We couldn't load all Actvitity tabs. Refresh the page to try again.
If the problem persists, contact your Jira admin.
IMPORTANT: JAC is a Public system and anyone on the internet will be able to view the data in the created JAC tickets. Please don’t include Customer or Sensitive data in the JAC ticket.
Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-38548

Remove url parameter support for os_username, os_password

    • 7.13
    • 9
    • Severity 1 - Critical
    • 14
    • Hide
      Atlassian Update – 21st September 2020

      Hi everyone,

      We would like to inform you that from Jira 8.14 and later we’ll be blocking the default possibility to log into Jira by passing credentials via URL parameters (see https://jira.atlassian.com/browse/JRASERVER-38548).

      This method of authentication has been deprecated since the release of Jira 8.0 on 11th Feb 2019 (see https://jira.atlassian.com/browse/JRASERVER-67979).

      Since the credentials might end up as a plain text entry in different log files (such as that of load balancers or proxies), this method poses a security risk. To mitigate it, we want to block its default availability, and make it an option only in special cases. We’ll also sanitize the access logs of the Tomcat web server bundled with Jira.
      However, for the internal and legacy integrations to keep working, we still want to provide a way to use this method. You’ll have to set a special system property. That way your legacy and/or internal integrations will still work. To keep your logs under control, it’s also a good idea to review your logs for possible credential entries.
      If you have any feedback regarding this change, feel free to leave us a comment.

      Yours,
      The Jira Server Team

      Show
      Atlassian Update – 21st September 2020 Hi everyone, We would like to inform you that from Jira 8.14 and later we’ll be blocking the default possibility to log into Jira by passing credentials via URL parameters (see  https://jira.atlassian.com/browse/JRASERVER-38548 ). This method of authentication has been deprecated since the release of Jira 8.0 on 11th Feb 2019 (see  https://jira.atlassian.com/browse/JRASERVER-67979 ). Since the credentials might end up as a plain text entry in different log files (such as that of load balancers or proxies), this method poses a security risk. To mitigate it, we want to block its default availability, and make it an option only in special cases. We’ll also sanitize the access logs of the Tomcat web server bundled with Jira. However, for the internal and legacy integrations to keep working, we still want to provide a way to use this method. You’ll have to set a special system property. That way your legacy and/or internal integrations will still work. To keep your logs under control, it’s also a good idea to review your logs for possible credential entries. If you have any feedback regarding this change, feel free to leave us a comment. Yours, The Jira Server Team

      Putting credentials in request parameters is likely to lead to those credentials being logged in access logs.

       

      Workaround

      The following workaround is available in Jira 8.0.0 and higher versions.

      If you wish to prevent users from authenticating using url parameters, specifying their username & password in url parameters, then
      1. Stop Jira
      2. Open <Jira-installation-directory>/WEB-INF/web.xml
      3. Search for `<param-name>allowUrlParameterValue</param-name>`
      4. Modify `<param-value>true</param-value>` to <param-value>false</param-value>
      5. Start Jira.

      Note prior to making this change we suggest checking your Jira log files for log events like the following

      User "example-user" authenticated using os_password as a query parameter, this means of authentication has been deprecated. 

            Loading...
            IMPORTANT: JAC is a Public system and anyone on the internet will be able to view the data in the created JAC tickets. Please don’t include Customer or Sensitive data in the JAC ticket.
            Uploaded image for project: 'Jira Data Center'
            1. Jira Data Center
            2. JRASERVER-38548

            Remove url parameter support for os_username, os_password

              • 7.13
              • 9
              • Severity 1 - Critical
              • 14
              • Hide
                Atlassian Update – 21st September 2020

                Hi everyone,

                We would like to inform you that from Jira 8.14 and later we’ll be blocking the default possibility to log into Jira by passing credentials via URL parameters (see https://jira.atlassian.com/browse/JRASERVER-38548).

                This method of authentication has been deprecated since the release of Jira 8.0 on 11th Feb 2019 (see https://jira.atlassian.com/browse/JRASERVER-67979).

                Since the credentials might end up as a plain text entry in different log files (such as that of load balancers or proxies), this method poses a security risk. To mitigate it, we want to block its default availability, and make it an option only in special cases. We’ll also sanitize the access logs of the Tomcat web server bundled with Jira.
                However, for the internal and legacy integrations to keep working, we still want to provide a way to use this method. You’ll have to set a special system property. That way your legacy and/or internal integrations will still work. To keep your logs under control, it’s also a good idea to review your logs for possible credential entries.
                If you have any feedback regarding this change, feel free to leave us a comment.

                Yours,
                The Jira Server Team

                Show
                Atlassian Update – 21st September 2020 Hi everyone, We would like to inform you that from Jira 8.14 and later we’ll be blocking the default possibility to log into Jira by passing credentials via URL parameters (see  https://jira.atlassian.com/browse/JRASERVER-38548 ). This method of authentication has been deprecated since the release of Jira 8.0 on 11th Feb 2019 (see  https://jira.atlassian.com/browse/JRASERVER-67979 ). Since the credentials might end up as a plain text entry in different log files (such as that of load balancers or proxies), this method poses a security risk. To mitigate it, we want to block its default availability, and make it an option only in special cases. We’ll also sanitize the access logs of the Tomcat web server bundled with Jira. However, for the internal and legacy integrations to keep working, we still want to provide a way to use this method. You’ll have to set a special system property. That way your legacy and/or internal integrations will still work. To keep your logs under control, it’s also a good idea to review your logs for possible credential entries. If you have any feedback regarding this change, feel free to leave us a comment. Yours, The Jira Server Team

                Putting credentials in request parameters is likely to lead to those credentials being logged in access logs.

                 

                Workaround

                The following workaround is available in Jira 8.0.0 and higher versions.

                If you wish to prevent users from authenticating using url parameters, specifying their username & password in url parameters, then
                1. Stop Jira
                2. Open <Jira-installation-directory>/WEB-INF/web.xml
                3. Search for `<param-name>allowUrlParameterValue</param-name>`
                4. Modify `<param-value>true</param-value>` to <param-value>false</param-value>
                5. Start Jira.

                Note prior to making this change we suggest checking your Jira log files for log events like the following

                User "example-user" authenticated using os_password as a query parameter, this means of authentication has been deprecated. 

                        pcegla Pawel Cegla
                        dblack David Black
                        Votes:
                        7 Vote for this issue
                        Watchers:
                        25 Start watching this issue

                          Created:
                          Updated:
                          Resolved:

                            pcegla Pawel Cegla
                            dblack David Black
                            Affected customers:
                            7 This affects my team
                            Watchers:
                            25 Start watching this issue

                              Created:
                              Updated:
                              Resolved: