Privilege escalation vulnerability when administrator access is compromised

We have identified and fixed a privilege escalation vulnerability, which may affect JIRA instances.

This vulnerability is only applicable when an attacker has gained administration access on the instance. An attacker, who has gained administrator access to a JIRA instance could set the attachment, index, or backup paths to a location within the JIRA web application directory. Once this has been done, the attacker can upload malicious code that can execute in the context of the user running the application server in which JIRA is deployed. The attacker could potentially modify JIRA's files and capture user credentials. If you have followed standard guidelines for hardening your application servers, then your instance should be less susceptible to this vulnerability.

We recommend that you apply the attached patch immediately to address these vulnerabilities.
The Instructions to apply the patch is contained within the Readme file as part of the attached zip. Please download the appropriate patch for your version of JIRA (these patches have only been tested on the point releases specified in the zip filename). If you are not on the point release that the patch is created for, it is recommended that you first upgrade to the latest point release for your version of JIRA before applying the patch.

If you are applying this patch, we also recommend you apply the patch for JRA-20994.

Further Updates
This vulnerability occurs if you have configured your attachment directory, index directory, or backup directory to locations on the filesystem such that the contents can be served by the JIRA's Tomcat (or any other) application server. For example, assume that you have a J2EE/Java Webpp being served from /opt/application. You will be vulnerable to this attack if you set the attachment, index or backup directories to:

• the webapp location - /opt/application
• any path within the webapp location e.g. /opt/application/attachments or /opt/application/a/b/attachments
• any path above the webapp location e.g. / or /opt

Please note that you should consider all web applications you have on the server. For example, if you have one application served from /opt/application, and another served from /usr/local/application, then the attachment, index and backup directories should not be set to any of: /, /opt, /opt/application and its descendents, /usr, /usr/local, /usr/local/application and its descendents.

This also affects standalone installations. For example, if you have installed JIRA 4.1 standalone at: C:\apps\jira. By default, the webapp location of jira is at C:\apps\jira\atlassian-jira. Attachment, Index and backup directories should not be set to C:\, C:\apps, C:\apps\jira, C:\apps\jira\atlassian-jira, or further descendents. However, C:\apps\jira\attachments is fine.

We strongly recommend that you check these directories in JIRA, and if you currently have attachment, backup or index directories which are vulnerable as described above, that you move those directories to locations which are un-related to your webapp locations. Please note that you will need to follow these instructions even if you have applied the attached patches.