
Remote code execution in workflow import - CVE-2017-18113

    • 8.3
    • High
    • CVE-2017-18113

      The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator into importing their malicious workflow to execute arbitrary code. This Remote Code Execution (RCE) vulnerability exists because various problematic OSWorkflow classes could be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are built into the OSWorkflow library and other Jira dependencies. Atlassian-made functions and functions provided by 3rd party plugins are not affected by this fix.

      To disable the protection in Jira 8.18.1 and above, administrators can enable the dark feature flag: com.atlassian.jira.security.LegacyJiraTypeResolver.WARN_ONLY.enabled.

      Note

      A workaround for the vulnerability is available in Jira from version 8.5.19 (for 8.5.x) and from 8.13.11 (for 8.13.x).

      To enable protection in Jira 8.5.19+ and 8.13.11+, administrators can enable the dark feature flag:
      com.atlassian.jira.security.LegacyJiraTypeResolver.block.unknown.functions.enabled
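
The version and flag rules above, written out as a triage helper for an instance inventory. This is an added example, not Atlassian's code: how the list of enabled dark features is collected is left to the caller, and releases the advisory does not list are assumed to carry no workaround.

```python
import re

# Flag names copied from the advisory text.
WARN_ONLY = "com.atlassian.jira.security.LegacyJiraTypeResolver.WARN_ONLY.enabled"
BLOCK_UNKNOWN = ("com.atlassian.jira.security.LegacyJiraTypeResolver"
                 ".block.unknown.functions.enabled")

FIXED_IN = (8, 18, 1)  # protection is on by default from here
# Release line -> first version that ships the opt-in workaround.
WORKAROUND_FROM = {(8, 5): (8, 5, 19), (8, 13): (8, 13, 11)}


def parse_version(text):
    """Turn '8.13.11' (or '8.13') into a comparable (major, minor, patch)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def triage(version, dark_features=()):
    """Return (status, action); status is 'protected' or 'exposed'."""
    v, flags = parse_version(version), set(dark_features)
    if v >= FIXED_IN:
        # WARN_ONLY switches the default protection off again.
        if WARN_ONLY in flags:
            return "exposed", f"disable dark feature {WARN_ONLY}"
        return "protected", "fix is active by default"
    first = WORKAROUND_FROM.get(v[:2])
    if first and v >= first:
        if BLOCK_UNKNOWN in flags:
            return "protected", "workaround flag is enabled"
        return "exposed", f"enable dark feature {BLOCK_UNKNOWN}"
    # Assumption: releases the advisory does not list carry no workaround,
    # so the flag is ignored there and only an upgrade helps.
    return "exposed", "upgrade to 8.5.19+, 8.13.11+ or 8.18.1+"


if __name__ == "__main__":
    # Constructed inventory: (version, enabled dark features).
    for ver, feats in [("8.13.10", [BLOCK_UNKNOWN]), ("8.13.11", []),
                       ("8.13.11", [BLOCK_UNKNOWN]), ("8.18.1", [WARN_ONLY]),
                       ("8.19.0", [])]:
        print(ver, *triage(ver, feats), sep=" | ")
```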

            [JRASERVER-72660] Remote code execution in workflow import - CVE-2017-18113

            Manuel added a comment -

            Will I need to remove the workaround during later upgrades to a version where the fix is included?

            Ryan Brailey added a comment -

            cc46c2112a1e For another customer I worked with who also reported this, it was determined that there is still some code present that could be triggering a vulnerability scanner but the actual execution is blocked (so the instance is not vulnerable). I ascertained information that a full fix that removes vulnerable code will be released in 8.18.1 and later versions.

            Emily Lv added a comment -

            Our security scan still reports the vulnerability found.

            msilberman@arlo.com added a comment -

            Emily Lv, do you have more details to support that it is still penetrable when the workaround is deployed?

            Atlassian support, have you engaged a third party to validate the fix and the workaround?

            Are there any test results available to confirm the vulnerability is fixed?

            Emily Lv added a comment -

            The workaround in 8.13.11 is not working.

            msilberman@arlo.com added a comment -

            What issue identifies that the workaround issues were resolved in 8.13.11?

            SURESH CHINNATHAMBI added a comment -

            Hi Pawel,

            If we install the latest Jira version, 8.19.0, is that sufficient to remediate this vulnerability, with no need to add the above 2 dark features? Please confirm.

            sannidhi added a comment -

            Hi Team,

            Could you please confirm which dark feature we need to update for 8.19.0?


            msilberman@arlo.com added a comment -

            Where are the download link and release notes for 8.13.11?

            SURESH CHINNATHAMBI added a comment -

            Hi Pawel, thanks for the confirmation!
