We have identified and fixed vulnerabilities in JIRA 4.2 that allow an attacker to mount Cross Site Scripting (XSS) and/or Cross Site Request Forgery (XSRF) attacks. Full details of the severity, risks and vulnerabilities can be found in the JIRA Security Advisory 2010-11-06.

      The patches below should be applied. Please note that Studio instances are not vulnerable at the time of this disclosure.

      Note that these patches are cumulative and include the fixes that were applied in JRA-21004.

      Patches

            [JRASERVER-22493] Patches for XSS / XSRF vulnerabilities

            robk added a comment -

            Running an unzip across my Jira instances is both clunky and breaks the RPM I build to deploy and manage my Jira install. I can probably wangle a %patch in the specfile, but surely it would have been just as easy to roll an updated tar.gz of the Jira standalone install bundle? This kind of ad-hoc patching is not what I'd expect of Atlassian.

            Julian Radünz added a comment -

            Patch for 4.2 applied. Seems to work.

            Giovanni Baroni added a comment -

            The updated 4.1.2 patch worked for me too this time.
            Patch 4.2 is working after chmod 644 on the updated file.

            Thanks a lot.

            tier-0 grump added a comment -

            A patch has now been issued for Jira 4.2.

            Joe Dumbra added a comment -

            @Wendell Keuneman
            @James Winters

            Much appreciated, I'll look forward to it.

            Kent Brodie added a comment -

            The updated 4.1.2 patch worked this time. No apparent issues.

            tier-0 grump added a comment -

            @Tim Kannenberg
            @Joe Dumbra
            We are creating a patch for 4.2; if you watch the issue it will appear shortly.

            Wendell Keuneman (Inactive) added a comment -

            @Joe Dumbra

            Although not directly related to this issue, I wanted to let you know that we acknowledge the difficulties with the install and upgrade process and have a project underway to provide an improvement to the existing procedures. The scope includes both JIRA and Confluence, with the goal of reducing many of the pain points and simplifying the steps.

            Kelson Ren added a comment -

            To answer some support inquiries about how to identify whether or not the patch is successfully installed:

            As long as the security patch is installed on the JIRA instance successfully, you should see the information below in the JIRA boot log:

            ___ Applied Patches _______________________
            
                 JRA-22493                                     : A patch to fix problems caused by JRA-22493
            

            tier-0 grump added a comment -

            The problem is that the files inside the zip do not have the correct permissions set. This has been rectified, but the CDN may still be serving older files; I am trying to get the old files invalidated. The zip files should be dated 7th December. You can of course use chmod to change the files' permissions back to 644 in the meantime.
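The two checks the comments above describe, Kelson Ren's "Applied Patches" banner in the boot log and tier-0 grump's chmod 644 workaround for the badly-permissioned zip, as a small shell helper. This is an added example, not code from the issue or from Atlassian; the function names, the log file and the patch directory you pass in are assumptions, and the log text used to exercise it is constructed from the excerpt in the comment, not captured from a real instance.

```shell
#!/bin/sh
# Added example (not part of JRASERVER-22493 or any Atlassian tooling).
# Assumptions: $1 to jira_patch_applied is the JIRA boot log (e.g. the
# Tomcat catalina.out, which the page does not name); $1 to
# fix_patch_perms is the directory the patch zip was extracted into.

# Returns 0 only if the boot log shows the "Applied Patches" banner
# AND a "JRA-22493 : ..." entry under it. Requiring both means a stray
# mention of JRA-22493 elsewhere in the log (an exception message, say)
# does not get mistaken for a successfully applied patch.
jira_patch_applied() {
    log="$1"
    [ -r "$log" ] || return 2
    grep -q '^[[:space:]]*___ Applied Patches' "$log" || return 1
    grep -q '^[[:space:]]*JRA-22493[[:space:]]*:' "$log" || return 1
    return 0
}

# Resets every regular file under a directory to mode 644, the
# workaround for the zip whose entries shipped with the wrong mode bits.
# Directories are left alone so they stay traversable.
fix_patch_perms() {
    dir="$1"
    [ -d "$dir" ] || return 2
    find "$dir" -type f -exec chmod 644 {} +
}

# Returns 0 if no regular file under the directory deviates from 644.
all_files_644() {
    dir="$1"
    [ -z "$(find "$dir" -type f ! -perm 644)" ]
}
```

Run `fix_patch_perms` on the extracted patch directory before copying it over the install, restart JIRA, then run `jira_patch_applied` against the boot log; a non-zero exit means the banner or the JRA-22493 entry is missing and the patch should not be considered applied.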

              pleschev Peter Leschev
              jwinters tier-0 grump