Management version: prior to 8.9.3; Jira Service Management Data Center version: >= 4.15.0 and < 4.20
Fixed versions - Insight - Asset Management Marketplace App | 8.9.3
Fixed versions - Jira Service Management Data Center | 4.20.0
CVE ID(s) | CVE-2018-10054
Please note:
Jira Service Management Cloud customers are not impacted by this.
Customers who have upgraded to Jira Service Management version 4.20.0 and Insight - Asset Management app version 8.9.3 or above are not affected.
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Insight - Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server (remote code execution a.k.a. RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test environments.
The combination of the DB import feature introduced by Insight - Asset Management with the existing Jira H2 DB library exposed this vulnerability. The vulnerability exists whether or not the import configuration was saved, and even if H2 was never used as a target DB. Exploiting this vulnerability requires both of the following:
The user must be an authenticated Jira user, AND
The user must hold either of the following privileges within Insight - Asset Management:
user or group permission to “Insight administrator”
user or group permission to “Object Schema Manager”
Fix
We have taken the following steps to address this issue:
Released version 4.20.0 of Jira Service Management Data Center and version 8.9.3 of the Insight - Asset Management app, which prevent the import feature from making a connection to any H2 DB.
Atlassian recommends that you upgrade to the latest fix version but if you can’t, you should follow the mitigation steps. For a full description of the latest version of Jira Service Management and Insight - Asset Management, see the Jira Service Management release notes.
Upgrade
For Jira Service Management Data Center version 4.15.0 and greater, upgrade to 4.20.0 by downloading this version from our software downloads page.
For the following, you will need to upgrade the Insight - Asset Management app to version 8.9.3 (which disables the connection to any H2 DB) by downloading it from the Atlassian Marketplace.
Jira Service Management Data Center versions prior to version 4.15.0,
Jira Core (Server/Data Center),
Jira Software (Server/Data Center)
Consider compatibility with Jira as well. The fix version (8.9.3) of the app is compatible with:
App. version | Compatibility
---|---
8.9.3 | Server; Data Center (the supported Jira versions for each are listed at the end of this advisory)
If you're running any other version, you must first upgrade to a version that is compatible with the 8.9.3 app (read our security bug fix policy for details). For example, if you're running Jira version 8.7.2 with the Insight - Asset Management app version 8.4.1, you must first upgrade to Jira version 8.12.0 or greater to be able to install the Insight - Asset Management app version 8.9.3. If you can’t upgrade immediately, follow the mitigation steps below.
If you’re unable to upgrade to the latest version immediately, then as a temporary workaround you can mitigate the issue by deleting the H2 JAR file that ships with the Jira installation.
The mitigation steps below will prevent any instances currently using H2 from starting up. You must migrate from the H2 database to any of the other supported database types prior to implementing the mitigation steps in order to keep using the instance.
H2 databases have never been supported in production environments.
For guidance on how to migrate databases see Switching databases | Administering Jira applications Data Center and Server 8.19 | Atlassian Documentation.
To remove the H2 JAR file:
1. Shut down Jira
2. Go to <Jira-Installation-Directory>/atlassian-jira/WEB-INF/lib/
3. Locate the h2-1.4.XYZ.jar file and delete it (where “XYZ” is a placeholder for the version of the file, e.g. h2-1.4.200.jar)
4. Start Jira again
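The removal steps above, as an added POSIX shell script that is not Atlassian's or GLiNTECH's own tooling: it locates the bundled h2-1.4.*.jar under <Jira-Installation-Directory>/atlassian-jira/WEB-INF/lib/, moves it out of the classpath, and offers a check mode that reports whether the workaround is in place. It assumes the Jira installation directory is passed as the first argument, that Jira has already been shut down, and that the instance has been migrated off H2 as the advisory requires. Moving the JAR to a backup directory outside WEB-INF/lib (rather than the plain delete the advisory describes) is this script's own choice so the step can be reversed after upgrading.

```shell
#!/bin/sh
# Added example (not Atlassian's or GLiNTECH's own tooling): apply and verify
# the temporary H2 JAR workaround from the advisory.
# Assumptions: $1 is <Jira-Installation-Directory>; Jira is stopped and no
# longer uses H2 as its database.

# Print the path of the first h2-1.4.*.jar in the Jira lib directory.
# Returns 1 (and prints nothing) when no such file exists.
find_h2_jar() {
    lib_dir="$1/atlassian-jira/WEB-INF/lib"
    for jar in "$lib_dir"/h2-1.4.*.jar; do
        if [ -e "$jar" ]; then
            printf '%s\n' "$jar"
            return 0
        fi
    done
    return 1
}

# Check mode: return 0 when the JAR is absent (workaround in place),
# 1 when it is still present (instance still exposed).
h2_jar_removed() {
    if find_h2_jar "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Move the JAR out of the classpath. The backup directory (default:
# <install>/h2-jar-backup, an assumption of this script) is outside
# WEB-INF/lib, so Jira no longer loads the H2 library on start-up.
# Safe to run twice: a missing JAR is reported and treated as success.
remove_h2_jar() {
    install_dir="$1"
    backup_dir="${2:-$install_dir/h2-jar-backup}"
    jar=$(find_h2_jar "$install_dir") || {
        echo "H2 JAR not found under $install_dir; nothing to do"
        return 0
    }
    mkdir -p "$backup_dir"
    mv "$jar" "$backup_dir/"
    echo "moved $(basename "$jar") to $backup_dir"
}

# Usage (the procedure only runs when an install directory is given):
#   sh h2-workaround.sh /opt/atlassian/jira         # move the JAR aside
#   sh h2-workaround.sh /opt/atlassian/jira check   # report only
if [ $# -gt 0 ]; then
    case "${2:-remove}" in
        check)
            if h2_jar_removed "$1"; then
                echo "mitigated: no H2 JAR in WEB-INF/lib"
            else
                echo "H2 JAR still present: $(find_h2_jar "$1")"
                exit 1
            fi
            ;;
        *)
            remove_h2_jar "$1"
            ;;
    esac
fi
```

Run the check mode after the upgrade as well: the fixed app versions stop the import feature from connecting to H2, but an instance that kept the JAR in place can still be confirmed against this advisory's workaround with the same one-liner.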
Jira versions compatible with Insight - Asset Management app version 8.9.3 (see the compatibility table above):
Server
Jira Core Server 8.12.0 - 8.20
Jira Software Server 8.12.0 - 8.20
Jira Service Management Server 4.12 - 4.20
Data Center
Jira Core Data Center 8.12.0 - 8.20
Jira Software Data Center 8.12.0 - 8.20
Jira Service Desk Data Center 4.12 - 4.14
If you have questions or concerns regarding this advisory and assistance upgrading, contact the GLiNTECH team or your Account Manager. Alternatively, you can raise a support request through Atlassian.
GLiNTECH specialises in helping customers with their Atlassian tools.
As Atlassian Platinum partners we can assist you in all aspects of upgrading Confluence and ensuring this issue doesn't affect you.
We bring best practice experience and change management know-how to make sure your users experience minimum disruption.