Details
Suggestion
Resolution: Unresolved
Description
Summary
The Jira instance and its add-ons generate outbound requests, for example to marketplace.atlassian.com, but also to other sites and web services. The purpose of this report is to document this behaviour and to help explain it when questions about it are raised in the context of application security.
Steps to Reproduce
Set up firewall with logging
In this case, firewalld commands were used to log and block all outbound packets generated from the Jira instance. Care was taken to allow established connections and all connections to the database and other services needed locally (DNS, etc.). The logging captured every host to which Jira tried to connect.
Create issues and edit them
Expected Results
Jira will access the Marketplace at various AWS IP addresses. This is the only type of outbound request that is widely documented for self-hosted instances.
Actual Results
Many other sites were requested from Jira (I captured about a dozen other addresses), more specifically as a result of using add-ons. In particular, the Mobile for Jira add-on made requests to an IP address belonging to Google (referenced as a googleapis host) when adding comments. Blocking this address results in being unable to comment on issues.
Nov 25 10:26:25 xxxx kernel: [108880.580219] [UFW BLOCK] IN= OUT=ens3 src=192.168.xxx.xxx DST=172.217.21.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23291 DF PROTO=TCP SPT=37454 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
yyyyyy@xxxx:~/ufw$ host 172.217.xx.yy
10.21.217.172.in-addr.arpa domain name pointer muc11s13-in-f10.1e100.net.
10.21.217.172.in-addr.arpa domain name pointer fra07s29-in-f10.1e100.net.
10.21.217.172.in-addr.arpa domain name pointer muc11s13-in-f10.1e100.net.
10.21.217.172.in-addr.arpa domain name pointer fra07s29-in-f10.1e100.net.
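To turn a captured firewall log into a list of distinct outbound destinations, here is an added Python example (not part of this report and not Jira or add-on code): it parses kernel "[UFW BLOCK]" lines in the format shown above, counts new connection attempts per protocol, destination and port (TCP SYN only, so retransmits and established flows do not inflate the list), and filters out networks that are expected locally. The sample log lines, the 192.168.1.10 source, the 203.0.113.7 and 10.0.0.53 destinations and the allow-list networks are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# key=value fields of a netfilter LOG line; empty values such as "IN=" are allowed.
_FIELD_RE = re.compile(r"\b([A-Za-z]+)=(\S*)")

def parse_block_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one '[UFW BLOCK]' line for an *outbound* packet, else None."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = {k.upper(): v for k, v in _FIELD_RE.findall(line)}
    if not fields.get("OUT") or fields.get("IN"):  # inbound or forwarded: skip
        return None
    # TCP flags appear as bare words; only a SYN is a new connection attempt.
    fields["SYN"] = "1" if re.search(r"\bSYN\b", line) else ""
    return fields

def summarize_outbound(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count new outbound connection attempts per (PROTO, DST, DPT)."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_block_line(line)
        if f is None or (f.get("PROTO") == "TCP" and not f["SYN"]):
            continue
        counts[(f.get("PROTO", ""), f["DST"], f.get("DPT", ""))] += 1
    return dict(counts)

def unexpected_destinations(summary: Dict[Tuple[str, str, str], int],
                            allowed_cidrs: List[str]) -> List[Tuple[str, str, str]]:
    """Destinations in `summary` that fall outside every allowed network."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return sorted(k for k in summary
                  if not any(ipaddress.ip_address(k[1]) in n for n in nets))

# Constructed sample lines (made-up addresses except the Google one quoted in the report):
# two SYN retries collapse into one destination; ACK = existing flow; last line = inbound.
SAMPLE_LOG = [
    "Nov 25 10:26:25 host kernel: [108880.580219] [UFW BLOCK] IN= OUT=ens3 SRC=192.168.1.10 DST=172.217.21.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23291 DF PROTO=TCP SPT=37454 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov 25 10:26:26 host kernel: [108881.590001] [UFW BLOCK] IN= OUT=ens3 SRC=192.168.1.10 DST=172.217.21.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23292 DF PROTO=TCP SPT=37454 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov 25 10:26:30 host kernel: [108885.000000] [UFW BLOCK] IN= OUT=ens3 SRC=192.168.1.10 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=23300 DF PROTO=TCP SPT=41002 DPT=443 WINDOW=29200 RES=0x00 ACK URGP=0",
    "Nov 25 10:26:31 host kernel: [108886.000000] [UFW BLOCK] IN= OUT=ens3 SRC=192.168.1.10 DST=10.0.0.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23301 DF PROTO=UDP SPT=50000 DPT=53 LEN=40",
    "Nov 25 10:26:32 host kernel: [108887.000000] [UFW BLOCK] IN=ens3 OUT= SRC=198.51.100.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=5555 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    summary = summarize_outbound(SAMPLE_LOG)
    for key in unexpected_destinations(summary, ["10.0.0.0/8", "192.168.0.0/16"]):
        print(key, summary[key])  # ('TCP', '172.217.21.10', '443') 2
```

The remaining destinations are the ones to resolve with `host` or `dig -x` and to map back to the add-on that was active at the time, as the report does for the googleapis host.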
Notes
I have confirmed some of the IP addresses to which outbound requests were made while using these Jira plugins:
- Epic Sum Up - Light
- ICS Issue Calendar Sync for JIRA
- JIRA Timesheet Report and Gadgets Plugin
- JIRA Vote for Comments
- Mobile for JIRA
- Stateoscope
- timereports