[JRASERVER-70606] CSRF in VerifyPopServerConnection!add.jspa - CVE-2019-20099 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium (View bug fix roadmap)
Fix Version/s: 8.7.0, 8.5.4
Affects Version/s: 8.2.4, 7.6.15
Component/s: System Administration - Others
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
7.06
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

Ian Ang added a comment - 25/May/2020 1:49 PM

Hi @Mateusz Marzecki, will this be fixed in Jira 7.13.x?

Ian Ang added a comment - 25/May/2020 1:49 PM Hi @Mateusz Marzecki, will this be fixed in Jira 7.13.x?

Michael Aglas added a comment - 26/Mar/2020 9:38 AM

@kevin.m.lange1086566328 how do you know it is relating to VerifySmtpServerConnection!update.jspa? where you have that info from? What I read from CVE-2019-20099 it is about VerifyPopServerConnection!add.jspa, isn't it?

I guess you refer to a workaround by doing this?
https://confluence.atlassian.com/kb/how-to-block-access-to-a-specific-url-at-tomcat-966668691.html?_ga=2.239264650.884767796.1585122968-216934939.1575541190

Michael Aglas added a comment - 26/Mar/2020 9:38 AM @kevin.m.lange1086566328 how do you know it is relating to VerifySmtpServerConnection!update.jspa? where you have that info from? What I read from CVE-2019-20099 it is about VerifyPopServerConnection!add.jspa, isn't it? I guess you refer to a workaround by doing this? https://confluence.atlassian.com/kb/how-to-block-access-to-a-specific-url-at-tomcat-966668691.html?_ga=2.239264650.884767796.1585122968-216934939.1575541190

Zan Bassi added a comment - 25/Mar/2020 1:15 PM

Hello,

Is there a patch fix for people who are unable to update large production environments immediately?

Zan Bassi added a comment - 25/Mar/2020 1:15 PM Hello, Is there a patch fix for people who are unable to update large production environments immediately?

Mateusz Marzęcki added a comment - 27/Feb/2020 11:18 AM

Rick,

we would like to deliver the value without sacrificing quality. The upcoming release is in the last - test phase, unfortunately, I am not able to point out specific dates when it will be available.

Thanks,

Mateusz

Jira Server

Mateusz Marzęcki added a comment - 27/Feb/2020 11:18 AM Rick, we would like to deliver the value without sacrificing quality. The upcoming release is in the last - test phase, unfortunately, I am not able to point out specific dates when it will be available. Thanks, Mateusz Jira Server

Rick van Twillert (TMC) added a comment - 27/Feb/2020 9:47 AM

@Mateusz Marzecki, when will Jira 8.5.4 be released?

Rick van Twillert (TMC) added a comment - 27/Feb/2020 9:47 AM @Mateusz Marzecki, when will Jira 8.5.4 be released?

Kevin Lange added a comment - 25/Feb/2020 12:24 PM

The timeline as published by Tenable (https://www.tenable.com/security/research/tra-2020-05) does not instill confidence in Atlassian Product Security nor Enterprise releases. This is a defect from early Q4 2019, and by generous measure looks like the defect was mishandled, and we're heading into Q2 2020 with no bugfix release issued for 8.5.

A workaround should have been published; block access to VerifySmtpServerConnection!update.jspa path until fix is released.

It is also very frustrating how I discover Atlassian defects from NIST/US-CERT rather from their own security announcements (or lack thereof).

Kevin Lange added a comment - 25/Feb/2020 12:24 PM The timeline as published by Tenable ( https://www.tenable.com/security/research/tra-2020-05) does not instill confidence in Atlassian Product Security nor Enterprise releases. This is a defect from early Q4 2019, and by generous measure looks like the defect was mishandled, and we're heading into Q2 2020 with no bugfix release issued for 8.5. A workaround should have been published; block access to VerifySmtpServerConnection!update.jspa path until fix is released. It is also very frustrating how I discover Atlassian defects from NIST/US-CERT rather from their own security announcements (or lack thereof).

Mateusz Marzęcki added a comment - 21/Feb/2020 2:15 PM

Adrian, Stefan, everyone,

Thanks for your feedback, I am glad to announce that the fix has been backported to the 8.5.4 and 8.6.2 and will be available soon.

Thanks,

Mateusz

Jira Server

Mateusz Marzęcki added a comment - 21/Feb/2020 2:15 PM Adrian, Stefan, everyone, Thanks for your feedback, I am glad to announce that the fix has been backported to the 8.5.4 and 8.6.2 and will be available soon. Thanks, Mateusz Jira Server

Deleted Account (Inactive) added a comment - 21/Feb/2020 8:46 AM

Why do we have Enterprise Releases when this problem is not fixed there?

Deleted Account (Inactive) added a comment - 21/Feb/2020 8:46 AM Why do we have Enterprise Releases when this problem is not fixed there?

Security Metrics Bot added a comment - 05/Feb/2020 4:03 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.7 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Security Metrics Bot added a comment - 05/Feb/2020 4:03 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.7 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 10 Start watching this issue

Created:: 05/Feb/2020 4:03 PM

Updated:: 20/Aug/2020 11:59 PM

Resolved:: 05/Feb/2020 4:48 PM

Details

Description

Attachments

Forms

Activity

[JRASERVER-70606] CSRF in VerifyPopServerConnection!add.jspa - CVE-2019-20099

Collapse comment: Ian Ang added a comment - 25/May/2020 1:49 PM

Expand comment: Ian Ang added a comment - 25/May/2020 1:49 PM

Collapse comment: Michael Aglas added a comment - 26/Mar/2020 9:38 AM

Expand comment: Michael Aglas added a comment - 26/Mar/2020 9:38 AM

Collapse comment: Zan Bassi added a comment - 25/Mar/2020 1:15 PM

Expand comment: Zan Bassi added a comment - 25/Mar/2020 1:15 PM

Collapse comment: Mateusz Marzęcki added a comment - 27/Feb/2020 11:18 AM

Expand comment: Mateusz Marzęcki added a comment - 27/Feb/2020 11:18 AM

Collapse comment: Rick van Twillert (TMC) added a comment - 27/Feb/2020 9:47 AM

Expand comment: Rick van Twillert (TMC) added a comment - 27/Feb/2020 9:47 AM

Collapse comment: Kevin Lange added a comment - 25/Feb/2020 12:24 PM

Expand comment: Kevin Lange added a comment - 25/Feb/2020 12:24 PM

Collapse comment: Mateusz Marzęcki added a comment - 21/Feb/2020 2:15 PM

Expand comment: Mateusz Marzęcki added a comment - 21/Feb/2020 2:15 PM

Collapse comment: Deleted Account (Inactive) added a comment - 21/Feb/2020 8:46 AM

Expand comment: Deleted Account (Inactive) added a comment - 21/Feb/2020 8:46 AM

Collapse comment: Security Metrics Bot added a comment - 05/Feb/2020 4:03 PM

Expand comment: Security Metrics Bot added a comment - 05/Feb/2020 4:03 PM

People

Dates