Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 8.12.0, 8.9.2, 8.11.1, 8.10.2
Affects Version/s: 8.10.0, 8.9.1
Component/s: Mobile
Labels:
- l1l2
- lts-blocker
- lts813

Introduced in Version:
8.09
Support reference count:
12
Symptom Severity:
Severity 1 - Critical
UIS:
115
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

The Jira Server mobile app cannot connect to Jira when the bug ~~JRASERVER-71175~~ is mitigated.

~~JRASERVER-71175~~ is mitigated by either being on a version of Jira where the bug is fixed ('Fix Version/s") or by implementing the workaround dark feature, jira.redirect.anonymous.404.errors.enabled

Steps to Reproduce

Install Jira 8.9.1
Configure the correct base URL
Attempt to connect the Jira mobile app to it.

Expected Results

The app connects uneventfully.

Testing the server-info endpoint via curl reveals:

➜ curl --head http://localhost:8854/j854/server-info
HTTP/1.1 404 
X-AREQUESTID: 680x587x1
X-ANODEID: node1
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
mobile-plugin-enabled: true
push-notification-enabled: true
instance-name: Jira
jira-base-url: http://localhost:8854/j854
is-data-center: true
X-ASEN: SEN-500
Set-Cookie: atlassian.xsrf.token=BJLD-I2E2-XZYV-WCHE_4aad390c48c897ed4dc1f0e40ac71645357519ab_lout; Path=/j854
X-AUSERNAME: anonymous
Set-Cookie: JSESSIONID=828ADE16F7C117ADFD54DAB9DCCD37EF; Path=/j854; HttpOnly
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 30 Jun 2020 01:20:18 GMT

Actual Results

A message indicating "Can't connect to your site" is shown on Android and "Can't check compatibility" on iOS

Testing the server-info endpoint via curl reveals:
Example 1: Jira 8.5.4, with dark feature jira.redirect.anonymous.404.errors.enabled

➜ curl --head http://localhost:8854/j854/server-info
curl: (7) Failed to connect to localhost port 8854: Connection refused

Example 2: Jira 8.9.1

➜ curl --head http://localhost:8080/server-info
HTTP/1.1 503
X-AREQUESTID: 405x9x1
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
mobile-plugin-enabled: true
push-notification-enabled: true
instance-name: Jira
jira-base-url: http://localhost:8080
is-data-center: false
new-create-metadata-api: true
X-ASEN: SEN-500
Retry-After: 30
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 30 Jun 2020 06:45:22 GMT
Connection: close

Workaround

The issue is related to a security fix and as a temporary solution this can be disabled by

adding the dark feature flag jira.redirect.anonymous.404.errors.disabled, and,
removing, if present, the dark feature flag jira.redirect.anonymous.404.errors.enabled

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

image-2020-06-24-18-11-30-207.png
202 kB
24/Jun/2020 10:11 AM
image-2020-06-24-18-11-48-487.png
355 kB
24/Jun/2020 10:11 AM

Issue Links

is caused by

JRASERVER-71175 Information disclosure in Login - CVE-2020-4028

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(4 mentioned in)

Activity

People

Assignee:: Unassigned

Reporter:: Rene C. [Atlassian Cloud Support]

Votes:: 6 Vote for this issue

Watchers:: 17 Start watching this issue

Dates

Created:: 24/Jun/2020 10:19 AM

Updated:: 31/Mar/2022 2:32 PM

Resolved:: 18/Aug/2020 1:45 PM