Jira Data Center
JRASERVER-66406

Security review of outgoing requests



    Description

      Summary

      The Jira instance and its addons generate outbound requests, for example to marketplace.atlassian.com, but also to other sites and web services. The purpose of this report is to document this behaviour and to help explain it when inquiries are made about application security.

      Steps to Reproduce

      Set up firewall with logging
      In this case firewalld commands were used to log and block all outbound packets generated from the Jira instance. Care was taken to allow established connections and all connections to the database and other services needed locally (DNS, etc.). The logging allowed the capture of all the hosts to which Jira tried to connect.

      Create issues and edit them

      Expected Results
      Jira will access the Marketplace on various AWS IP addresses. This is the only type of outbound request that is documented widely for self-hosted instances.

      Actual Results
      Many other sites were requested from Jira (I captured about a dozen other addresses), more specifically as a result of using addons. In particular, the Mobile for Jira addon made requests to an IP address belonging to Google (referenced as a googleapis host) when adding comments. Blocking this address results in being unable to comment on issues.

      Nov 25 10:26:25 xxxx kernel: [108880.580219] [UFW BLOCK] IN= OUT=ens3 src=192.168.xxx.xxx DST=172.217.21.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23291 DF PROTO=TCP SPT=37454 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
      yyyyyy@xxxx:~/ufw$ host 172.217.xx.yy
      10.21.217.172.in-addr.arpa domain name pointer muc11s13-in-f10.1e100.net.
      10.21.217.172.in-addr.arpa domain name pointer fra07s29-in-f10.1e100.net.
      10.21.217.172.in-addr.arpa domain name pointer muc11s13-in-f10.1e100.net.
      10.21.217.172.in-addr.arpa domain name pointer fra07s29-in-f10.1e100.net.

      Notes
      I have confirmed some of the IP addresses on which outbound requests were made while using these Jira plugins:

      • Epic Sum Up - Light
      • ICS Issue Calendar Sync for JIRA
      • JIRA Timesheet Report and Gadgets Plugin
      • JIRA Vote for Comments
      • Mobile for JIRA
      • Stateoscope
      • timereports

      112.8.69.129.in-addr.arpa. 3576 IN PTR ftp.uni-stuttgart.de.
      189.31.211.131.in-addr.arpa. 3600 IN PTR science-vs14.science.uu.nl.
      70.16.197.158.in-addr.arpa. 14400 IN PTR ftp.upjs.sk.
      3.53.20.185.in-addr.arpa. 300 IN PTR mirror.sax.uk.as61049.net.
      2.28.219.193.in-addr.arpa. 86400 IN PTR SunSITE.icm.edu.pl.
      216.205.157.213.in-addr.arpa. 86377 IN PTR host-213-157-205-216.customer.co.ge.
      131.223.13.31.in-addr.arpa. 86378 IN PTR mirrors.neterra.net.
      151.204.147.31.in-addr.arpa. 14400 IN PTR inf2.uniri.hr.
      85.177.193.31.in-addr.arpa. 3600 IN PTR mirror.nucleus.be.
      210.222.229.54.in-addr.arpa. 28 IN PTR mail.thefrown.net.
      252.45.83.5.in-addr.arpa. 21579 IN PTR mirrors.nxthost.com.
      198.224.84.80.in-addr.arpa. 3580 IN PTR mirror.proserve.nl.
      65.147.98.83.in-addr.arpa. 14400 IN PTR hosted-by.spango.com.
      228.34.116.84.in-addr.arpa. 1781 IN PTR mirror.inode.at.
      102.52.198.88.in-addr.arpa. 86382 IN PTR mirror.daniel-jost.net.
      209.89.211.95.in-addr.arpa. 86382 IN PTR mirrors.supportex.net.


          People

            tbartyzel Tomasz Bartyzel
            emarghidan Eduard M