-
Public Security Vulnerability
-
Resolution: Fixed
-
Low
-
4.15.0, 4.15.1, 4.15.2, 4.16.1, 4.17.0, 4.16.0, 4.16.2, 4.17.1, 4.18.0, 4.19.0, 4.18.1, 4.18.2, 4.18.3, 4.19.1
-
None
-
9
-
Critical
-
CVE-2018-10054
Description
Insight - Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server (remote code execution a.k.a. RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test environments.
The combination of the DB import feature introduced by Insight - Asset Management with the existing Jira H2 DB library exposed this vulnerability. The vulnerability exists whether or not the import configuration was saved and even if H2 was never used as a targeted DB. Accessing this vulnerability requires the following:
- The user must be an authenticated Jira user AND
Either of the following privileges within Insight - Asset Management:
- user or group permission to “Insight administrator”
- user or group permission to “Object Schema Manager”
Acknowledgments
The issue was discovered by l0gg via the Atlassian public bug bounty program.
Affected versions:
Insight - Asset Management version:
|
Jira Service Management Data Center and Server version:
- All 4.15.x versions
- All 4.16.x versions
- All 4.17.x versions
- All 4.18.x versions
- All 4.19.x versions|
Fixed versions:
Insight - Asset Management-8.9.3
Jira Service Management Data Center and Jira Service Management Server-4.20.0
Further details can be found on the advisory page.
![[Atlassian Documentation] Page](https://confluence.atlassian.com/images/icons/favicon.png "[Atlassian Documentation] Page"){kind=icon}
![[Atlassian Documentation] Page](/images/icons/generic_link_16.png "[Atlassian Documentation] Page"){kind=icon}
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JSDSERVER-8716] Jira Service Management / Insight Asset Management vulnerable to RCE Security
Do we have to just upgrade Jira Service management and not Jira Software? I also ask this, it's very annoying to have to update production Jira Software every month which reqiuires a lot of testing and planning!
Hi Team,
We are currently using Jira server version 8.13.1 (JSM 4.13.1) and we don't have Insight - Management app installed on our instance. As per the security advisory, we do not need to take any action and our instance is safe. Please confirm.
Hi,
We are on Jira software v8.18.2 and Jira Service Management version v4.18.2. I did uninstall the insight app post upgrade to Jira v8.18.2 long back since we did not want it. Is my system still vulnerable?
Is Jira Service Management v4.20 is compatible with Jira software v8.18.2?
Do we have to just upgrade Jira Service management and not Jira Software?
Also, can uninstalling the Insight plug-in mitigate this vulnerability?
Is there a specific reason for using the CVE ID CVE-2018-10054 here? This old CVE was created for insecure usage of H2 in Datomic before 0.9.5697 and other products.
The advisory ( https://confluence.atlassian.com/adminjiraserver/jira-service-management-security-advisory-2021-10-20-1085186548.html ) states, that the fixed version can no longer connect to any H2 database and the mitigation steps completely remove the H2 jar, achieving the same. The fix and mitigation indicate, that the vulnerability is not coming from H2, but instead is the result of improper use of H2 in Insight.
If the above is correct, it seems to be an issue of input validation/filtering in Insight and in my opinion should have it's own CVE number. Reusing an old CVE of a different product that had a similiar vulnerability in the past just seems a bit odd to me.
hailin.zhang
No, Insight - Asset Management is required to be installed and enabled for Jira instance to be vulnerable.
Hi there,
We dont have Insight - Asset Management installed and we are on Jira server version (not DC). I can find h2-1.4.185.jar in /atlassian-jira/WEB-INF/lib/.
Do we need to delete the jar file?
Cheers
The bundled version of the app received a version bump (9.0.X) to differentiate if from the Marketplace app. If your app version is 9.0.X you are on a version of JSM >= 4.15 which requires an upgrade to get the fix. Mitigate ASAP if you can't upgrade immediately.
Thanks
Hi 9201a05ab401
If your Insight version is 9.0.7, it means it's bundled with JSM 4.17.. you must upgrade JSM to 4.20
This issue mentions this regarding the Insight configuration:
Fixed versions:
Insight - Asset Management-8.9.3
On one instance we are supporting the installed version of Insight is 9.0.7, am I correct to assume that since 9.0.7 is higher than 8.9.3 that there is nothing to update for Insight?
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 9.1 => Critical severity
Exploitability Metrics
Scope Metric
Impact Metrics
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H