• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Low
• Fix Version/s: 4.17.0, 4.5.16, 4.13.8
• Affects Version/s: 4.8.0, 2.0.2, 4.6.0, 4.7.0, 4.9.0, 4.10.0, 4.11.0, 4.12.0, 4.14.0, 4.15.0, 4.13.0, 4.16.0
• Component/s: None
• Labels:

  • advisory
  • advisory-to-release
  • dont-import
  • security

[JSDSERVER-8454] Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

Nishchala Tangirala (Inactive) made changes - 21/Jul/2021 4:45 PM

Security

Original: Atlassian Staff [ 10750 ]

David Black made changes - 21/Jul/2021 11:30 AM

Description

Original: h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1][2], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated. *[2]* The default Ehcache port is 40001 but it can be configured to be on a different port, see Installing JIRA Data Center for more details.   *Affected versions:*  The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:  * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)  * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)  * From version 8.14.0 before 8.17.0   The versions of Jira Service Management Data Center affected by this vulnerability are:  * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)  * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)  * From version 4.14.0 before 4.17.0 h3. Fixed Versions To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:  * 8.5.16 that contains a fix for this issue  * 8.13.8 that contains a fix for this issue  * 8.17.0 that contains a fix for this issue   Jira Service Management Data Center versions:  * 4.5.16 that contains a fix for this issue  * 4.13.8 that contains a fix for this issue  * 4.17.0 that contains a fix for this issue   These versions can be downloaded at:  * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]  * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]  * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update] h3. Additional details For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]

New: h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1][2], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated. *[2]* The default Ehcache port is 40001 but it can be configured to be on a different port, see [Installing JIRA Data Center|https://confluence.atlassian.com/adminjiraserver/installing-jira-data-center-938846870.html#InstallingJiraDataCenter-parametersCluster.propertiesfileparameters] for more details.   *Affected versions:*  The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:  * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)  * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)  * From version 8.14.0 before 8.17.0   The versions of Jira Service Management Data Center affected by this vulnerability are:  * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)  * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)  * From version 4.14.0 before 4.17.0 h3. Fixed Versions To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:  * 8.5.16 that contains a fix for this issue  * 8.13.8 that contains a fix for this issue  * 8.17.0 that contains a fix for this issue   Jira Service Management Data Center versions:  * 4.5.16 that contains a fix for this issue  * 4.13.8 that contains a fix for this issue  * 4.17.0 that contains a fix for this issue   These versions can be downloaded at:  * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]  * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]  * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update] h3. Additional details For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]

David Black made changes - 21/Jul/2021 11:30 AM

Description

Original: h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.   *Affected versions:*  The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:  * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)  * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)  * From version 8.14.0 before 8.17.0   The versions of Jira Service Management Data Center affected by this vulnerability are:  * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)  * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)  * From version 4.14.0 before 4.17.0 h3. Fixed Versions To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:  * 8.5.16 that contains a fix for this issue  * 8.13.8 that contains a fix for this issue  * 8.17.0 that contains a fix for this issue   Jira Service Management Data Center versions:  * 4.5.16 that contains a fix for this issue  * 4.13.8 that contains a fix for this issue  * 4.17.0 that contains a fix for this issue   These versions can be downloaded at:  * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]  * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]  * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update] h3. Additional details For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]

New: h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1][2], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated. *[2]* The default Ehcache port is 40001 but it can be configured to be on a different port, see Installing JIRA Data Center for more details.   *Affected versions:*  The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:  * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)  * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)  * From version 8.14.0 before 8.17.0   The versions of Jira Service Management Data Center affected by this vulnerability are:  * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)  * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)  * From version 4.14.0 before 4.17.0 h3. Fixed Versions To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:  * 8.5.16 that contains a fix for this issue  * 8.13.8 that contains a fix for this issue  * 8.17.0 that contains a fix for this issue   Jira Service Management Data Center versions:  * 4.5.16 that contains a fix for this issue  * 4.13.8 that contains a fix for this issue  * 4.17.0 that contains a fix for this issue   These versions can be downloaded at:  * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]  * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]  * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update] h3. Additional details For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]

David Black made changes - 15/Jul/2021 5:10 AM

CVE ID

New: CVE-2020-36239

David Black made changes - 15/Jul/2021 4:22 AM

Symptom Severity

New: Severity 1 - Critical [ 15830 ]

David Black made changes - 15/Jul/2021 3:11 AM

Summary

Original: Jira Data Center & Jira Service Management Data Center - Ehcache Rhino RMI Deserialization RCE - CVE-2020-36239

New: Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

David Black made changes - 15/Jul/2021 3:08 AM

Summary

Original: Jira Data Center & Jira Service Management Data Center - Ehcache Rhino RMI Deserialization RCE- CVE-2020-36239

New: Jira Data Center & Jira Service Management Data Center - Ehcache Rhino RMI Deserialization RCE - CVE-2020-36239

David Black made changes - 14/Jul/2021 5:49 AM

Description

Original: h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011*[0][1]*, could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.   *Affected versions:*  The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:  * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)  * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)  * From version 8.14.0 before 8.17.0   The versions of Jira Service Management Data Center affected by this vulnerability are:  * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)  * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)  * From version 4.14.0 before 4.17.0 h3. Fixed Versions To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:  * 8.5.16 that contains a fix for this issue  * 8.13.8 that contains a fix for this issue  * 8.17.0 that contains a fix for this issue   Jira Service Management Data Center versions:  * 4.5.16 that contains a fix for this issue  * 4.13.8 that contains a fix for this issue  * 4.17.0 that contains a fix for this issue   These versions can be downloaded at:  * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]  * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]  * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update] h3. Additional details For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]

New: h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.   *Affected versions:*  The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:  * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)  * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)  * From version 8.14.0 before 8.17.0   The versions of Jira Service Management Data Center affected by this vulnerability are:  * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)  * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)  * From version 4.14.0 before 4.17.0 h3. Fixed Versions To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:  * 8.5.16 that contains a fix for this issue  * 8.13.8 that contains a fix for this issue  * 8.17.0 that contains a fix for this issue   Jira Service Management Data Center versions:  * 4.5.16 that contains a fix for this issue  * 4.13.8 that contains a fix for this issue  * 4.17.0 that contains a fix for this issue   These versions can be downloaded at:  * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]  * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]  * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update] h3. Additional details For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]

Collapse comment: David Black added a comment - 14/Jul/2021 5:47 AM

David Black added a comment - 14/Jul/2021 5:47 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 9.8 => Critical severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Expand comment: David Black added a comment - 14/Jul/2021 5:47 AM

David Black added a comment - 14/Jul/2021 5:47 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.8 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

David Black made changes - 14/Jul/2021 5:47 AM

Description

Original: This vulnerability affects certain versions of Atlassian Jira Service Management Server. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.

New: h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011*[0][1]*, could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.   *Affected versions:*  The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:  * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)  * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)  * From version 8.14.0 before 8.17.0   The versions of Jira Service Management Data Center affected by this vulnerability are:  * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)  * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)  * From version 4.14.0 before 4.17.0 h3. Fixed Versions To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:  * 8.5.16 that contains a fix for this issue  * 8.13.8 that contains a fix for this issue  * 8.17.0 that contains a fix for this issue   Jira Service Management Data Center versions:  * 4.5.16 that contains a fix for this issue  * 4.13.8 that contains a fix for this issue  * 4.17.0 that contains a fix for this issue   These versions can be downloaded at:  * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]  * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]  * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update] h3. Additional details For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]

Load more older events