ATLASSIAN:JRASERVER-72566 (atlassian, security-metrics-bot)
Jun 30, 2021 - 3:09 a.m.

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

Published: 2021-06-30 03:09:16
Reporter: security-metrics-bot
Source: jira.atlassian.com

CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

h3. Issue Summary

Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed an Ehcache RMI network service on port 40001 and potentially 40011 [0][1][2]. Because of a missing authentication vulnerability, attackers who can connect to the service could execute arbitrary code of their choice in Jira through deserialization. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service.

[0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

[1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

[2] The default Ehcache port is 40001 but it can be configured to be on a different port, see [Installing JIRA Data Center|https://confluence.atlassian.com/adminjiraserver/installing-jira-data-center-938846870.html#InstallingJiraDataCenter-parametersCluster.propertiesfileparameters] for more details.

Affected versions:
The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:

  • From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)
  • From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)
  • From version 8.14.0 before 8.17.0

The versions of Jira Service Management Data Center affected by this vulnerability are:

  • From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
  • From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
  • From version 4.14.0 before 4.17.0
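
The following Python check is an added example, not code from Atlassian's advisory: it maps an installed version onto the affected ranges above and, when run from a host outside the cluster, reports which Ehcache ports accept TCP connections. The product keys `jira` and `jsm`, the function names, and the `probe` parameter are assumptions of this example.

```python
import socket

# (first affected, first fixed) version ranges, copied from the advisory text.
AFFECTED = {
    "jira": [((6, 3, 0), (8, 5, 16)), ((8, 6, 0), (8, 13, 8)), ((8, 14, 0), (8, 17, 0))],
    "jsm": [((2, 0, 2), (4, 5, 16)), ((4, 6, 0), (4, 13, 8)), ((4, 14, 0), (4, 17, 0))],
}
# Default Ehcache ports named in the advisory; pass the configured ports if they differ.
EHCACHE_PORTS = (40001, 40011)


def parse_version(text):
    """'8.13' -> (8, 13, 0). Assumes plain dotted numeric versions."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def fixed_in(product, version):
    """Return the fixed release for an affected version, or None if not affected."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED[product]:
        if first_affected <= v < first_fixed:
            return ".".join(map(str, first_fixed))
    return None


def reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(product, version, host, ports=EHCACHE_PORTS, probe=reachable):
    """Run from a host outside the cluster, where the Ehcache ports should be closed."""
    exposed = [p for p in ports if probe(host, p)]
    upgrade_to = fixed_in(product, version)
    actions = []
    if upgrade_to:
        actions.append(f"upgrade to {upgrade_to} or later")
    if exposed:
        actions.append(f"restrict ports {exposed} to Data Center nodes")
    return {"upgrade_to": upgrade_to, "exposed": exposed, "actions": actions}
```

Because older releases can allocate the Ehcache object port randomly (notes [0] and [1]), a closed result on the default ports does not replace the upgrade.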

h3. Fixed Versions

To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:

  • 8.5.16 that contains a fix for this issue
  • 8.13.8 that contains a fix for this issue
  • 8.17.0 that contains a fix for this issue

Jira Service Management Data Center versions:

  • 4.5.16 that contains a fix for this issue
  • 4.13.8 that contains a fix for this issue
  • 4.17.0 that contains a fix for this issue

These versions can be downloaded at:

h3. Additional details

For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]
