Uploaded image for project: 'Jira Service Management Data Center'
  1. Jira Service Management Data Center
  2. JSDSERVER-8454

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

    • Severity 1 - Critical
    • 9.8
    • Critical
    • CVE-2020-36239

      Issue Summary

      Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1][2], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service.

      [0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

      [1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

      [2] The default Ehcache port is 40001 but it can be configured to be on a different port, see Installing JIRA Data Center for more details.

       

      Affected versions:
      The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:

      • From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)
      • From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)
      • From version 8.14.0 before 8.17.0

       

      The versions of Jira Service Management Data Center affected by this vulnerability are:

      • From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
      • From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
      • From version 4.14.0 before 4.17.0

      Fixed Versions

      To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:

      • 8.5.16 that contains a fix for this issue
      • 8.13.8 that contains a fix for this issue
      • 8.17.0 that contains a fix for this issue

       

      Jira Service Management Data Center versions:

      • 4.5.16 that contains a fix for this issue
      • 4.13.8 that contains a fix for this issue
      • 4.17.0 that contains a fix for this issue

       

      These versions can be downloaded at:

      Additional details

      For additional details, see the full advisory: https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html

            [JSDSERVER-8454] Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

            Nishchala Tangirala (Inactive) made changes -
            Security Original: Atlassian Staff [ 10750 ]
            David Black made changes -
            Description Original: h3. Issue Summary

            Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1][2], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service.

            *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

            *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

            *[2]* The default Ehcache port is 40001 but it can be configured to be on a different port, see Installing JIRA Data Center for more details.

             

            *Affected versions:*
             The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:
             * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)
             * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)
             * From version 8.14.0 before 8.17.0

             

            The versions of Jira Service Management Data Center affected by this vulnerability are:
             * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
             * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
             * From version 4.14.0 before 4.17.0

            h3. Fixed Versions

            To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:
             * 8.5.16 that contains a fix for this issue
             * 8.13.8 that contains a fix for this issue
             * 8.17.0 that contains a fix for this issue

             

            Jira Service Management Data Center versions:
             * 4.5.16 that contains a fix for this issue
             * 4.13.8 that contains a fix for this issue
             * 4.17.0 that contains a fix for this issue

             

            These versions can be downloaded at:
             * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]
             * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]
             * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update]

            h3. Additional details

            For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]
            New: h3. Issue Summary

            Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1][2], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service.

            *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

            *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

            *[2]* The default Ehcache port is 40001 but it can be configured to be on a different port, see [Installing JIRA Data Center|https://confluence.atlassian.com/adminjiraserver/installing-jira-data-center-938846870.html#InstallingJiraDataCenter-parametersCluster.propertiesfileparameters] for more details.

             

            *Affected versions:*
             The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:
             * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)
             * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)
             * From version 8.14.0 before 8.17.0

             

            The versions of Jira Service Management Data Center affected by this vulnerability are:
             * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
             * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
             * From version 4.14.0 before 4.17.0

            h3. Fixed Versions

            To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:
             * 8.5.16 that contains a fix for this issue
             * 8.13.8 that contains a fix for this issue
             * 8.17.0 that contains a fix for this issue

             

            Jira Service Management Data Center versions:
             * 4.5.16 that contains a fix for this issue
             * 4.13.8 that contains a fix for this issue
             * 4.17.0 that contains a fix for this issue

             

            These versions can be downloaded at:
             * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]
             * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]
             * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update]

            h3. Additional details

            For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]
            David Black made changes -
            Description Original: h3. Issue Summary

            Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service.

            *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

            *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

             

            *Affected versions:*
             The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:
             * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)

             * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)

             * From version 8.14.0 before 8.17.0

             

            The versions of Jira Service Management Data Center affected by this vulnerability are:
             * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
             * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
             * From version 4.14.0 before 4.17.0

            h3. Fixed Versions

            To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:
             * 8.5.16 that contains a fix for this issue

             * 8.13.8 that contains a fix for this issue

             * 8.17.0 that contains a fix for this issue

             

            Jira Service Management Data Center versions:
             * 4.5.16 that contains a fix for this issue

             * 4.13.8 that contains a fix for this issue

             * 4.17.0 that contains a fix for this issue

             

            These versions can be downloaded at:
             * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]
             * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]
             * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update]

            h3. Additional details

            For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]
            New: h3. Issue Summary

            Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1][2], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service.

            *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

            *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

            *[2]* The default Ehcache port is 40001 but it can be configured to be on a different port, see Installing JIRA Data Center for more details.

             

            *Affected versions:*
             The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:
             * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)
             * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)
             * From version 8.14.0 before 8.17.0

             

            The versions of Jira Service Management Data Center affected by this vulnerability are:
             * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
             * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
             * From version 4.14.0 before 4.17.0

            h3. Fixed Versions

            To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:
             * 8.5.16 that contains a fix for this issue
             * 8.13.8 that contains a fix for this issue
             * 8.17.0 that contains a fix for this issue

             

            Jira Service Management Data Center versions:
             * 4.5.16 that contains a fix for this issue
             * 4.13.8 that contains a fix for this issue
             * 4.17.0 that contains a fix for this issue

             

            These versions can be downloaded at:
             * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]
             * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]
             * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update]

            h3. Additional details

            For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]
            David Black made changes -
            CVE ID New: CVE-2020-36239
            David Black made changes -
            Symptom Severity New: Severity 1 - Critical [ 15830 ]
            David Black made changes -
            Summary Original: Jira Data Center & Jira Service Management Data Center - Ehcache Rhino RMI Deserialization RCE - CVE-2020-36239 New: Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239
            David Black made changes -
            Summary Original: Jira Data Center & Jira Service Management Data Center - Ehcache Rhino RMI Deserialization RCE- CVE-2020-36239 New: Jira Data Center & Jira Service Management Data Center - Ehcache Rhino RMI Deserialization RCE - CVE-2020-36239
            David Black made changes -
            Description Original: h3. Issue Summary

            Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011*[0][1]*, could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service.

            *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

            *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

             

            *Affected versions:*
             The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:
             * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)

             * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)

             * From version 8.14.0 before 8.17.0

             

            The versions of Jira Service Management Data Center affected by this vulnerability are:
             * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
             * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
             * From version 4.14.0 before 4.17.0

            h3. Fixed Versions

            To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:
             * 8.5.16 that contains a fix for this issue

             * 8.13.8 that contains a fix for this issue

             * 8.17.0 that contains a fix for this issue

             

            Jira Service Management Data Center versions:
             * 4.5.16 that contains a fix for this issue

             * 4.13.8 that contains a fix for this issue

             * 4.17.0 that contains a fix for this issue

             

            These versions can be downloaded at:
             * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]
             * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]
             * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update]

            h3. Additional details

            For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]
            New: h3. Issue Summary

            Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 [0][1], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service.

            *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

            *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

             

            *Affected versions:*
             The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:
             * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)

             * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)

             * From version 8.14.0 before 8.17.0

             

            The versions of Jira Service Management Data Center affected by this vulnerability are:
             * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
             * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
             * From version 4.14.0 before 4.17.0

            h3. Fixed Versions

            To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:
             * 8.5.16 that contains a fix for this issue

             * 8.13.8 that contains a fix for this issue

             * 8.17.0 that contains a fix for this issue

             

            Jira Service Management Data Center versions:
             * 4.5.16 that contains a fix for this issue

             * 4.13.8 that contains a fix for this issue

             * 4.17.0 that contains a fix for this issue

             

            These versions can be downloaded at:
             * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]
             * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]
             * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update]

            h3. Additional details

            For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 9.8 => Critical severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required None
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

            David Black added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.8 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
            David Black made changes -
            Description Original:
            This vulnerability affects certain versions of Atlassian Jira Service Management Server. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.
            New: h3. Issue Summary

            Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011*[0][1]*, could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service.

            *[0]* In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

            *[1]* In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

             

            *Affected versions:*
             The versions of Jira Data Center, Jira Core Data Center, and Jira Software Data Center affected by this vulnerability are:
             * From version 6.3.0 before 8.5.16 (the fixed version for 8.5.x)

             * From version 8.6.0 before 8.13.8 (the fixed version for 8.13.x)

             * From version 8.14.0 before 8.17.0

             

            The versions of Jira Service Management Data Center affected by this vulnerability are:
             * From version 2.0.2 before 4.5.16 (the fixed version for 4.5.x)
             * From version 4.6.0 before 4.13.8 (the fixed version for 4.13.x)
             * From version 4.14.0 before 4.17.0

            h3. Fixed Versions

            To address these issues, we have released Jira Data Center, Jira Core Data Center, and Jira Software Data Center:
             * 8.5.16 that contains a fix for this issue

             * 8.13.8 that contains a fix for this issue

             * 8.17.0 that contains a fix for this issue

             

            Jira Service Management Data Center versions:
             * 4.5.16 that contains a fix for this issue

             * 4.13.8 that contains a fix for this issue

             * 4.17.0 that contains a fix for this issue

             

            These versions can be downloaded at:
             * Jira Core Server: [https://www.atlassian.com/software/jira/core/download]
             * Jira Software Data Center: [https://www.atlassian.com/software/jira/update]
             * Jira Service Management Data Center: [https://www.atlassian.com/software/jira/service-management/update]

            h3. Additional details

            For additional details, see the full advisory: [https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html]

              dblack David Black
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: