atlassian / Security-metrics-bot / JSDSERVER-8716
Sep 21, 2021 - 3:03 a.m.

Jira Service Management / Insight Asset Management vulnerable to RCE Security

2021-09-21 03:03:33
security-metrics-bot
jira.atlassian.com

CVSS2: 6.5 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.153 Low (Percentile: 95.9%)

Description

Insight - Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server (remote code execution a.k.a. RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test environments.

The combination of the DB import feature introduced by Insight - Asset Management with the existing Jira H2 DB library exposed this vulnerability. The vulnerability exists whether or not the import configuration was saved and even if H2 was never used as a targeted DB. Accessing this vulnerability requires the following:

  • The user must be an authenticated Jira user AND

Either of the following privileges within Insight - Asset Management:

  • user or group permission to “Insight administrator”

  • user or group permission to “Object Schema Manager”

Acknowledgments

The issue was discovered by l0gg via the Atlassian public bug bounty program.

Affected versions:

Insight - Asset Management version:

  • All 5.x versions
  • All 6.x versions
  • All 7.x versions
  • All 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x, 8.6.x, 8.7.x, 8.8.x versions
  • All 8.9.x versions before 8.9.3

Jira Service Management Data Center and Server version:

  • All 4.15.x versions
  • All 4.16.x versions
  • All 4.17.x versions
  • All 4.18.x versions
  • All 4.19.x versions

Fixed versions:

Insight - Asset Management-8.9.3

Jira Service Management Data Center and Jira Service Management Server-4.20.0

Further details can be found on the advisory page: https://confluence.atlassian.com/adminjiraserver/jira-service-management-security-advisory-2021-10-20-1085186548.html

Affected configurations

Vulners
Node
atlassian jira_service_management Range 4.15.0 data_center
OR
atlassian jira_service_management Range 4.15.1 data_center
OR
atlassian jira_service_management Range 4.15.2 data_center
OR
atlassian jira_service_management Range 4.16.1 data_center
OR
atlassian jira_service_management Range 4.17.0 data_center
OR
atlassian jira_service_management Range 4.16.0 data_center
OR
atlassian jira_service_management Range 4.16.2 data_center
OR
atlassian jira_service_management Range 4.17.1 data_center
OR
atlassian jira_service_management Range 4.18.0 data_center
OR
atlassian jira_service_management Range 4.19.0 data_center
OR
atlassian jira_service_management Range 4.18.1 data_center
OR
atlassian jira_service_management Range 4.18.2 data_center
OR
atlassian jira_service_management Range 4.18.3 data_center
OR
atlassian jira_service_management Range 4.19.1 data_center
OR
atlassian jira_service_management Range <4.20.0 data_center
