Uploaded image for project: 'Jira Service Management Data Center'
  1. Jira Service Management Data Center
  2. JSDSERVER-8716

Jira Service Management / Insight Asset Management vulnerable to RCE Security

XMLWordPrintable

    • 9
    • Critical
    • CVE-2018-10054

      Description 

      Insight - Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server (remote code execution a.k.a. RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test environments.

      The combination of the DB import feature introduced by Insight - Asset Management with the existing Jira H2 DB library exposed this vulnerability. The vulnerability exists whether or not the import configuration was saved and even if H2 was never used as a targeted DB. Accessing this vulnerability requires the following:

      • The user must be an authenticated Jira user AND

      Either of the following privileges within Insight - Asset Management:

      • user or group permission to “Insight administrator”
      • user or group permission to “Object Schema Manager”

       

      Acknowledgments

      The issue was discovered by l0gg via the Atlassian public bug bounty program.

       

      Affected versions:

      Insight - Asset Management version:
      • All 5.x versions
      • All 6.x versions
      • All 7.x versions
      • All 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x, 8.6.x, 8.7.x, 8.8.x versions
      • All 8.9.x versions before 8.9.3

      Jira Service Management Data Center and Server version:

      • All 4.15.x versions
      • All 4.16.x versions
      • All 4.17.x versions
      • All 4.18.x versions
      • All 4.19.x versions|

      Fixed versions:

      Insight - Asset Management-8.9.3 

      Jira Service Management Data Center and Jira Service Management Server-4.20.0 

      Further details can be found on the advisory page.

            [JSDSERVER-8716] Jira Service Management / Insight Asset Management vulnerable to RCE Security

            Tomasz Prus made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 913944 ]
            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 847577 ]
            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 846158 ]
            Maggie O. made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 809098 ]
            Security Metrics Bot made changes -
            Labels Original: CVE-2018-10054 advisory advisory-released dont-import security New: CVE-2018-10054 advisory advisory-released dont-import security 🔢✅

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 9.1 => Critical severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required High
            User Interaction None

            Scope Metric

            Scope Changed

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

            Security Metrics Bot added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.1 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
            Chung Park Chan made changes -
            Labels Original: CVE-2018-10054 advisory advisory-released dont-import hot-jira-fixed security New: CVE-2018-10054 advisory advisory-released dont-import security
            Chung Park Chan made changes -
            Labels Original: CVE-2018-10054 advisory advisory-released dont-import security New: CVE-2018-10054 advisory advisory-released dont-import hot-jira-fixed security

            Boris Ganchev added a comment -

            Do we have to just upgrade Jira Service management and not Jira Software? I also ask this, it's very annoying to have to update production Jira Software every month which reqiuires a lot of testing and planning!

            Boris Ganchev added a comment - Do we have to just upgrade Jira Service management and not Jira Software? I also ask this, it's very annoying to have to update production Jira Software every month which reqiuires a lot of testing and planning!

            Divyasri Arja added a comment - - edited

            Hi Team,

            We are currently using Jira server version 8.13.1 (JSM 4.13.1) and we don't have Insight - Management app installed on our instance. As per the security advisory, we do not need to take any action and our instance is safe. Please confirm.

             

             

             

            Divyasri Arja added a comment - - edited Hi Team, We are currently using Jira server version 8.13.1 (JSM 4.13.1) and we don't have Insight - Management app installed on our instance. As per the security advisory, we do not need to take any action and our instance is safe. Please confirm.      

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              21 Start watching this issue

                Created:
                Updated:
                Resolved: