Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-72566

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

XMLWordPrintable

    • Severity 1 - Critical
    • 9.8
    • Critical
    • CVE-2020-36239

      Issue Summary

      Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1][2], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service.

      [0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

      [1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

      [2] The default Ehcache port is 40001 but it can be configured to be on a different port, see Installing JIRA Data Center for more details.

       

      Affected versions:
      The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:

      • From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)
      • From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)
      • From version 8.14.0 before 8.17.0

       

      The versions of Jira Service Management Data Center affected by this vulnerability are:

      • From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
      • From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
      • From version 4.14.0 before 4.17.0

      Fixed Versions

      To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:

      • 8.5.16 that contains a fix for this issue
      • 8.13.8 that contains a fix for this issue
      • 8.17.0 that contains a fix for this issue

       

      Jira Service Management Data Center versions:

      • 4.5.16 that contains a fix for this issue
      • 4.13.8 that contains a fix for this issue
      • 4.17.0 that contains a fix for this issue

       

      These versions can be downloaded at:

      Additional details

      For additional details, see the full advisory: https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html

            [JRASERVER-72566] Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

            Jaakko Sarakoski added a comment -

            Does this also affect non clustered (single node) datacenter installations? Especially server installations that have been upgraded with datacenter license?

            Jaakko Sarakoski added a comment - Does this also affect non clustered (single node) datacenter installations? Especially server installations that have been upgraded with datacenter license?

            David Black added a comment - - edited

            Hi simone.zoli114881584, Yes non-default ports are affected unless you have restricted access to the port to cluster nodes and or have upgraded to a version of Jira Data Center that makes use of a shared secret to secure Ehcache RMI communication. See https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html for more details.

            David Black added a comment - - edited Hi simone.zoli114881584 , Yes non-default ports are affected unless you have restricted access to the port to cluster nodes and or have upgraded to a version of Jira Data Center that makes use of a shared secret to secure Ehcache RMI communication. See https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html for more details.

            Simone Zoli added a comment -

            Hi Team,

            if in the cluster configuration Ehcache port are not 40001 and 40011, but i.e. 50001 and 50011, dc instances are anyway affected?

            thanks

            Simone Zoli added a comment - Hi Team, if in the cluster configuration Ehcache port are not 40001 and 40011, but i.e. 50001 and 50011, dc instances are anyway affected? thanks

            KAGITHALA BABU ANVESH added a comment -

            @Tobias Heinemann,

             

            Thanks for the information,

            Just observed.

             

            KAGITHALA BABU ANVESH added a comment - @Tobias Heinemann,   Thanks for the information, Just observed.  

            Tobias Heinemann added a comment - - edited

            I also wonder if Jira Server (not Data Center) is affected. At least I can't see any open ports 40001 and 40011.

            Edit: After carefully re-reading the Security Advisory I have found the section.

            Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected.

            Tobias Heinemann added a comment - - edited I also wonder if Jira Server (not Data Center) is affected. At least I can't see any open ports 40001 and 40011. Edit: After carefully re-reading the Security Advisory I have found the section. Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected.

            KAGITHALA BABU ANVESH added a comment -

            Hello,

             

            We using Jira server 8.5.8.

            Do we need to upgrade our Jira server to 8.5.16.

            All the documents referred to Data Center only, for the server it's not mentioned.

            Kindly let us know.

             

            Thanks,

            Anvesh

            KAGITHALA BABU ANVESH added a comment - Hello,   We using Jira server 8.5.8. Do we need to upgrade our Jira server to 8.5.16. All the documents referred to Data Center only, for the server it's not mentioned. Kindly let us know.   Thanks, Anvesh

            David Black added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 9.8 => Critical severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required None
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

            David Black added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.8 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

              dblack David Black
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

                Created:
                Updated:
                Resolved: