JIRA Server (including JIRA Core) - JRASERVER-20995

Privilege escalation vulnerability when administrator access is compromised

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Highest
    • Resolution: Fixed
    • Affects Version/s: 3.12, 3.12.1, 3.12.2, 3.12.3, 3.13, 3.13.1, 3.13.2, 3.13.3, 3.13.4, 3.13.5, 4.0, 4.0.1, 4.0.2, 4.1
    • Fix Version/s: 4.1.1, 4.2
    • Component/s: None

      Description

      Note: This issue is superseded by JRA-21004. Please install the patches on that issue, rather than this one.

      For more details, see JIRA Security Advisory - 2010-04-16.

      The security advisory also has details of how to determine if your JIRA installation has been compromised and another addendum on good system administration practices to protect your public JIRA installation. These additions are valuable even if you cannot apply the patch immediately.

      If you have already installed this patch, install JRA-21004 on top of this patch.

      We have identified and fixed a privilege escalation vulnerability, which may affect JIRA instances.

      This vulnerability is only applicable when an attacker has already gained administrator access to the instance. An attacker who has gained administrator access to a JIRA instance could set the attachment, index, or backup paths to a location within the JIRA web application directory. Once this has been done, the attacker can upload malicious code that executes in the context of the user running the application server in which JIRA is deployed. The attacker could potentially modify JIRA's files and capture user credentials. If you have followed standard guidelines for hardening your application servers, your instance should be less susceptible to this vulnerability.

      We recommend that you apply the attached patch immediately to address these vulnerabilities.
      Instructions for applying the patch are contained in the Readme file inside the attached zip. Please download the appropriate patch for your version of JIRA (these patches have only been tested on the point releases specified in the zip filename). If you are not on the point release that the patch was created for, we recommend that you first upgrade to the latest point release for your version of JIRA before applying the patch.

      If you are applying this patch, we also recommend you apply the patch for JRA-20994.

      Further Updates
      This vulnerability occurs if you have configured your attachment directory, index directory, or backup directory to locations on the filesystem whose contents can be served by JIRA's Tomcat (or any other) application server. For example, assume that you have a J2EE/Java webapp being served from /opt/application. You will be vulnerable to this attack if you set the attachment, index or backup directories to:

      • the webapp location - /opt/application
      • any path within the webapp location e.g. /opt/application/attachments or /opt/application/a/b/attachments
      • any path above the webapp location e.g. / or /opt

      Please note that you should consider all web applications you have on the server. For example, if you have one application served from /opt/application and another served from /usr/local/application, then the attachment, index and backup directories should not be set to any of: /, /opt, /opt/application and its descendants, /usr, /usr/local, /usr/local/application and its descendants.

      This also affects standalone installations. For example, suppose you have installed JIRA 4.1 standalone at C:\apps\jira. By default, the webapp location of JIRA is then C:\apps\jira\atlassian-jira. The attachment, index and backup directories should not be set to C:\, C:\apps, C:\apps\jira, C:\apps\jira\atlassian-jira, or any of its descendants. However, C:\apps\jira\attachments is fine.

      We strongly recommend that you check these directories in JIRA and, if you currently have attachment, backup or index directories that are vulnerable as described above, move those directories to locations that are unrelated to your webapp locations. Please note that you will need to follow these instructions even if you have applied the attached patches.
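      The following is an added example (not part of this issue or of Atlassian's patches) that applies the rule above as a lexical check: each configured data directory is flagged if it equals, lies inside, or lies above any webapp root on the server. The function names, the sample webapp roots and the sample directories are constructed for illustration; paths are compared as strings, so pass absolute paths with symlinks already resolved.

```python
# Added example: lexically checks JIRA's attachment/index/backup directories
# against every webapp root on the server, per the guidance in this issue.
from pathlib import PurePosixPath, PureWindowsPath


def _parts(path, windows):
    """Split a path into components; Windows paths compare case-insensitively."""
    p = PureWindowsPath(path) if windows else PurePosixPath(path)
    return tuple(s.lower() for s in p.parts) if windows else p.parts


def unsafe_directories(webapp_roots, data_dirs, windows=False):
    """Return {label: reason} for each data directory that equals, lies inside,
    or lies above any webapp root (all three are unsafe per this issue).

    The comparison is purely lexical: no filesystem access is performed, so
    callers must supply absolute paths with symlinks already resolved.
    """
    roots = [(r, _parts(r, windows)) for r in webapp_roots]
    findings = {}
    for label, d in data_dirs.items():
        dp = _parts(d, windows)
        for root, rp in roots:
            if dp == rp:
                findings[label] = f"{d} is the webapp location {root}"
            elif dp[:len(rp)] == rp:
                findings[label] = f"{d} is inside the webapp location {root}"
            elif rp[:len(dp)] == dp:
                findings[label] = f"{d} is above the webapp location {root}"
            else:
                continue  # no overlap with this root, try the next one
            break  # one reason per directory is enough
    return findings


if __name__ == "__main__":
    # Constructed sample configurations mirroring the paths used in this issue.
    unix = unsafe_directories(
        ["/opt/application", "/usr/local/application"],
        {"attachments": "/opt/application/attachments", "index": "/usr",
         "backup": "/var/jira/backup"})
    win = unsafe_directories(
        [r"C:\apps\jira\atlassian-jira"],
        {"attachments": r"C:\apps\jira\attachments",
         "index": r"C:\apps\jira\atlassian-jira\index", "backup": "C:\\"},
        windows=True)
    for label, reason in {**unix, **win}.items():
        print(f"UNSAFE {label}: {reason}")
```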

        Attachments

        1. patch-JRA-20995-3_12_3.zip (157 kB)
        2. patch-JRA-20995-3_13_5.zip (174 kB)
        3. patch-JRA-20995-4_0_2.zip (185 kB)
        4. patch-JRA-20995-4_1.zip (190 kB)

              People

              • Assignee: Unassigned
              • Reporter: Edwin Wong (edwin@atlassian.com)
              • Votes: 6
              • Watchers: 22
