• Type: Public Security Vulnerability
• Resolution: Done
• Priority: High
• Fix Version/s: 4.20.30, 5.4.15, 5.12.2
• Affects Version/s: 4.20.0, 5.4.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0
• Component/s: None
• Labels:

  • advisory
  • advisory-to-release
  • dont-import
  • security

[JSDSERVER-14958] SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server

Collapse comment: psytester added a comment - 19/Jan/2024 9:46 PM, Edited by psytester - 30/Jan/2024 9:53 PM

psytester added a comment - 19/Jan/2024 9:46 PM - edited

I downloaded Jira Server Software 9.4.11 and latest 9.4.15 from https://www.atlassian.com/de/software/jira/download-archives
and both having the vulnerability.
Here is my PoC how to exploit it @  https://psytester.github.io/Jira_SSRF_at_Batik_CVEs_PoC/

There is more confusion than solution about which version and product is fixed or not.
Your Security Bulletin is stating @ https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html

Jira Data Center and Server

Patch to a minimum fix version of 9.4.13, 9.7.0 or latest

For 9.4 LTS: 9.4.13 as fixed version is not true nor 9.4.15

find /opt/atlassian -name "*batik*.jar*"

/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-constants-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-anim-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-gvt-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-bridge-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-util-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-svg-dom-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-parser-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-xml-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-codec-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-shared-resources-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-ext-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-i18n-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-dom-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-css-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-transcoder-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-awt-util-1.14.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-script-1.14.jar

Expand comment: psytester added a comment - 19/Jan/2024 9:46 PM, Edited by psytester - 30/Jan/2024 9:53 PM

psytester added a comment - 19/Jan/2024 9:46 PM - edited I downloaded Jira Server Software 9.4.11 and latest 9.4.15 from https://www.atlassian.com/de/software/jira/download-archives and both having the vulnerability. Here is my PoC how to exploit it @  https://psytester.github.io/Jira_SSRF_at_Batik_CVEs_PoC/ There is more confusion than solution about which version and product is fixed or not. Your Security Bulletin is stating @ https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html Jira Data Center and Server Patch to a minimum fix version of 9.4.13, 9.7.0 or latest For 9.4 LTS: 9.4.13 as fixed version is not true nor 9.4.15 find /opt/atlassian -name "*batik*.jar*" /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-constants-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-anim-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-gvt-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-bridge-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-util-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-svg-dom-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-parser-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-xml-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-codec-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-shared-resources-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-ext-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-i18n-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-dom-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-css-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-transcoder-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-awt-util-1.14.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/batik-script-1.14.jar

Collapse comment: fauzy.pamungkas added a comment - 17/Jan/2024 8:42 AM

fauzy.pamungkas added a comment - 17/Jan/2024 8:42 AM

is 5.7.2 impacted?

Expand comment: fauzy.pamungkas added a comment - 17/Jan/2024 8:42 AM

fauzy.pamungkas added a comment - 17/Jan/2024 8:42 AM is 5.7.2 impacted?

Collapse comment: Belinda Baker added a comment - 17/Jan/2024 5:04 AM

Belinda Baker added a comment - 17/Jan/2024 5:04 AM

Just confirming this does not impact Jira Software at all?

Expand comment: Belinda Baker added a comment - 17/Jan/2024 5:04 AM

Belinda Baker added a comment - 17/Jan/2024 5:04 AM Just confirming this does not impact Jira Software at all?

alex.carreras made changes - 16/Jan/2024 9:11 AM

Comment

[ 4.22.6 is affected or only 4.20.0? ]

Paul Theriault made changes - 16/Jan/2024 6:20 AM

Resolution		New: Done [ 17 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

Paul Theriault made changes - 16/Jan/2024 6:19 AM

Security

Original: Atlassian Staff [ 10750 ]

Zachary Echouafni made changes - 11/Jan/2024 4:05 PM

Summary

Original: org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server

New: SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server

Zachary Echouafni made changes - 11/Jan/2024 4:05 PM

Vulnerability Classes

Original: Patch Management [ 18158 ]

New: SSRF (Server-Side Request Forgery) [ 18153 ]

Yann made changes - 11/Jan/2024 2:18 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 854456 ]

Guillermo Jimenez made changes - 09/Jan/2024 8:38 PM

Description

Original: This High severity Third-Party Dependency vulnerability was introduced in versions 4.20.0, 5.4.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, and 5.12.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.1 and a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, no impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Jira Service Management Data Center and Server 4.20: Upgrade to a release greater than or equal to 4.20.30 * Jira Service Management Data Center and Server 5.4: Upgrade to a release greater than or equal to 5.4.15 * Jira Service Management Data Center and Server 5.12: Upgrade to a release greater than or equal to 5.12.2 See the release notes (https://confluence.atlassian.com/servicemanagement/jira-service-management-release-notes-780083086.html). You can download the latest version of Jira Service Management Data Center and Server from the download center (https://www.atlassian.com/software/jira/service-management/download-archives). The National Vulnerability Database provides the following description for this vulnerability: Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

New: This High severity org.apache.xmlgraphics:batik-bridge Dependency vulnerability was introduced in versions 4.20.0, 5.4.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, and 5.12.0 of Jira Service Management Data Center and Server. This org.apache.xmlgraphics:batik-bridge Dependency vulnerability, with a CVSS Score of 7.1 and a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, no impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Jira Service Management Data Center and Server 4.20: Upgrade to a release greater than or equal to 4.20.30 * Jira Service Management Data Center and Server 5.4: Upgrade to a release greater than or equal to 5.4.15 * Jira Service Management Data Center and Server 5.12: Upgrade to a release greater than or equal to 5.12.2 See the release notes (https://confluence.atlassian.com/servicemanagement/jira-service-management-release-notes-780083086.html). You can download the latest version of Jira Service Management Data Center and Server from the download center (https://www.atlassian.com/software/jira/service-management/download-archives). The National Vulnerability Database provides the following description for this vulnerability: Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

Load more older events