Urgent: Critical Vulnerability Found in Jira Service Desk and Data Center Products

On Wednesday November 6, 2019, Atlassian announced two critical severity vulnerabilities that affect Jira Service Desk and Data Center products (CVE-2019-15003 and CVE-2019-15004). In certain cases, these vulnerabilities allow an attacker to view all issues within all Jira projects contained in the vulnerable instance. Atlassian rates them as critical vulnerabilities requiring immediate attention.

Atlassian Cloud instances have already been upgraded to a version of Jira Service Desk which does not have the issue described on this page.

Customers who have upgraded Jira Service Desk Server & Jira Service Desk Data Center to versions 3.9.17, 3.16.11, 4.2.6, 4.3.5, 4.4.3, or 4.5.1 are not affected.

Authorization Bypass Allows Information Disclosure & URL Path Traversal Allows Information Disclosure – CVE-2019-15003 & CVE-2019-15004

What you need to know…

  • Location and description of vulnerability: By design, Jira Service Desk gives customer portal users permissions only to raise requests and view issues. This allows users to interact with the customer portal without having direct access to Jira. These restrictions can be bypassed by any attacker with portal access* who exploits an authorization bypass. Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.

    * Note that attackers can grant themselves access to Jira Service Desk portals that have the "Anyone can email the service desk or raise a request in the portal" setting enabled. Changing this permission does not remove the vulnerability to an exploit by an attacker who already has portal access. Atlassian does not recommend changing the permission; instead, please read on and follow the instructions outlined in the section below.
  • Recommended action: Upgrade to a non-vulnerable version as soon as possible.
  • Versions affected:

    • All versions before 3.9.17
    • 3.10.x
    • 3.11.x
    • 3.12.x
    • 3.13.x
    • 3.14.x
    • 3.15.x
    • 3.16.x before 3.16.10 (the fixed version for 3.16.x)
    • 4.0.x
    • 4.1.x
    • 4.2.x before 4.2.6 (the fixed version for 4.2.x)
    • 4.3.x before 4.3.5 (the fixed version for 4.3.x)
    • 4.4.x before 4.4.3 (the fixed version for 4.4.x)
    • 4.5.x before 4.5.1 (the fixed version for 4.5.x)
  • Versions already fixed:
Upgrading Jira Service Desk also requires upgrading Jira Core. Check the compatibility matrix to find the equivalent version for your Jira Service Desk version.

If you have Jira Service Desk version…   …then upgrade to this bugfix version:
4.5.x                                    4.5.1
4.4.x                                    4.4.3
4.3.x                                    4.3.5
4.2.x                                    4.2.6
4.1.x                                    4.5.1 (Recommended)
4.0.x                                    4.5.1 (Recommended)
3.16.x                                   3.16.11
3.9.x                                    3.16.11, 3.9.17
Older versions (before 3.9.x)            Current versions: 4.4.1, 4.3.4; Enterprise releases: 4.5.1 (Recommended), 3.16.11, 3.9.17
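The affected-version list and the upgrade table above are easy to misread during a rushed patch cycle, so here is a small triage helper that checks a Jira Service Desk Server / Data Center version string against them. This is illustrative code added to this page, not Atlassian's tooling; the version data is transcribed from the advisory text, and the sample inventory is constructed. One assumption is flagged in the code: the affected-versions list prints 3.16.10 as the fixed release for 3.16.x while the rest of the advisory says 3.16.11, and the helper uses 3.16.11. It also filters the table's "older versions" row, which as printed includes 4.4.1 and 4.3.4, to releases the advisory itself marks as fixed.

```python
"""Triage Jira Service Desk Server / Data Center version strings against the
affected and fixed versions in the CVE-2019-15003 / CVE-2019-15004 advisory.
Illustrative code added here; it is not Atlassian's. Version data is transcribed
from the advisory text; the sample inventory at the bottom is constructed."""

import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# First fixed release in each branch that received a fix. The affected-versions
# list prints 3.16.10 for 3.16.x while the rest of the advisory says 3.16.11;
# 3.16.11 is used here (assumption).
FIXED_IN_BRANCH: Dict[Branch, Version] = {
    (3, 9): (3, 9, 17),
    (3, 16): (3, 16, 11),
    (4, 2): (4, 2, 6),
    (4, 3): (4, 3, 5),
    (4, 4): (4, 4, 3),
    (4, 5): (4, 5, 1),
}

# Branches listed as affected with no fixed release of their own.
UNFIXED_BRANCHES = {(3, m) for m in range(10, 16)} | {(4, 0), (4, 1)}

# "Upgrade to this bugfix version" rows from the advisory, keyed by branch.
UPGRADE_TABLE: Dict[Branch, Tuple[str, ...]] = {
    (4, 5): ("4.5.1",),
    (4, 4): ("4.4.3",),
    (4, 3): ("4.3.5",),
    (4, 2): ("4.2.6",),
    (4, 1): ("4.5.1",),
    (4, 0): ("4.5.1",),
    (3, 16): ("3.16.11",),
    (3, 9): ("3.16.11", "3.9.17"),
}
# Row for "Older versions (before 3.9.x)", exactly as printed in the advisory.
OLDER_VERSION_TARGETS: Tuple[str, ...] = ("4.4.1", "4.3.4", "4.5.1", "3.16.11", "3.9.17")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse '4.2.6' (or '4.2', read as 4.2.0) into a comparable tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a Jira Service Desk version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is at or past
    its branch's fixed release, None if the advisory does not cover the branch
    (for example 4.6.x), so unknown branches are never silently reported safe."""
    version = parse_version(text)
    branch = version[:2]
    if version < (3, 9, 17):            # "All versions before 3.9.17"
        return True
    if branch in UNFIXED_BRANCHES:      # 3.10.x - 3.15.x, 4.0.x, 4.1.x
        return True
    if branch in FIXED_IN_BRANCH:
        return version < FIXED_IN_BRANCH[branch]
    return None


def upgrade_targets(text: str) -> Optional[Tuple[str, ...]]:
    """Bugfix versions the advisory's table names for this version's branch,
    or None where the table has no row (3.10.x - 3.15.x)."""
    version = parse_version(text)
    branch = version[:2]
    if branch in UPGRADE_TABLE:
        return UPGRADE_TABLE[branch]
    if version < (3, 9, 0):
        return OLDER_VERSION_TARGETS
    return None


def safe_targets(text: str) -> Optional[Tuple[str, ...]]:
    """upgrade_targets() filtered to releases that is_affected() reports fixed;
    the printed 'older versions' row includes 4.4.1 and 4.3.4, both below their
    branch's fixed release, and those are dropped here."""
    targets = upgrade_targets(text)
    if targets is None:
        return None
    return tuple(t for t in targets if is_affected(t) is False)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for name, ver in {"jsd-prod": "4.2.3", "jsd-legacy": "3.12.4", "jsd-lab": "4.6.0"}.items():
        print(name, ver, "affected:", is_affected(ver), "upgrade to:", safe_targets(ver))
```

Feed it the version string from each instance's administration page; a `None` result from `is_affected()` means the branch is outside what this advisory lists and needs to be checked against the current Atlassian advisory rather than assumed safe.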

Mitigation for CVE-2019-15003

After upgrading Jira Service Desk this mitigation can be removed.

Mitigation for CVE-2019-15004

  • Short-term workaround: If you are unable to upgrade Jira Service Desk immediately or are in the process of migrating to Jira Cloud, then as a temporary workaround, you can:

After upgrading Jira Service Desk this mitigation can be removed. 

Need help with this?

Give us a call, or request help here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.

References:

Atlassian Article