
XXE (XML External Entity Injection) in Jira Service Management Data Center and Server - CVE-2019-13990

    • Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: Highest
    • Fix versions: 5.7.2, 5.8.2, 5.9.2, 5.10.1, 5.4.10, 4.20.26
    • Affected versions: 4.20.0 and 46 more: 4.21.0, 4.20.1, 4.20.2, 4.20.3, 4.21.1, 4.20.4, 4.20.5, 4.20.6, 4.21.2, 4.20.7, 4.20.8, 4.20.9, 4.20.10, 4.20.11, 4.20.12, 4.20.13, 4.20.14, 5.4.0, 4.20.15, 5.4.1, 4.20.16, 5.5.1, 4.20.17, 5.4.2, 5.6.0, 5.4.3, 4.20.18, 5.7.0, 4.20.19, 5.4.4, 5.8.0, 4.20.20, 5.7.1, 4.20.21, 5.4.5, 4.20.22, 5.4.6, 5.8.1, 5.9.0, 4.20.23, 5.4.7, 4.20.24, 5.4.8, 5.10.0, 4.20.25, 5.4.9
    • Components: None
    • CVSS score: 9.8
    • Severity: Critical
    • CVE ID: CVE-2019-13990
    • Source: Atlassian (Internal)
    • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Vulnerability type: XXE (XML External Entity Injection)
    • Affected products: Jira Service Management Data Center, Jira Service Management Server

      Summary of Vulnerability

      Certain versions of Jira Service Management Server and Data Center were affected by CVE-2019-13990. The affected versions contained vulnerable versions of the Terracotta Quartz Scheduler, which allowed authenticated attackers to initiate an XML External Entity injection attack using job descriptions.

      Atlassian has committed to issuing critical advisories based on the NVD vulnerability score. In this case the CVSS score for this third-party CVE is critical (9.8), but that score does not always account for the context in which a vulnerable component is used in our software. Unauthenticated attackers without local access to the system are unable to exploit this vulnerability; as such, our internal assessment scores this vulnerability as high severity.

      This critical severity XXE (XML External Entity Injection) vulnerability, known as CVE-2019-13990, affects versions 4.20.0 and later of Jira Service Management Data Center and Server. Versions outside of the support window (i.e. versions that have reached End of Life) may also be affected, so Atlassian recommends that you upgrade to a fixed LTS version or later.

      Affected Versions

      Product Affected Versions
      Jira Service Management Data Center
      Jira Service Management Server
      • 4.20.0
      • 4.20.1
      • 4.20.2
      • 4.20.3
      • 4.20.4
      • 4.20.5
      • 4.20.6
      • 4.20.7
      • 4.20.8
      • 4.20.9
      • 4.20.10
      • 4.20.11
      • 4.20.12
      • 4.20.13
      • 4.20.14
      • 4.20.15
      • 4.20.16
      • 4.20.17
      • 4.20.18
      • 4.20.19
      • 4.20.20
      • 4.20.21
      • 4.20.22
      • 4.20.23
      • 4.20.24
      • 4.20.25
      • 4.21.0
      • 4.21.1
      • 4.22.0
      • 4.22.1
      • 4.22.2
      • 4.22.3
      • 4.22.4
      • 4.22.6
      • 5.0.0
      • 5.1.0
      • 5.1.1
      • 5.2.0
      • 5.2.1
      • 5.3.0
      • 5.3.1
      • 5.3.2
      • 5.3.3
      • 5.4.0
      • 5.4.1
      • 5.4.2
      • 5.4.3
      • 5.4.4
      • 5.4.5
      • 5.4.6
      • 5.4.7
      • 5.4.8
      • 5.4.9
      • 5.5.1
      • 5.6.0
      • 5.7.0
      • 5.7.1
      • 5.8.0
      • 5.8.1
      • 5.9.0
      • 5.10.0

      Fixed Versions

      Product Fixed Versions
      Jira Service Management Data Center
      Jira Service Management Server
      • 4.20.26 or later
      • 5.4.10 or later
      • 5.7.2 or later
      • 5.8.2 or later
      • 5.9.2 or later
      • 5.10.1 or later
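      The affected and fixed ranges above turned into a version check, as an added example that is not Atlassian's code: the version data is transcribed from the two tables in this ticket, and unfixed release lines (4.21, 4.22, 5.0 to 5.3, 5.5, 5.6) are treated as affected until a fixed release at or above them, following the "or later" wording of the Fixed Versions table.

```python
# Added example (not Atlassian code): check an installed Jira Service Management
# version against the ranges published in this ticket for CVE-2019-13990.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (4, 20, 0)
# Fixed releases from the advisory; each applies to its own major.minor line
# ("x.y.z or later"), and the highest one also covers newer lines.
FIXED: Tuple[Version, ...] = (
    (4, 20, 26), (5, 4, 10), (5, 7, 2), (5, 8, 2), (5, 9, 2), (5, 10, 1),
)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; a missing patch component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def fix_for_line(v: Version) -> Optional[Version]:
    """Fixed release on the same major.minor line, if the advisory lists one."""
    for fx in FIXED:
        if fx[:2] == v[:2]:
            return fx
    return None


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_target) for an installed JSM version string."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        # The ticket covers 4.20.0 and later; older EOL releases may also be
        # affected, so report them as out of scope rather than as safe.
        return "out_of_scope", None
    line_fix = fix_for_line(v)
    if line_fix is not None and v >= line_fix:
        return "fixed", None
    if line_fix is None and v > max(FIXED):
        return "fixed", None  # "5.10.1 or later" covers newer release lines
    # Affected: recommend the lowest fixed release at or above the current one
    # (same line where one exists, otherwise the next fixed line up).
    target = min(fx for fx in FIXED if fx >= v)
    return "affected", ".".join(map(str, target))
```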

      What You Need to Do

      Atlassian recommends that you upgrade your instance to one of the versions listed in the “Fixed Versions” table of this ticket. For full descriptions of the above versions of Jira Service Management Data Center and Server, see the release notes. You can download the latest version of Jira Service Management Data Center and Server from the download center.

      Mitigation

      If you are unable to upgrade to a fixed version immediately, you can temporarily remediate this vulnerability by disabling Assets on your Jira Service Management instance, following these instructions: https://confluence.atlassian.com/x/hHLSQ. This has the consequence of disabling Assets functionality.

      For additional details, please see full advisory here: https://confluence.atlassian.com/pages/viewpage.action?pageId=1295385959

      Acknowledgments

      This vulnerability was discovered and reported via our Atlassian (Internal) program.


            Dave Liao added a comment - - edited

            Someone just updated this ticket description to include the versions I was asking about, so editing this question/comment into digital oblivion.


            Daniel R added a comment -

            7343b66e-5000-46b2-be9b-3d113d76714b Those are affected versions. Our bug fix policy for critical vulnerabilities commits us to issue new bug fix releases for:

            • Any versions designated a 'Long Term Support release' that have not reached end of life.
            • All feature versions released within 6 months of the date the fix is released.


            Leonardo Souto added a comment - - edited

            35b873844d74 It's not recommended. Atlassian always recommends that both JSM and Jira Software be at the exact same versions, as outlined in the Jira applications compatibility matrix.


            Leonardo Souto added a comment -

            474de73817b2 Insight plugin is the same as Assets. Atlassian has recently changed the name in newer versions, that's just it, so you should consider both the exact same plugin, and proceed with the mitigation steps outlined in the ticket.

            Olli Suokas added a comment -

            Seems like the list of affected versions is different here https://confluence.atlassian.com/security/cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html vs on this request https://jira.atlassian.com/browse/JSDSERVER-14401. So which list is accurate and up-to-date?

            Ponton Admin added a comment -

            The instructions for the mitigation seem unclear. We are on Server 9.4.8 and JSM 5.4.8 but we don't see an Insight Plugin. We see a Plugin "Assets" in version 10.x.x. The plugin has the same key as the plugin mentioned in the mitigation steps. What to do?

            Gail Marik added a comment -

            We are currently running JSW 9.4.9 and JSM 5.4.9.  I'm assuming we can just upgrade JSM to 5.4.10 and leave JSW at 9.49, correct?


            Dave Liao added a comment - - edited

            Are versions not listed affected by this vulnerability?

            I see versions like 4.21 and 4.22 aren't (yet) listed under Affected Versions.


              Assignee: Unassigned
              Reporter: Security Metrics Bot