Affected Versions
4.2.4 <= version < 6.3.0

An anonymous user can perform multiple attacks on a vulnerable JIRA instance that could lead to remote code execution, disclosure of private files, or a denial of service against the JIRA server. This vulnerability is caused by the way an XML parser and deserializer were used in JIRA.

For additional details see the full advisory.
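The thread below spends several comments on the boundary of the affected range (is 6.3.0 affected or not?). As an added example, not part of the ticket or of Atlassian's tooling, the following helper encodes the range stated above, 4.2.4 <= version < 6.3.0, as a numeric per-component comparison so that an inventory of JIRA Server version strings can be triaged without string-comparison mistakes ("6.10.0" must sort after "6.3.0"). The version strings in the `__main__` block are constructed for illustration.

```python
# Added example (not from the JRASERVER-64077 ticket): decide whether a JIRA
# Server version string falls inside the affected range quoted on the page,
# 4.2.4 <= version < 6.3.0. The upper bound is exclusive, so 6.3.0 itself is
# NOT affected, which is the boundary the comment thread discusses.
import re
from typing import Dict, Iterable, Tuple

AFFECTED_MIN = (4, 2, 4)   # inclusive, from the "Affected Versions" field
FIXED_IN = (6, 3, 0)       # exclusive: first release the ticket reports as fixed

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted version such as "6.1.5" or "7.0" into a tuple of ints.

    Any suffix after the leading numeric part (for example "-rc1") is ignored
    for the range check; a string with no leading numeric part is rejected so
    that an inventory entry like "latest" cannot silently pass as unaffected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so "7.0" compares as (7, 0, 0).
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_affected(version: str) -> bool:
    """True if the version lies in [4.2.4, 6.3.0)."""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED_IN


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each inventory version string to 'affected' or 'not affected'."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed inventory, including the versions asked about in the thread.
    sample = ["6.1.5", "6.3.0", "6.4", "7.0", "4.2.3", "4.2.4", "6.10.2"]
    for ver, status in triage(sample).items():
        print(f"{ver:>8}  {status}")
```

Running the block prints "6.1.5 affected", "6.3.0 not affected" and "7.0 not affected", matching the clarification Matt Hart gives further down: 6.3.0 is the first fixed release, and the range check must treat the upper bound as exclusive.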

            [JRASERVER-64077] Multiple Vulnerabilities in JIRA Workflow Servlet

Eiichi Kurimoto added a comment:

Hi Matthew,

Thank you for the update!

I'll share it with our customers.

Matt Hart (Inactive) added a comment:

Hi ekurimoto,

6.3.0 is not affected - I have updated the page.

Thank you for spotting that!

Eiichi Kurimoto added a comment - edited:

Thanks in advance,

I know I should upgrade it to 7.x or later, but let me check the boundary of the versions.
Is 6.3.0 affected or not affected?

https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html

All versions of JIRA Server up to and including 6.3.0 are affected by this vulnerability.
This issue can be tracked here: JRA-64077 - Multiple Vulnerabilities in JIRA Workflow Servlet (Resolved)

MattS added a comment:

No info at the CVE page?

Deyves (Inactive) added a comment:

Being tracked under: CVE-2017-5983

Matt Hart (Inactive) added a comment:

Hi everyone,
Thank you for reaching out!

matt.doar - this issue was fixed in all versions >= 6.3.0 - I have updated the description of the issue to make that more prominent in the ticket. Please see below for the best course of action.

confluence24 - Without knowing the setup 100% I can't say for sure; however, it is possible that you could still be vulnerable. Please see below for the best course of action.

dsztainberg - The only supported solution is to upgrade JIRA to a non-vulnerable version.
However, the 'JIRA Workflow Designer Plugin' can be disabled in the add-ons section of JIRA, which reportedly fixes this issue without the need to upgrade. Please note that this is not a supported solution and the impact of doing this has not been fully tested.
Please see below for the best course of action.

Best Course of Action:

The best course of action is to upgrade to a version of JIRA >= 6.3.0. Please note that 6.3 is now EOL and out of the support window, and JIRA Server 6.4 reaches its Atlassian Support end of life date on March 17, 2017, so we recommend upgrading to a version of JIRA Software (7.0 or later). For more information on the end of support and the upgrade process, see these resources:

• End of Support for JIRA 6.4 (blog)
• Upgrading from JIRA 6.x: What you need to know (webinar)
• Atlassian Migration Hub

PCG added a comment - edited:

What's the fix to apply if I can't upgrade my JIRA 6.1.5 in the short term?

CIT Commercial Applications added a comment - edited:

If we have anonymous access turned off, in other words, all users of our JIRA instance log in before use, does this security vulnerability affect us? Filed also as Atlassian support case GHS-74934.

MattS added a comment:

Was this fixed in a security release or patch? I can't find one listed for it. Nothing related at http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jira either.

Matt Hart (Inactive) added a comment:

CVSS v3 score: 10.0 => Critical severity

Exploitability Metrics
  Attack Vector:       Network
  Attack Complexity:   Low
  Privileges Required: None
  User Interaction:    None

Scope Metric
  Scope: Changed

Impact Metrics
  Confidentiality: None
  Integrity:       High
  Availability:    High

See http://go.atlassian.com/cvss for more details.

              mhart@atlassian.com Matt Hart (Inactive)