[JRASERVER-35797] Privilege escalation

Type: Bug
Resolution: Fixed
Priority: Highest (View bug fix roadmap)
Fix Version/s: 6.1.4
Affects Version/s: None
Component/s: None
Labels:
- advisory
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

We have identified and fixed a vulnerability in JIRA which allowed unauthenticated attackers to commit actions on behalf of any other authorised user. In order to exploit this vulnerability, an attacker requires access to JIRA web interface.

The vulnerability affects all supported versions of JIRA up to and including 6.1.3. It has been fixed in 6.1.4.

For more information, see our security advisory.

Patches are available at

JIRA 4.4.5: http://downloads.atlassian.com/software/jira/downloads/patch/patch-JRA-35797-4.4.5-20140303.zip
JIRA 5.0.7: http://downloads.atlassian.com/software/jira/downloads/patch/patch-JRA-35797-5.0.7-20140303.zip
JIRA 5.1.8: http://downloads.atlassian.com/software/jira/downloads/patch/patch-JRA-35797-5.1.8.zip
JIRA 5.2.11: http://downloads.atlassian.com/software/jira/downloads/patch/patch-JRA-35797-5.2.11-20140303.zip
JIRA 6.0.8: http://downloads.atlassian.com/software/jira/downloads/patch/patch-JRA-35797-6.0.8.zip

relates to

JRACLOUD-35797 Privilege escalation

Closed

was cloned as

CONFSERVER-31628 Privilege escalation

Closed

is cloned from: TRUST-36 Failed to load

mentioned in: JIRA Security Advisory 2014-02-26; JIRA Security Advisory 2014-02-26; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(5 mentioned in)

Form Name

VitalyA added a comment - 07/Mar/2014 5:10 AM

Dear JIRA Administrator,

This was a discovery by an internal team, not an external report or a real incident in the wild. As you can see from the list of affected versions, this vulnerability existed for years. We do not have any indications of it ever having been exploited in the wild - it is a very complex issue. At the same time, a perfectly executed attack using this vulnerability would not leave any trace.

Regards,
Vitaly Osipov
Security Engineering

VitalyA added a comment - 07/Mar/2014 5:10 AM Dear JIRA Administrator, This was a discovery by an internal team, not an external report or a real incident in the wild. As you can see from the list of affected versions, this vulnerability existed for years. We do not have any indications of it ever having been exploited in the wild - it is a very complex issue. At the same time, a perfectly executed attack using this vulnerability would not leave any trace. Regards, Vitaly Osipov Security Engineering

abc-jiraadmin added a comment - 07/Mar/2014 4:25 AM

We have an onDemand service. Can you please tell me
1) how long this vulnerability existed in onDemand?
2) is there any way to determine if this vulnerability was actually exploited in onDemand?

abc-jiraadmin added a comment - 07/Mar/2014 4:25 AM We have an onDemand service. Can you please tell me 1) how long this vulnerability existed in onDemand? 2) is there any way to determine if this vulnerability was actually exploited in onDemand?

Ben Sayers added a comment - 03/Mar/2014 11:58 PM

matt.doar Each time Jira starts up the temporary folder that atlassian-bundled-plugins.zip is decompressed into is removed and the zip is decompressed again. So the extra files will be removed when you start Jira up after applying the new patch.

Ben Sayers added a comment - 03/Mar/2014 11:58 PM matt.doar Each time Jira starts up the temporary folder that atlassian-bundled-plugins.zip is decompressed into is removed and the zip is decompressed again. So the extra files will be removed when you start Jira up after applying the new patch.

MattS added a comment - 03/Mar/2014 4:31 PM

Vitaly, how do the updated patches remove the extra files? The atlassian-bundled-plugins.zip in the first patch will already have been decompressed, so won't the extra files also have been installed?

MattS added a comment - 03/Mar/2014 4:31 PM Vitaly, how do the updated patches remove the extra files? The atlassian-bundled-plugins.zip in the first patch will already have been decompressed, so won't the extra files also have been installed?

Xavier Poinsard added a comment - 03/Mar/2014 3:33 PM

If we disable remote API calls, is the system still vulnerable ?

Xavier Poinsard added a comment - 03/Mar/2014 3:33 PM If we disable remote API calls, is the system still vulnerable ?

VitalyA added a comment - 03/Mar/2014 9:14 AM - edited

shchagin Thanks for noticing, these files should not be there. Our apologies, 3 patches contained these extra SDK parts.

if you have already installed patches for 4.4.5, 5.0.7 or 5.2.11, please re-download the appropriate "20140303" versions and re-apply them, this will remove the extra files. If you have not applied the patch yet, just download the package for your version and apply it as per instructions.

Patches for 6.0.8 and 5.1.8 have not changed.

VitalyA added a comment - 03/Mar/2014 9:14 AM - edited shchagin Thanks for noticing, these files should not be there. Our apologies, 3 patches contained these extra SDK parts. if you have already installed patches for 4.4.5, 5.0.7 or 5.2.11, please re-download the appropriate "20140303" versions and re-apply them, this will remove the extra files. If you have not applied the patch yet, just download the package for your version and apply it as per instructions. Patches for 6.0.8 and 5.1.8 have not changed.

Alex Shchagin added a comment - 02/Mar/2014 1:20 PM

Hi guys,

Could you please confirm that the following files are included by purpose into the patch for 5.2.11 inside the atlassian-bundled-plugins.zip:

 aui-qunit-plugin-0.11.jar
 functest-plugin-0.3.jar
 jira-func-test-plugin-5.2.11.jar
 jira-languages-5.2.11-en_AQ.jar
 jira-testkit-plugin-5.2-m19.jar
 pdkinstall-plugin-0.2.jar
 platform-ctk-plugin-2.17.0.jar

They seem to me as a part of SDK and they are not present in the original distribution.

Alex

Alex Shchagin added a comment - 02/Mar/2014 1:20 PM Hi guys, Could you please confirm that the following files are included by purpose into the patch for 5.2.11 inside the atlassian-bundled-plugins.zip : aui-qunit-plugin-0.11.jar functest-plugin-0.3.jar jira-func-test-plugin-5.2.11.jar jira-languages-5.2.11-en_AQ.jar jira-testkit-plugin-5.2-m19.jar pdkinstall-plugin-0.2.jar platform-ctk-plugin-2.17.0.jar They seem to me as a part of SDK and they are not present in the original distribution. Alex

Hermann Schwärzler added a comment - 28/Feb/2014 7:30 AM

So the problem exists even if anonymous access is disabled.
But can you give us any details about URL-patterns or POST-payloads that are used in the exploit so that we can have a really quick workaround using mod-rewrite or mod-security?

Hermann Schwärzler added a comment - 28/Feb/2014 7:30 AM So the problem exists even if anonymous access is disabled. But can you give us any details about URL-patterns or POST-payloads that are used in the exploit so that we can have a really quick workaround using mod-rewrite or mod-security?

VitalyA added a comment - 28/Feb/2014 1:15 AM

warmfusion you are correct.

VitalyA added a comment - 28/Feb/2014 1:15 AM warmfusion you are correct.

Toby Jackson added a comment - 27/Feb/2014 7:17 PM

Based on assumptions, given that the patch files include changes to jars that are either API or SPI components, it suggests the issue relates to a compromise on the API systems and so the vulnerability is not within the UI itself and can be exploited irrespective of anonymous view configuration.

Summary: I believe based on the patch contents that the issue is exploitable on any public system, even with anonymous access disabled.

Toby Jackson added a comment - 27/Feb/2014 7:17 PM Based on assumptions, given that the patch files include changes to jars that are either API or SPI components, it suggests the issue relates to a compromise on the API systems and so the vulnerability is not within the UI itself and can be exploited irrespective of anonymous view configuration. Summary: I believe based on the patch contents that the issue is exploitable on any public system, even with anonymous access disabled.

Assignee:: Unassigned

Reporter:: Renan Battaglin

Affected customers:: 0 This affects my team

Watchers:: 32 Start watching this issue

Created:: 14/Nov/2013 4:58 AM

Updated:: 04/Feb/2021 12:04 AM

Resolved:: 15/Nov/2013 6:41 AM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: VitalyA added a comment - 07/Mar/2014 5:10 AM

Expand comment: VitalyA added a comment - 07/Mar/2014 5:10 AM

Collapse comment: abc-jiraadmin added a comment - 07/Mar/2014 4:25 AM

Expand comment: abc-jiraadmin added a comment - 07/Mar/2014 4:25 AM

Collapse comment: Ben Sayers added a comment - 03/Mar/2014 11:58 PM

Expand comment: Ben Sayers added a comment - 03/Mar/2014 11:58 PM

Collapse comment: MattS added a comment - 03/Mar/2014 4:31 PM

Expand comment: MattS added a comment - 03/Mar/2014 4:31 PM

Collapse comment: Xavier Poinsard added a comment - 03/Mar/2014 3:33 PM

Expand comment: Xavier Poinsard added a comment - 03/Mar/2014 3:33 PM

Collapse comment: VitalyA added a comment - 03/Mar/2014 9:14 AM, Edited by VitalyA - 03/Mar/2014 9:28 AM

Expand comment: VitalyA added a comment - 03/Mar/2014 9:14 AM, Edited by VitalyA - 03/Mar/2014 9:28 AM

Collapse comment: Alex Shchagin added a comment - 02/Mar/2014 1:20 PM

Expand comment: Alex Shchagin added a comment - 02/Mar/2014 1:20 PM

Collapse comment: Hermann Schwärzler added a comment - 28/Feb/2014 7:30 AM

Expand comment: Hermann Schwärzler added a comment - 28/Feb/2014 7:30 AM

Collapse comment: VitalyA added a comment - 28/Feb/2014 1:15 AM

Expand comment: VitalyA added a comment - 28/Feb/2014 1:15 AM

Collapse comment: Toby Jackson added a comment - 27/Feb/2014 7:17 PM

Expand comment: Toby Jackson added a comment - 27/Feb/2014 7:17 PM

People

Dates