Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Answered
Priority: Highest
Fix Version/s: None
Affects Version/s: 8.13.22, 8.20.10, 8.20.11, 9.4.2
Component/s: Navigation - Search
Labels:
- raid

Introduced in Version:
8.13
Support reference count:
32
Symptom Severity:
Severity 1 - Critical
UIS:
543
Bug Fix Policy:
View Atlassian Server bug fix policy
Current Status:

Hide

We've investigated the issue and discovered a network/firewall block at the endpoint, likely due to an old vulnerability that was previously patched -> https://jira.atlassian.com/browse/JRASERVER-71536

We suspect that network firewall providers are still flagging this endpoint within their threat profiles. We’re contacting major firewall providers to have this resolved permanently as there is nothing in Jira to mitigate this. If you’re affected by the issue, please check with your network infrastructure team to ensure the network solution isn't blocking requests to the endpoint.

https://<base_url>/secure/QueryComponent!Default.jspa

If it is, please request that the related rule be modified or disabled in the network/firewall solution. We apologize for any inconvenience this may have caused.

Show
We've investigated the issue and discovered a network/firewall block at the endpoint, likely due to an old vulnerability that was previously patched -> https://jira.atlassian.com/browse/JRASERVER-71536 We suspect that network firewall providers are still flagging this endpoint within their threat profiles. We’re contacting major firewall providers to have this resolved permanently as there is nothing in Jira to mitigate this. If you’re affected by the issue, please check with your network infrastructure team to ensure the network solution isn't blocking requests to the endpoint. https://<base_url>/secure/QueryComponent!Default.jspa If it is, please request that the related rule be modified or disabled in the network/firewall solution. We apologize for any inconvenience this may have caused.

Description

Issue Summary

This is reproducible on Data Center: yes

Steps to Reproduce

Use Linux OS.
Jira Software DC version 8.20.10 or 9.4.2
Set up the Jira server as the proxy but no SSL in the server.xml
Upgrade Linux components.
Navigate to the Basic Search screen and attempt to select a Project from the drop-down list.

Expected Results

You are able to select the Project.

Actual Results

The below error is observed in the webpage:

The Jira server could not be contacted. This might be a temporary glitch or the server could be down.

In the Developer Tools, we see the following error:

POST https://<base_url>/secure/QueryComponent!Default.jspa net::ERR_EMPTY_RESPONSE

There is no status code, and the timing is Blocked.

Workaround

Use the Advanced Search instead as this search is not broken.
Enabling the Proxy bypass allows the component to work correctly.
Check with network/infrastructure team to confirm if a network security solution is blocking requests into QueryComponent!Default.jspa and modify/disable the related rule so they are no longer blocked.

If using Palo Alto networks, please check if they have been updates with a threat profile for CVE-2020-14179 released on 2023-01-23. If so, disable this policy.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

image-2023-02-03-18-42-28-632.png
115 kB
03/Feb/2023 1:12 PM

Issue Links

relates to

JRASERVER-71536 Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint - CVE-2020-14179

Gathering Impact

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(22 mentioned in)

Activity

People

Assignee:: Jakub Cegiel

Reporter:: Sarah A

Votes:: 23 Vote for this issue

Watchers:: 32 Start watching this issue

Dates

Created:: 31/Jan/2023 5:30 PM

Updated:: 05/Jul/2023 2:37 PM

Resolved:: 02/Mar/2023 11:09 AM