Date: Mon, 26 Jul 2021 10:26:56 +1000
From: Atlassian <security@...assian.com>
To: fulldisclosure@...lists.org
Subject: [FD] ATLASSIAN - CVE-2020-36239 - Jira Data Center and Jira Service Management Data Center

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html



CVE ID:

* CVE-2020-36239


Products: Jira Data Center, Jira Core Data Center, Jira Software Data Center,
and Jira Service Management Data Center.

Affected Versions - Jira Data Center, Jira Core Data Center, and Jira Software
Data Center:

6.3.0 <= version < 8.5.16
8.6.0 <= version < 8.13.8
8.14.0 <= version < 8.17.0



Affected Versions - Jira Service Management Data Center:

2.0.2 <= version < 4.5.16
4.6.0 <= version < 4.13.8
4.14.0 <= version < 4.17.0


Fixed Versions - Jira Data Center, Jira Core Data Center, and Jira Software Data Center:

* Version 8.5.16 for 8.5.x LTS
* Version 8.13.8 for 8.13.x LTS
* Version 8.17.0

Fixed Versions - Jira Service Management Data Center

* Version 4.5.16 for 4.5.x LTS
* Version 4.13.8 for 4.13.x LTS
* Version 4.17.0




Summary:
This advisory discloses a critical severity security vulnerability introduced in version 6.3.0 of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center (known as Jira Service Desk prior to 4.14). Affected versions of Jira Data Center and Jira Service Management Data Center are listed above (see "Affected Versions").

Customers who have downloaded and installed any versions listed in the Affected
Versions section must upgrade their installations immediately to fix this
vulnerability:
* Jira Data Center
* Jira Core Data Center
* Jira Software Data Center
* Jira Service Management Data Center

Atlassian Cloud is not affected by the issue described in this email.
Jira Cloud is not affected.
Jira Service Management Cloud is not affected.
Non-Data Center instances of Jira Server (Core & Software) and Jira Service
Management are not affected by the issue described in this email.


Missing Authentication for Ehcache RMI - CVE-2020-36239

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:
Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed an Ehcache RMI network service that performed no authentication. An attacker who can connect to the service (port 40001, and potentially 40011 [0][1][2]) can execute arbitrary code of their choice in Jira through Java deserialization of the RMI traffic. Atlassian strongly recommends restricting access to the Ehcache ports to Data Center cluster nodes only; in addition, fixed versions of Jira now require a shared secret before access to the Ehcache service is allowed.

[0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center
versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

[1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

[2] The default Ehcache port is 40001 but it can be configured to be on a
different port, see
https://confluence.atlassian.com/adminjiraserver/installing-jira-data-center-938846870.html#InstallingJiraDataCenter-parametersCluster.propertiesfileparameters
for more details.


Fix:

To address these issues, we've released the following versions containing a fix:
For Jira Data Center, Jira Core Data Center, and Jira Software Data Center:
* 8.5.16 that contains a fix for this issue
* 8.13.8 that contains a fix for this issue
* 8.17.0 that contains a fix for this issue

For Jira Service Management Data Center:
* 4.5.16 that contains a fix for this issue
* 4.13.8 that contains a fix for this issue
* 4.17.0 that contains a fix for this issue


Remediation:

Atlassian recommends that you upgrade to the latest version. We also recommend restricting access to the Ehcache RMI ports as described in
https://confluence.atlassian.com/adminjiraserver/installing-jira-data-center-938846870.html#InstallingJiraDataCenter-Security
and in the full advisory for this issue:
https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html#JiraDataCenterAndJiraServiceManagementDataCenterSecurityAdvisory20210721-WhatYouNeedtoDo

Fixed versions can be downloaded at:
* Jira Core Server: https://www.atlassian.com/software/jira/core/download
* Jira Software Data Center: https://www.atlassian.com/software/jira/update
* Jira Service Management Data Center:
https://www.atlassian.com/software/jira/service-management/update
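The Description above says the exposed service is Ehcache's RMI endpoint on 40001 (and potentially 40011), and the Remediation says to restrict those ports to cluster nodes. The following check, an added example that is not Atlassian's code and not part of the advisory, lets you verify from a host outside the cluster whether the ports still answer. It speaks only the first step of Java's JRMP (RMI wire) protocol: the client sends the magic "JRMI", protocol version 2 and the StreamProtocol byte 0x4b, and an RMI endpoint answers with ProtocolAck (0x4e) followed by the client's host (writeUTF) and port (writeInt). A ProtocolAck from a non-cluster host means the port is still exposed; a refused or filtered connection is the expected result once the firewall rules are in place. The hostname in the usage line and the sample reply bytes are constructed for illustration.

```python
"""Probe whether a Jira Data Center node still answers on its Ehcache RMI ports.

Added example, not Atlassian's code. Sends the JRMP stream-protocol greeting and
classifies the reply. It does not send any RMI call or serialized object.
"""
import socket
import struct

# Constants from java.rmi.transport.TransportConstants
JRMI_MAGIC = b"JRMI"
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F

# Ports named in the advisory; both can be reconfigured in cluster.properties,
# and the object port was randomly allocated on older versions (footnotes [0]-[2]).
EHCACHE_PORTS = (40001, 40011)

# Constructed sample of an RMI endpoint's reply to the greeting: ProtocolAck,
# then writeUTF("10.0.0.200") (2-byte length + bytes), then writeInt(54321).
SAMPLE_ACK = bytes([PROTOCOL_ACK]) + struct.pack(">H", 10) + b"10.0.0.200" + struct.pack(">i", 54321)


def build_handshake() -> bytes:
    """JRMP greeting: magic, big-endian 16-bit version, protocol byte."""
    return JRMI_MAGIC + struct.pack(">H", JRMI_VERSION) + bytes([STREAM_PROTOCOL])


def parse_protocol_ack(data: bytes):
    """Classify the server's reply. Returns (status, client_host, client_port).

    host/port are None unless a complete ProtocolAck was received.
    """
    if not data:
        return ("no-reply", None, None)
    status = data[0]
    if status == PROTOCOL_NACK:
        return ("nack", None, None)          # RMI endpoint, but it rejected the protocol
    if status != PROTOCOL_ACK:
        return ("not-jrmp", None, None)      # something else listens here (e.g. HTTP)
    if len(data) < 3:
        return ("ack", None, None)           # truncated read; still an RMI endpoint
    (hlen,) = struct.unpack(">H", data[1:3])
    host = data[3:3 + hlen].decode("utf-8", errors="replace")
    port = None
    if len(data) >= 3 + hlen + 4:
        (port,) = struct.unpack(">i", data[3 + hlen:3 + hlen + 4])
    return ("ack", host, port)


def probe(host: str, port: int, timeout: float = 3.0):
    """Connect, send the greeting, read up to 256 bytes and classify them."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_handshake())
            data = s.recv(256)
    except OSError as exc:
        # Refused or filtered is the desired outcome when probing from outside the cluster.
        return ("unreachable", str(exc), None)
    return parse_protocol_ack(data)


def exposure_report(host: str, ports=EHCACHE_PORTS, timeout: float = 3.0):
    """Probe every Ehcache port on one node; values are (status, host, port) tuples."""
    return {p: probe(host, p, timeout) for p in ports}


def exposed_ports(report) -> list:
    """Ports on which an RMI endpoint acknowledged the greeting."""
    return [p for p, (status, _, _) in report.items() if status in ("ack", "nack")]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "jira-node-1.example.internal"  # assumed hostname
    report = exposure_report(target)
    for port, result in report.items():
        print(port, result)
    print("exposed Ehcache ports:", exposed_ports(report))
```

Run it from a host that is not a cluster node (and not on the cluster's network segment) after applying the firewall rules from the linked installation guide; every port should report "unreachable". If the object port was reconfigured or, on the old versions named in footnotes [0] and [1], randomly allocated, pass the actual port list to exposure_report rather than relying on the defaults.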



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/