Remove url parameter support for os_username, os_password

XMLWordPrintable

    • 7.13
    • 9
    • Severity 1 - Critical
    • 14
    • Hide
      Atlassian Update – 21st September 2020

      Hi everyone,

      We would like to inform you that from Jira 8.14 and later we’ll be blocking the default possibility to log into Jira by passing credentials via URL parameters (see https://jira.atlassian.com/browse/JRASERVER-38548).

      This method of authentication has been deprecated since the release of Jira 8.0 on 11th Feb 2019 (see https://jira.atlassian.com/browse/JRASERVER-67979).

      Since the credentials might end up as a plain text entry in different log files (such as that of load balancers or proxies), this method poses a security risk. To mitigate it, we want to block its default availability, and make it an option only in special cases. We’ll also sanitize the access logs of the Tomcat web server bundled with Jira.
      However, for the internal and legacy integrations to keep working, we still want to provide a way to use this method. You’ll have to set a special system property. That way your legacy and/or internal integrations will still work. To keep your logs under control, it’s also a good idea to review your logs for possible credential entries.
      If you have any feedback regarding this change, feel free to leave us a comment.

      Yours,
      The Jira Server Team

      Show
      Atlassian Update – 21st September 2020 Hi everyone, We would like to inform you that from Jira 8.14 and later we’ll be blocking the default possibility to log into Jira by passing credentials via URL parameters (see  https://jira.atlassian.com/browse/JRASERVER-38548 ). This method of authentication has been deprecated since the release of Jira 8.0 on 11th Feb 2019 (see  https://jira.atlassian.com/browse/JRASERVER-67979 ). Since the credentials might end up as a plain text entry in different log files (such as that of load balancers or proxies), this method poses a security risk. To mitigate it, we want to block its default availability, and make it an option only in special cases. We’ll also sanitize the access logs of the Tomcat web server bundled with Jira. However, for the internal and legacy integrations to keep working, we still want to provide a way to use this method. You’ll have to set a special system property. That way your legacy and/or internal integrations will still work. To keep your logs under control, it’s also a good idea to review your logs for possible credential entries. If you have any feedback regarding this change, feel free to leave us a comment. Yours, The Jira Server Team

      Putting credentials in request parameters is likely to lead to those credentials being logged in access logs.

       

      Workaround

      The following workaround is available in Jira 8.0.0 and higher versions.

      If you wish to prevent users from authenticating using url parameters, specifying their username & password in url parameters, then
      1. Stop Jira
      2. Open <Jira-installation-directory>/WEB-INF/web.xml
      3. Search for `<param-name>allowUrlParameterValue</param-name>`
      4. Modify `<param-value>true</param-value>` to <param-value>false</param-value>
      5. Start Jira.

      Note prior to making this change we suggest checking your Jira log files for log events like the following

      User "example-user" authenticated using os_password as a query parameter, this means of authentication has been deprecated.

              Assignee:
              Pawel Cegla
              Reporter:
              David Black
              Votes:
              7 Vote for this issue
              Watchers:
              25 Start watching this issue

                Created:
                Updated:
                Resolved: