
Security Update - Jira, Confluence Server and Data Center




There have been recent media reports about a security vulnerability that affects Jira Server & Jira Data Center (including Jira software, Jira core and Jira Service Desk for Server and Data Center), and Confluence Server & Confluence Data Center products. If you use these products, see below for steps to address this vulnerability.

Summary of Vulnerability

Atlassian disclosed a critical severity security vulnerability that affects the following products:

Atlassian recommends that you:

  • Upgrade Jira Server & Jira Data Center to version 8.2.4 or higher. If this is not possible, refer to the notes below for other fix options.
  • Upgrade Confluence Server & Confluence Data Center to version 6.14.2 or higher. If this is not possible, refer to the notes below for other fix options.

Note that Atlassian Cloud instances have already been upgraded and are not affected by the issue described in this announcement.

Jira Server & Jira Data Center Versions (including Jira Core & Jira Software & Jira Service Desk)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published at Atlassian severity levels. This is their assessment and you should evaluate its applicability to your own IT environment.

Description of vulnerability

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. For this issue to be exploitable at least one of the following conditions must be met:

  • an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or
  • an SMTP server has been configured in Jira and an attacker has "JIRA Administrators" access.

In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with "JIRA Administrators" access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

All versions of Jira Server and Data Center from 4.4.0 before 7.6.14 (the fixed version for 7.6.x), from 7.7.0 before 7.13.5 (the fixed version for 7.13.x), from 8.0.0 before 8.0.3 (the fixed version for 8.0.x), from 8.1.0 before 8.1.2 (the fixed version for 8.1.x), and from 8.2.0 before 8.2.3 are affected by this vulnerability. This issue can be tracked here: JRASERVER-69532 - CVE-2019-11581 - Template injection in various resources (status: Closed).


Advice to resolve this issue

Upgrade Jira

Atlassian has released the following versions of Jira Server & Jira Data Center to address this issue:


Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Jira Server & Jira Data Center, see the release notes. You can download the latest version of Jira Server & Jira Data Center from the download center.

Recommended: Upgrade Jira Server & Jira Data Center to version 8.2.4 or higher.

If you can't upgrade to the latest version (8.2.4):


(1) If you have a current feature version (a feature version released on 10 December 2018 or later), upgrade to the next bugfix version of your current feature version.

If you have a feature version…   …then upgrade to this bugfix version:
  8.0.x                          8.0.3
  8.1.x                          8.1.2


(2) If you have a current Enterprise release version (an Enterprise release version released on 10th July 2017 or later), upgrade to the latest Enterprise release version (7.13.5).

Please note that the 7.6 Enterprise release will reach End of Life in November 2019. If you are unable to upgrade to the latest Enterprise release version (7.13.5), upgrade to 7.6.14.

If you have Enterprise release version…   …then upgrade to this version:
  7.6.x                                   7.13.5 (Recommended), or 7.6.14
  7.13.x                                  7.13.5


(3) If you have an older version (a feature version released before 10 December 2018, or an Enterprise release version released before 10th July 2017), either upgrade to the latest version, or to the latest Enterprise release version (7.13.5).

If you have an older version (4.4.x, 5.x.x, 6.x.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.7.x, 7.8.x, 7.9.x, 7.10.x, 7.11.x or 7.12.x), upgrade to any of these versions:

  • Current versions: 8.0.3, 8.1.2, 8.2.3
  • Enterprise releases: 7.6.14, 7.13.5 (Recommended)


Mitigation

If you are unable to upgrade Jira immediately, then as a temporary workaround, you can:

  1. Disable the Contact Administrators Form, and block the /secure/ContactAdministrators endpoint; and
  2. Block these endpoints from being accessed:
     • /secure/admin/SendBulkMail!default.jspa
     • /admin/SendBulkMail!default.jspa
     • /SendBulkMail!default.jspa

Note that blocking the SendBulkMail endpoint will prevent Jira Administrators from being able to send bulk emails to users.


Blocking endpoints can be achieved by denying access in the reverse-proxy or load balancer.

After upgrading Jira, you can re-enable the Contact Administrators Form and unblock the ContactAdministrators and SendBulkMail endpoints.



Confluence Server & Confluence Data Center Versions

WebDAV vulnerability - CVE-2019-3395

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Confluence Server and Data Center versions released before the 18th June 2018 are vulnerable to this issue. A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.

All versions of Confluence Server and Confluence Data Center before version 6.6.7, from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) are affected by this vulnerability.

This issue can be tracked here: CONFSERVER-57971 - SSRF via WebDAV endpoint - CVE-2019-3395 (status: Closed).

Acknowledgements

Credit for finding this vulnerability goes to Shubham Shah from Assetnote (https://assetnote.io) and Orange Tsai from DEVCORE (https://devco.re).

Widget Connector vulnerability - CVE-2019-3396

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve server-side template injection, path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by this vulnerability.

This issue can be tracked here: CONFSERVER-57974 - Remote code execution via Widget Connector macro - CVE-2019-3396 (status: Closed).
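The affected ranges quoted above for CVE-2019-11581 (Jira), CVE-2019-3395 and CVE-2019-3396 (Confluence), encoded so an inventory of installed versions can be checked against them and mapped to the fixed version of each release line. This is an added example, not Atlassian's or GLiNTECH's code; the `jira`/`confluence` product keys and the sample version strings are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges exactly as quoted in this advisory, per release line, as
# (first affected, first fixed): affected when lo <= installed < fixed.
# "0.0.0" stands in for "all versions before ...". Not an independent source.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    # Jira Server / Data Center: SSTI in ContactAdministrators and SendBulkMail
    "CVE-2019-11581": [("4.4.0", "7.6.14"), ("7.7.0", "7.13.5"), ("8.0.0", "8.0.3"),
                       ("8.1.0", "8.1.2"), ("8.2.0", "8.2.3")],
    # Confluence Server / Data Center: SSRF via the WebDAV plugin
    "CVE-2019-3395": [("0.0.0", "6.6.7"), ("6.7.0", "6.8.5"), ("6.9.0", "6.9.3")],
    # Confluence Server / Data Center: SSTI / RCE via the Widget Connector macro
    "CVE-2019-3396": [("0.0.0", "6.6.12"), ("6.7.0", "6.12.3"), ("6.13.0", "6.13.3"),
                      ("6.14.0", "6.14.2")],
}
# Product keys are an assumption of this example, not an Atlassian identifier.
PRODUCT_CVES = {"jira": ["CVE-2019-11581"], "confluence": ["CVE-2019-3395", "CVE-2019-3396"]}

def parse(version: str) -> Tuple[int, ...]:
    """'7.13.2' or '8.2.3-SNAPSHOT' -> (7, 13, 2); short forms like '8.2' pad to (8, 2, 0)."""
    parts = re.findall(r"\d+", version.split("-")[0])
    if not parts:
        raise ValueError(f"not a version string: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def fix_version_for(cve: str, version: str) -> Optional[str]:
    """First fixed version closing the affected range that contains `version`, else None."""
    installed = parse(version)
    for lo, fixed in AFFECTED[cve]:
        if parse(lo) <= installed < parse(fixed):
            return fixed
    return None

def affected_by(product: str, version: str) -> Dict[str, str]:
    """Map every CVE affecting this product version to the fix version for its release line."""
    hits = {}
    for cve in PRODUCT_CVES[product]:
        fixed = fix_version_for(cve, version)
        if fixed is not None:
            hits[cve] = fixed
    return hits

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for product, version in [("jira", "7.13.2"), ("jira", "8.2.4"), ("confluence", "6.8.0")]:
        print(product, version, affected_by(product, version) or "not affected")
```

A 7.6.x Jira reports 7.6.14 as its fix; the upgrade tables above still apply for choosing between that and the recommended 7.13.5 or 8.2.4.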

Acknowledgements

Credit for finding this vulnerability goes to Daniil Dmitriev (https://twitter.com/ddv_ua).

Advice to resolve this issue

Fix

We have taken the following steps to address these issues:

What you need to do

Atlassian recommends that you upgrade to the latest version (6.15.1). For a full description of the latest version of Confluence Server and Data Center, see the Release Notes. You can download the latest version of Confluence from the Atlassian website.

If you can’t upgrade to the latest version (6.15.1):

(1) If you have a current feature version (a feature version released on 4th October 2018 or later), upgrade to the next bugfix version of your current feature version.

If you have a feature version…   …then upgrade to this bugfix version:
  6.12.0, 6.12.1, 6.12.2         6.12.3
  6.14.0, 6.14.1                 6.14.2

(2) If you have a current enterprise release version (an enterprise release version released on 4th April 2017 or later), upgrade to the latest version of your enterprise release version.

If you have an enterprise release version…                                   …then upgrade to this version:
  6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11   6.6.12
  6.13.0, 6.13.1, 6.13.2                                                     6.13.3

(3) If you have an older version (a feature version released before 4th October 2018, or an enterprise release version released before 4th April 2017), either upgrade to the latest version of Confluence Server or Data Center, or to the latest version of an enterprise release version.

If you have an older version (1.x.x, 2.x.x, 3.x.x, 4.x.x, 5.x.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, 6.5.x, 6.7.x, 6.8.x, 6.9.x, 6.10.x or 6.11.x), upgrade to any of these versions:

  • 6.14.2
  • 6.13.3
  • 6.6.12

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can go to Manage apps (Manage add-ons in older versions), select System, and disable the following system plugins in Confluence:

  • WebDAV plugin
  • Widget Connector

If you disable the Widget Connector plugin, the Widget Connector macro will not be available. This macro is used to display content from websites like YouTube, Vimeo, and Twitter. Users will see an 'unknown macro' error. 

If you disable the WebDAV plugin, you will not be able to connect to Confluence using a WebDAV client. Disabling this plugin will also automatically disable the Office Connector plugin, which means Office Connector features such as Import from Word, and Edit in Office will not be available. Note that because WebDAV is not required to edit files from Confluence 6.11 and later, you will still be able to edit files in those versions. 

After upgrading, you will need to manually re-enable:

  • WebDAV plugin
  • Widget Connector
  • Office Connector.


Not sure how to proceed? 

GLiNTECH specialises in helping customers with their Atlassian tools.

As Atlassian Platinum partners we can assist you in all aspects of upgrading Jira and Confluence and ensuring this issue doesn't affect you.
We bring best practice experience and change management know-how to make sure your users experience minimum disruption.