Admins looking after Atlassian’s Jira development and ticketing tools have a spot of patching work on their hands after the company released updates addressing two critical flaws.
Two product families are affected by the advisory:
- Jira Service Desk Server and Jira Service Desk Data Center (CVE-2019-14994), and
- Jira Server and Jira Data Center (CVE-2019-15001).
According to Atlassian’s alert, customers and employees should only be able to use Jira Service Desk to “raise requests and view issues,” such as IT tickets.
However, by exploiting the critical URL path traversal flaw tracked as CVE-2019-14994, an attacker with access to the portal could bypass these restrictions, viewing issues and making requests relating to Jira Service Desk projects, Jira Core projects, and Jira Software projects.
Although Atlassian has seen no evidence of exploitation, independent research by security company Tenable has found 25,000 portals that are vulnerable to this issue, belonging to organizations in healthcare, government, education and manufacturing in the United States, Canada, Europe and Australia.
The researcher who discovered the flaw, Sam Curry, tweeted on 18 September that he plans to reveal more details of the vulnerability using a proof of concept exploit.
The other critical flaw, CVE-2019-15001, is described as an “authenticated template injection vulnerability in the Jira Importers Plugin (JIM)” through which an attacker could remotely execute code on vulnerable servers running a vulnerable version of Jira Server or Jira Data Center.
The limitation is that an attacker would need Jira Admin access, said the advisory.
The vulnerability is credited to researcher Daniil Dmitriev, who also discovered a similar server-side injection flaw in July, CVE-2019-11581.
All versions of Jira Service Desk Server and Jira Service Desk Data Center before 3.9.16, from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and from 4.4.0 before 4.4.1 are on the fix list.
Jira Service Desk Cloud is not affected, nor are Jira Core or Jira Software on servers where Jira Service Desk is not installed.
The patched versions are v3.9.16, v3.16.8, v4.1.3, v4.2.5, v4.3.4, and v4.4.1.
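As an added example (not code from the advisory or from Atlassian), a small Python checker that encodes the Jira Service Desk ranges above and tells an admin which installs still need the CVE-2019-14994 update; the hostnames and versions in the inventory are constructed.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges for CVE-2019-14994 as quoted in the advisory summary above:
# (first affected version inclusive or None for "all earlier", first fixed version exclusive)
CVE_2019_14994_RANGES = [
    (None,     "3.9.16"),
    ("3.10.0", "3.16.8"),
    ("4.0.0",  "4.1.3"),
    ("4.2.0",  "4.2.5"),
    ("4.3.0",  "4.3.4"),
    ("4.4.0",  "4.4.1"),
]


def parse_version(text: str) -> Version:
    """Turn 'v4.2.5' or '4.4' into a comparable tuple of ints, padded to three parts."""
    parts = tuple(int(p) for p in text.strip().lstrip("v").split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version_text: str) -> Optional[str]:
    """Return the fixed version to upgrade to if the install is affected, else None."""
    v = parse_version(version_text)
    for low, fixed in CVE_2019_14994_RANGES:
        above_low = low is None or parse_version(low) <= v
        if above_low and v < parse_version(fixed):
            return fixed
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host whose Jira Service Desk version is affected to its target fix version."""
    return {host: fix for host, ver in inventory.items()
            if (fix := is_affected(ver)) is not None}


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are illustrative only.
    sample = {"jsd-prod.example": "4.2.3", "jsd-test.example": "v4.4.1",
              "jsd-legacy.example": "3.12.1"}
    for host, fix in triage(sample).items():
        print(f"{host}: affected, upgrade to {fix}")
```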
For Jira Server and Jira Data Center, it’s best to study the complete list published with the advisory, but the issue appears to go back to version 7.0.10, released only months after the product’s launch in 2015.
As with the first flaw, Jira Service Desk Cloud, and Jira Core or Jira Software on servers not using Jira Service Desk are unaffected.
The patched versions are v7.6.16, v7.13.8, v8.1.3, v8.2.5, v8.3.4, and v8.4.
If admins are unable to upgrade immediately, Atlassian suggests the temporary workaround of blocking PUT requests to the endpoint /rest/jira-importers-plugin/1.0/demo/create (and unblocking it once the update is applied), rather than disabling the Jira Importers plugin.