Jira Data Center: JRASERVER-38548

Remove url parameter support for os_username, os_password


Details

    • 7.13
    • 9
    • Severity 1 - Critical
    • 14
      Atlassian Update – 21st September 2020

      Hi everyone,

      We would like to inform you that from Jira 8.14 and later we’ll be blocking the default possibility to log into Jira by passing credentials via URL parameters (see https://jira.atlassian.com/browse/JRASERVER-38548).

      This method of authentication has been deprecated since the release of Jira 8.0 on 11th Feb 2019 (see https://jira.atlassian.com/browse/JRASERVER-67979).

      Since the credentials might end up as a plain text entry in different log files (such as that of load balancers or proxies), this method poses a security risk. To mitigate it, we want to block its default availability, and make it an option only in special cases. We’ll also sanitize the access logs of the Tomcat web server bundled with Jira.

      However, for the internal and legacy integrations to keep working, we still want to provide a way to use this method. You’ll have to set a special system property. That way your legacy and/or internal integrations will still work. To keep your logs under control, it’s also a good idea to review your logs for possible credential entries.

      If you have any feedback regarding this change, feel free to leave us a comment.

      Yours,
      The Jira Server Team


    Description

      Putting credentials in request parameters is likely to lead to those credentials being logged in access logs.


      Workaround

      The following workaround is available in Jira 8.0.0 and higher versions.

      If you wish to prevent users from authenticating via url parameters (that is, passing their username and password as url parameters), then:
      1. Stop Jira
      2. Open `<Jira-installation-directory>/WEB-INF/web.xml`
      3. Search for `<param-name>allowUrlParameterValue</param-name>`
      4. Modify `<param-value>true</param-value>` to `<param-value>false</param-value>`
      5. Start Jira.

      Note: prior to making this change, we suggest checking your Jira log files for log events like the following:

      `User "example-user" authenticated using os_password as a query parameter, this means of authentication has been deprecated.`
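      The log review suggested above and the web.xml check from the workaround, as an added example (not Atlassian's code): it scans constructed sample log lines for the deprecation warning quoted above and for Tomcat-style access-log entries that carry `os_username`/`os_password` in the request, reports the user without ever copying the password, and reads `allowUrlParameterValue` from a constructed web.xml fragment whose surrounding filter element is a placeholder, not Jira's real file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample lines (not from a real system): the Jira application-log
# warning quoted in the issue, plus two Tomcat-style access-log entries.
SAMPLE_LOG = """\
2020-09-21 10:15:02,114 WARN User "example-user" authenticated using os_password as a query parameter, this means of authentication has been deprecated.
10.0.0.5 - - [21/Sep/2020:10:15:02 +0000] "GET /rest/api/2/myself?os_username=example-user&os_password=hunter2 HTTP/1.1" 200 512
10.0.0.7 - - [21/Sep/2020:10:16:40 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 2048
"""
# Constructed web.xml fragment shaped like steps 3 and 4 of the workaround; the
# enclosing filter element is a placeholder, not Jira's real web.xml layout.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><filter>
  <filter-name>placeholder</filter-name><filter-class>placeholder</filter-class>
  <init-param><param-name>allowUrlParameterValue</param-name>
  <param-value>true</param-value></init-param></filter></web-app>"""

DEPRECATION_RE = re.compile(r'User "([^"]+)" authenticated using os_password as a query parameter')
URL_CRED_RE = re.compile(r'([?&])(os_username|os_password)=([^&\s"]*)')

def redact_url_credentials(line):
    """Blank os_username/os_password values in a request line (the kind of sanitisation
    the update says will be applied to the bundled Tomcat access log)."""
    return URL_CRED_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}=<redacted>", line)

def find_url_credential_logins(log_text):
    """One finding per line showing URL-parameter authentication; the password
    value itself is never copied into a finding."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = DEPRECATION_RE.search(line)
        if m:
            findings.append({"line": lineno, "source": "jira-log", "user": m.group(1)})
        elif "os_password=" in line:
            users = re.findall(r'os_username=([^&\s"]*)', line)
            findings.append({"line": lineno, "source": "access-log",
                             "user": users[0] if users else None,
                             "redacted": redact_url_credentials(line)})
    return findings

def url_param_auth_enabled(web_xml_text):
    """True/False for allowUrlParameterValue in a web.xml document, None if absent.
    Tag names are compared without their XML namespace prefix."""
    def local(tag): return tag.rsplit("}", 1)[-1]
    for elem in ET.fromstring(web_xml_text).iter():
        names = [c for c in elem if local(c.tag) == "param-name"]
        if names and (names[0].text or "").strip() == "allowUrlParameterValue":
            values = [c for c in elem if local(c.tag) == "param-value"]
            return bool(values) and (values[0].text or "").strip().lower() == "true"
    return None
```

      Run `find_url_credential_logins` over your real Jira and proxy logs before flipping the flag, so integrations that still authenticate this way show up (by user) and can be migrated first.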

            People

              pcegla Pawel Cegla
              dblack David Black