Jira Data Center
JRASERVER-73212

Submitting an issue collector on a non-same origin site results in HTTP 404

      Issue Summary

      XSRF checks were added to the endpoint /rest/collectors/1.0/template/custom as part of the fix for JRASERVER-73068.

      When the form page is served from the same origin as the form submission, the server receives a same-origin request, the XSRF HTTP header matches, and the check passes as expected.

      However, for the XSRF check to succeed the form token and the cookie token sent to the server must match. The problem occurs because modern web browsers (Chrome 80 and later) do not accept the atlassian.xsrf.token cookie initially sent by the server in an iframe: it is treated as cross-site and therefore rejected, because the cookie does not have the SameSite=None attribute set (see JRASERVER-70494).

      Steps to Reproduce

      1. Create a Jira 8.20.3 instance, a sample SCRUM project, and an issue collector (custom type)
      2. Insert the sample code into an HTML page on the same site (for local testing, JIRA_INSTALL/atlassian-jira/static-assets/test.html is fine)
      3. Load the page (e.g. http://JUPITER/static-assets/test.html) and submit an issue with the collector. Note that the POST to /rest/collectors/1.0/template/custom succeeds
      4. Insert the sample code into an HTML page on your local machine (differing origin), and load it in your browser

      Expected Results

      The issue submission succeeds

      Actual Results

      • The POST to /rest/collectors/1.0/template/custom is rejected with HTTP 404 and body "XSRF check failed"
      • An error is presented to the client:

        Oops - something went wrong...
        There was a problem submitting your feedback, likely due to the configuration of this form. You might want to contact the site owner to let them know about this issue

      When enabling Jira Admin -> System -> Logging and Profiling -> HTTP Access log (ON) -> HTTP Dump Log (ON), the request from the client can be observed in JIRA_HOME/log/atlassian-jira-http-dump.log. Observe that the client does not send the XSRF token in the cookie, as the browser rejected storing it.

      Workaround

      The following workaround disables XSRF checks for the issue collector, which was the behaviour prior to JRASERVER-73068. This may be tolerable for you, but it is worth confirming within your organisation.

      Modify the reverse proxy / load balancer / WAF to add the following header to the request as it makes its way to the Jira node:

      • Condition: Method: POST
      • Condition: Request URL: /rest/collectors/1.0/template/custom/*
      • Action: Add header: X-Atlassian-Token: no-check

      Note on fix

      We've added the SameSite=None attribute to the XSRF token cookie; it is on by default.
      Please note: the fix works only if the connection is secure, i.e. the issue collector must access Jira over HTTPS. If it does not, the collector works properly only on Firefox.
      Unfortunately we can't drop this restriction, because that is how cookies are handled on Chrome, Opera etc.: they do not allow setting the SameSite=None attribute on a cookie if the connection is not secure.

      Note that the reverse proxy needs to allow the SameSite cookie (SameSite="none") and the secure="true" attribute needs to be present in the Tomcat connector (server.xml). This is required so that the HTTP response sets the cookie attributes correctly.


            Ge Bai added a comment -

            Still broken in v9.12.6

            Andriy Yakovlev [Atlassian] added a comment -

            Hey 76501d8a32d5

            We don't see a lot of new requests since the problem was fixed, so I guess there is a new, different problem in your case.
            Can you please open a support request so our team can work on this problem together with you?

            Thank you.

            Regards,
            Andriy | SET

            Jiraconfluence added a comment -

            @Andriy Yakovlev [Atlassian]

            @Greg Rowinski

            Hello, do you have any news? The issue is still not fixed and not reopened.

            krhodes12 added a comment -

            Applied the workaround to our load balancer and now 8.20.11 is working again.

            krhodes12 added a comment -

            Issue collector no longer works after upgrading to 8.20.11.

            Arleena Faith added a comment -

            We just upgraded to 8.22.6 but the issue still persists.

            Pete Singleton added a comment -

            Hi all, this was eventually resolved for us by making a change on the proxy server, to allow the SameSite cookie. This in addition to upgrading was the fix.

            Paul DeSousa added a comment - edited

            I actually would like to know what the fix is, as my current LTR version 8.20.10 has this issue.

            Ian Applebaum added a comment - edited

            Is this issue really resolved? Is there an area where I can allow certain trusted domains to submit issues via collectors? Both sites are https and I get the same result. My Jira Server is behind an nginx reverse proxy. I'm on Jira 8.22.4, which is listed as fixed.

            Update: I guess I didn't wait long enough because it suddenly started working again.

            Greg Rowinski (Inactive) added a comment - edited

            If you still face the symptoms in fix versions, please make sure to

            • use HTTPS
            • if you use Easy SSO, try disabling it (we've seen Easy SSO 4.6.7 causing issue collector trouble at Jira 8.22.4)
            • have not disabled the `com.atlassian.jira.use.same.site.none.for.xsrf.token.cookie` dark feature flag (it's enabled by default, but can be disabled by an admin - https://confluence.atlassian.com/jirakb/enable-dark-feature-in-jira-959286331.html)
            • check the load balancer or proxy config, so that it does not affect the `atlassian.xsrf.token` cookie. You can test if this is the root cause by bypassing the proxy

            The cookie header received by your browser from Jira should read
            Set-Cookie: atlassian.xsrf.token=<cryptic-string-here>; Path=/; Secure; SameSite=None
            (one can use the browser's dev tools to peek at cookie headers)
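A small diagnostic for the cookie check described in the comment above and in the "Note on fix": it parses Set-Cookie headers and reports whether a Chrome 80+ browser would store the atlassian.xsrf.token cookie and send it with the cross-site POST an embedded issue collector makes. This is an added example, not Atlassian code; the sample headers and token values are constructed placeholders.

```python
"""Added example (not Atlassian code): check whether the atlassian.xsrf.token cookie
survives a cross-site issue-collector POST under Chrome 80+ rules. Sample Set-Cookie
headers below are constructed; token values are placeholders, not real tokens."""

XSRF_COOKIE = "atlassian.xsrf.token"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_xsrf_cookie(set_cookie_headers, https=True):
    """Return (cross_site_ok, reason) for the XSRF cookie in a list of Set-Cookie values.

    cross_site_ok is True only if Chrome 80+ would store the cookie and send it with
    the cross-site POST to /rest/collectors/1.0/template/custom made by an embedded
    issue collector; https says whether the page reached Jira over HTTPS."""
    for header_value in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header_value)
        if name != XSRF_COOKIE:
            continue
        samesite = attrs.get("samesite", "").lower()
        if samesite != "none":
            # A missing SameSite defaults to Lax: the cookie is rejected for the
            # cross-site POST, so the request arrives without it (the pre-fix failure).
            return False, f"SameSite is {samesite or 'absent'}; cross-site POST needs SameSite=None"
        if "secure" not in attrs or not https:
            # SameSite=None is honoured only together with Secure, over HTTPS.
            return False, "SameSite=None requires the Secure attribute and an HTTPS connection"
        return True, "ok"
    return False, f"{XSRF_COOKIE} cookie not set"


# Constructed sample responses: pre-fix Jira, fixed Jira, and a proxy that dropped Secure.
PRE_FIX_HEADERS = ["JSESSIONID=PLACEHOLDER; Path=/; HttpOnly",
                   "atlassian.xsrf.token=PLACEHOLDER-TOKEN; Path=/"]
FIXED_HEADERS = ["atlassian.xsrf.token=PLACEHOLDER-TOKEN; Path=/; Secure; SameSite=None"]
PROXY_STRIPPED = ["atlassian.xsrf.token=PLACEHOLDER-TOKEN; Path=/; SameSite=None"]

if __name__ == "__main__":
    for label, headers in [("pre-fix", PRE_FIX_HEADERS), ("fixed", FIXED_HEADERS),
                           ("proxy stripped Secure", PROXY_STRIPPED)]:
        print(label, check_xsrf_cookie(headers))
```

Feed it the Set-Cookie values copied from the browser's dev tools (with and without the proxy in the path) to tell a missing SameSite=None from a proxy that strips Secure.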
