  2. JSDSERVER-8716

Jira Service Management / Insight Asset Management vulnerable to RCE Security

    • 9
    • Critical
    • CVE-2018-10054

      Description 

      Insight - Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server (remote code execution, RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test environments.

      The combination of the DB import feature introduced by Insight - Asset Management with the existing Jira H2 DB library exposed this vulnerability. The vulnerability exists whether or not the import configuration was saved and even if H2 was never used as a targeted DB. Exploiting this vulnerability requires all of the following:

      • The user must be an authenticated Jira user, AND
      • the user must hold either of the following privileges within Insight - Asset Management:
        • user or group permission to “Insight administrator”
        • user or group permission to “Object Schema Manager”


      Acknowledgments

      The issue was discovered by l0gg via the Atlassian public bug bounty program.


      Affected versions:

      Insight - Asset Management version:
      • All 5.x versions
      • All 6.x versions
      • All 7.x versions
      • All 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x, 8.6.x, 8.7.x, 8.8.x versions
      • All 8.9.x versions before 8.9.3

      Jira Service Management Data Center and Server version:

      • All 4.15.x versions
      • All 4.16.x versions
      • All 4.17.x versions
      • All 4.18.x versions
      • All 4.19.x versions

      Fixed versions:

      Insight - Asset Management 8.9.3

      Jira Service Management Data Center and Jira Service Management Server 4.20.0

      Further details can be found on the advisory page.
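      The version ranges and the mitigation above translate into a small inventory check that an administrator can run against each instance. The following is an added example, not Atlassian's code or anything from the advisory: it assumes the Jira library directory layout and the h2-*.jar file name that a commenter reports further down this page, and it takes the rule that the bundled 9.0.x build of Insight is fixed only by upgrading JSM itself from the comment thread rather than from the description.

```python
"""Defensive checks for the issue described above (JSDSERVER-8716).

Added example, not Atlassian's code. Version ranges come from the
affected/fixed lists in the description; the rule that the bundled 9.0.x
build of Insight is fixed only by upgrading JSM is taken from the comment
thread, as is the WEB-INF/lib location and the h2-*.jar file name.
"""
import re
import tempfile
from pathlib import Path


def parse_version(text: str) -> tuple:
    """Turn '8.9.3' or '4.18.2' into a comparable tuple of ints.

    A non-numeric suffix such as '-SNAPSHOT' is ignored. Missing components
    compare as lower, so '8.9' sorts before '8.9.3'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def insight_is_affected(version: str) -> bool:
    """Marketplace Insight - Asset Management 5.0 up to (not including) 8.9.3.

    The 9.0.x build is the copy bundled with JSM 4.15+ (per the thread); it
    carries the same flaw and is fixed by upgrading JSM, not the app.
    """
    v = parse_version(version)
    if v[:2] == (9, 0):
        return True
    return (5,) <= v < (8, 9, 3)


def jsm_is_affected(version: str) -> bool:
    """JSM Data Center/Server 4.15.0 through 4.19.x; fixed in 4.20.0."""
    return (4, 15) <= parse_version(version) < (4, 20)


def find_h2_jars(lib_dir: str) -> list:
    """Names of H2 driver jars (h2-*.jar) in a Jira WEB-INF/lib directory.

    The jar on its own does not make an instance exploitable (Insight must be
    installed and enabled), but it is what the vendor mitigation removes, so
    its presence is the thing to inventory.
    """
    return sorted(p.name for p in Path(lib_dir).glob("h2-*.jar"))


def assess(jsm_version: str, insight_version, lib_dir: str) -> dict:
    """Combine the checks into one verdict for a single instance.

    insight_version is None when the app is neither installed nor bundled.
    """
    h2_jars = find_h2_jars(lib_dir)
    jsm_bad = jsm_is_affected(jsm_version)
    insight_bad = insight_version is not None and insight_is_affected(insight_version)
    if not insight_bad:
        action = "no action required (Insight not installed or already fixed)"
    elif jsm_bad or parse_version(insight_version)[:2] == (9, 0):
        action = "upgrade JSM to 4.20.0 (bundled Insight); remove the h2 jar until then"
    else:
        action = "upgrade Insight - Asset Management to 8.9.3; remove the h2 jar until then"
    return {
        "jsm_affected": jsm_bad,
        "insight_affected": insight_bad,
        "h2_jars": h2_jars,
        "action": action,
    }


def demo_lib_dir() -> str:
    """Constructed WEB-INF/lib holding an empty h2-1.4.185.jar (the file name a
    commenter reports on this page) plus an unrelated jar, so the example runs
    offline without a real Jira install."""
    lib = Path(tempfile.mkdtemp()) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    (lib / "h2-1.4.185.jar").touch()
    (lib / "example-driver.jar").touch()  # constructed; must not match
    return str(lib)


if __name__ == "__main__":
    lib = demo_lib_dir()
    for jsm, insight in [("4.18.2", "9.0.7"), ("4.13.1", None), ("4.13.1", "8.9.2")]:
        print(jsm, insight, assess(jsm, insight, lib))
```

      Point `assess()` at the real `atlassian-jira/WEB-INF/lib` directory and the versions shown in the Jira administration pages; a result whose `h2_jars` list is empty and whose `insight_affected` is False is the state the fixed versions and the mitigation both aim for.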

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 9.1 => Critical severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: High
            User Interaction: None

            Scope Metric

            Scope: Changed

            Impact Metrics

            Confidentiality: High
            Integrity: High
            Availability: High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

            Boris Ganchev added a comment -

            Do we have to just upgrade Jira Service Management and not Jira Software? I also ask this; it's very annoying to have to update production Jira Software every month, which requires a lot of testing and planning!

            Divyasri Arja added a comment - edited

            Hi Team,

            We are currently using Jira server version 8.13.1 (JSM 4.13.1) and we don't have the Insight - Asset Management app installed on our instance. As per the security advisory, we do not need to take any action and our instance is safe. Please confirm.

            Susheela Kushwaha added a comment -

            Hi,

            We are on Jira Software v8.18.2 and Jira Service Management v4.18.2. I did uninstall the Insight app post upgrade to Jira v8.18.2 long back since we did not want it. Is my system still vulnerable?

            Is Jira Service Management v4.20 compatible with Jira Software v8.18.2?

            Do we have to just upgrade Jira Service Management and not Jira Software?

            Also, can uninstalling the Insight plug-in mitigate this vulnerability?

            Janis Marrek added a comment -

            Is there a specific reason for using the CVE ID CVE-2018-10054 here? This old CVE was created for insecure usage of H2 in Datomic before 0.9.5697 and other products.

            The advisory ( https://confluence.atlassian.com/adminjiraserver/jira-service-management-security-advisory-2021-10-20-1085186548.html ) states that the fixed version can no longer connect to any H2 database and the mitigation steps completely remove the H2 jar, achieving the same. The fix and mitigation indicate that the vulnerability is not coming from H2, but instead is the result of improper use of H2 in Insight.

            If the above is correct, it seems to be an issue of input validation/filtering in Insight and in my opinion should have its own CVE number. Reusing an old CVE of a different product that had a similar vulnerability in the past just seems a bit odd to me.

            Diego Baeza (Inactive) added a comment -

            hailin.zhang
            No, Insight - Asset Management is required to be installed and enabled for a Jira instance to be vulnerable.

            Hailin Zhang added a comment -

            Hi there,

            We don't have Insight - Asset Management installed and we are on Jira Server (not DC). I can find h2-1.4.185.jar in /atlassian-jira/WEB-INF/lib/.

            Do we need to delete the jar file?

            Cheers

            Daniel R added a comment -

            The bundled version of the app received a version bump (9.0.X) to differentiate it from the Marketplace app. If your app version is 9.0.X you are on a version of JSM >= 4.15, which requires an upgrade to get the fix. Mitigate ASAP if you can't upgrade immediately.

            Thanks


            Diego Baeza (Inactive) added a comment -

            Hi 9201a05ab401
            If your Insight version is 9.0.7, it means it's bundled with JSM 4.17. You must upgrade JSM to 4.20.

            JB MacDonald added a comment -

            This issue mentions this regarding the Insight configuration:

            Fixed versions:

            Insight - Asset Management 8.9.3

            On one instance we are supporting, the installed version of Insight is 9.0.7. Am I correct to assume that since 9.0.7 is higher than 8.9.3 there is nothing to update for Insight?
