By Ryan Skarra-Gallagher
Senior Systems Engineer
On Wednesday July 10, 2019, Atlassian announced a critical “Template Injection” vulnerability in Jira Server and Data Center products. In certain cases, this vulnerability allows remote code execution.
What you need to know…
- Versions affected: This vulnerability affects most versions of Jira, from 4.4.X through 8.2.X.
- Versions already fixed: Atlassian has fixed the issue in versions 7.6.14, 7.13.5, 8.0.3, 8.1.2 and 8.2.3; all other affected versions remain vulnerable until upgraded.
- Location and description of vulnerability: The vulnerability lies in the ContactAdministrators and SendBulkMail actions. Left unpatched, in certain cases a successful exploit allows an attacker to execute code remotely on the server.
- Recommended action: Remediate immediately if the affected Jira instance has an SMTP server configured and the Contact Administrators Form is enabled, OR if an attacker has Jira Administrator access and an SMTP server is configured. Atlassian recommends upgrading to one of the fixed versions listed above.
- Short-term workaround: If you can’t upgrade immediately, we recommend the following until the upgrade can be performed:
  1. Disable the Contact Administrators Form.
  2. Block access to the /secure/admin/SendBulkMail!default.jspa endpoint. This can be done by denying access in the reverse proxy, the load balancer or Tomcat directly.
- After upgrading Jira, you can re-enable the Contact Administrators Form and unblock the SendBulkMail endpoint.
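As an added example (not from Atlassian or this post), the Python helper below applies the version data above to decide whether an instance is affected, and scans access-log lines for requests to the two endpoints so you can confirm that the proxy or Tomcat block answers 403. The log line shape, the sample lines and the /secure/ContactAdministrators path are assumptions.

```python
import re

# Fixed releases named in the advisory, keyed by release line (major, minor).
FIXED = {(7, 6): (7, 6, 14), (7, 13): (7, 13, 5), (8, 0): (8, 0, 3),
         (8, 1): (8, 1, 2), (8, 2): (8, 2, 3)}

# Endpoint prefixes to watch. The SendBulkMail path is from the advisory;
# the ContactAdministrators path is assumed from Jira's /secure/<Action> layout.
WATCH_PREFIXES = ("/secure/admin/SendBulkMail", "/secure/ContactAdministrators")

# Assumed access-log shape: client, two fields, [timestamp], "METHOD PATH PROTO", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')


def parse_version(version: str) -> tuple:
    """Turn '8.2.3' into (8, 2, 3); any suffix after the numeric part is ignored."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", version).group(0).split("."))


def is_affected(version: str) -> bool:
    """True when the version is within 4.4.x through 8.2.x and below the fixed
    release of its line, or in a line for which no fix is listed."""
    v = parse_version(version)
    if v < (4, 4) or v >= (8, 3):
        return False
    fixed = FIXED.get(v[:2])
    return True if fixed is None else v < fixed


def scan_access_log(lines) -> list:
    """One record per request to a watched endpoint. 'blocked' is True when the
    rule answered 403; a 200 here means the block is not in effect."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path.startswith(WATCH_PREFIXES):
            status = int(m.group("status"))
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "path": path, "status": status, "blocked": status == 403})
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jul/2019:10:02:17 +0000] "GET /secure/ContactAdministrators!default.jspa HTTP/1.1" 403 0
203.0.113.5 - - [11/Jul/2019:10:02:21 +0000] "POST /secure/admin/SendBulkMail!default.jspa HTTP/1.1" 403 0
198.51.100.7 - - [11/Jul/2019:10:03:02 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 8741
192.0.2.9 - - [11/Jul/2019:10:05:44 +0000] "POST /secure/admin/SendBulkMail.jspa?x=1 HTTP/1.1" 200 512
""".splitlines()
```

Run `is_affected("7.13.4")` against your own version string and feed real access-log lines to `scan_access_log`; any hit with `blocked` False shows the endpoint is still reachable.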
Need help with this?
Give us a call. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.