Urgent: Critical Vulnerability Found in Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center Products

On Wednesday July 21, 2021, Atlassian announced a critical severity security advisory affecting Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center products.

Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed an Ehcache RMI network service on port 40001 and potentially 40011 [0][1]. Because the service performed no authentication, an attacker who could connect to it could execute arbitrary code of their choice in Jira through deserialization. Atlassian strongly recommends restricting access to the Ehcache ports to Data Center instances only; in addition, fixed versions of Jira require a shared secret before the Ehcache service will accept a connection.

What You Need To Know…

Versions affected:

Jira Data Center, Jira Core Data Center, and Jira Software Data Center – ranges

  • 6.3.0 <= version < 8.5.16
  • 8.6.0 <= version < 8.13.8
  • 8.14.0 <= version < 8.17.0

Jira Service Management Data Center – ranges

  • 2.0.2 <= version < 4.5.16
  • 4.6.0 <= version < 4.13.8
  • 4.14.0 <= version < 4.17.0

Jira Data Center, Jira Core Data Center, and Jira Software Data Center

  • All 6.3.x, 6.4.x versions
  • All 7.0.x, 7.1.x , 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x, 7.7.x, 7.8.x, 7.9.x, 7.10.x, 7.11.x, 7.12.x, 7.13.x versions
  • All 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x versions
  • All 8.5.x versions before 8.5.16
  • All 8.6.x, 8.7.x, 8.8.x, 8.9.x, 8.10.x, 8.11.x, 8.12.x versions
  • All 8.13.x versions before 8.13.8
  • All 8.14.x, 8.15.x, 8.16.x versions

Jira Service Management Data Center

  • All 2.x.x versions from 2.0.2 onward
  • All 3.x.x versions
  • All 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x versions
  • All 4.5.x versions before 4.5.16
  • All 4.6.x, 4.7.x, 4.8.x, 4.9.x, 4.10.x, 4.11.x, 4.12.x versions
  • All 4.13.x versions before 4.13.8
  • All 4.14.x, 4.15.x, 4.16.x versions

Versions already fixed:

Jira Data Center, Jira Core Data Center, Jira Software Data Center

  • Version 8.5.16 for 8.5.x LTS
  • Version 8.13.8 for 8.13.x LTS
  • Version 8.17.0

Jira Service Management Data Center

  • Version 4.5.16 for 4.5.x LTS
  • Version 4.13.8 for 4.13.x LTS
  • Version 4.17.0
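To turn the ranges above into something you can run against an installed version, here is an added shell example (not from Atlassian or the original page). It encodes the half-open ranges exactly as listed, reports whether a version is affected, and names the nearest fixed release on the same LTS branch where one exists. It assumes GNU coreutils `sort -V` for version ordering and three-component version strings such as 8.13.7.

```shell
#!/bin/sh
# Added example, not Atlassian's code: classify a Jira Data Center /
# Jira Service Management Data Center version against the advisory's ranges.
# Assumption: GNU `sort -V` is available and versions look like MAJOR.MINOR.PATCH.

# ver_lt A B: true when A sorts strictly before B in version order.
ver_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# in_range V LO HI: true when LO <= V < HI (the advisory's half-open ranges).
in_range() {
  ! ver_lt "$1" "$2" && ver_lt "$1" "$3"
}

# jira_dc_status V: "affected" or "not-affected" for Jira DC / Core DC / Software DC.
jira_dc_status() {
  if in_range "$1" 6.3.0 8.5.16 || in_range "$1" 8.6.0 8.13.8 || in_range "$1" 8.14.0 8.17.0; then
    echo affected
  else
    echo not-affected
  fi
}

# jsm_dc_status V: same classification for Jira Service Management Data Center.
jsm_dc_status() {
  if in_range "$1" 2.0.2 4.5.16 || in_range "$1" 4.6.0 4.13.8 || in_range "$1" 4.14.0 4.17.0; then
    echo affected
  else
    echo not-affected
  fi
}

# jira_dc_fix_target V: nearest fixed release for an affected Jira DC version.
# Stays on the 8.5 / 8.13 LTS branch when V is on it, otherwise 8.17.0.
jira_dc_fix_target() {
  case "${1%.*}" in
    8.5)  echo 8.5.16 ;;
    8.13) echo 8.13.8 ;;
    *)    echo 8.17.0 ;;
  esac
}

# jsm_dc_fix_target V: same for Jira Service Management Data Center.
jsm_dc_fix_target() {
  case "${1%.*}" in
    4.5)  echo 4.5.16 ;;
    4.13) echo 4.13.8 ;;
    *)    echo 4.17.0 ;;
  esac
}

# check_jira_dc V: one-line report, e.g. "8.13.7: affected, upgrade to 8.13.8".
check_jira_dc() {
  if [ "$(jira_dc_status "$1")" = affected ]; then
    echo "$1: affected, upgrade to $(jira_dc_fix_target "$1")"
  else
    echo "$1: not in an affected range"
  fi
}

# check_jsm_dc V: same report for Jira Service Management Data Center.
check_jsm_dc() {
  if [ "$(jsm_dc_status "$1")" = affected ]; then
    echo "$1: affected, upgrade to $(jsm_dc_fix_target "$1")"
  else
    echo "$1: not in an affected range"
  fi
}

# Usage: sh jira_ehcache_check.sh 8.13.7 8.5.3 8.17.0
for v in "$@"; do
  check_jira_dc "$v"
done
```

The fix-target helpers only make sense for a version the status function has already reported as affected; a version below 6.3.0 (or 2.0.2 for JSM) is reported as "not in an affected range" because the advisory does not list it, not because it is known to be safe.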

Atlassian cloud is not affected

Recommended action: Implement the short term workaround immediately and upgrade to a non-vulnerable version as soon as possible.

Atlassian recommends upgrading to the latest version. We also recommend restricting access to the Ehcache RMI ports as per Atlassian's instructions and the Mitigation section below. For a full description of the latest version, see the release notes for Jira Data Center here, Jira Software Data Center here, and Jira Service Management Data Center here. You can download the latest versions of Jira Data Center and Jira Service Management Data Center from the download center (Jira Data Center | Jira Service Management Data Center).

Upgrade Jira Data Center, Jira Core Data Center, and Jira Software Data Center to version 8.17.0 or higher.

If you cannot upgrade to 8.17.0, upgrade to 8.5.16 (8.5.x LTS) or 8.13.8 (8.13.x LTS).

Upgrade Jira Service Management Data Center to version 4.17.0 or higher.

If you cannot upgrade to 4.17.0, upgrade to 4.5.16 (4.5.x LTS) or 4.13.8 (4.13.x LTS).

Mitigation

Restrict access to the Ehcache RMI ports to the Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center cluster instances, using firewalls or similar technologies. This is an interim measure: until a fixed version is installed the service still performs no authentication, so every host that can still reach the port retains the ability to exploit it.

In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions 7.13.1 and above, the ports that need to be restricted are:

  • port 40001
  • port 40011

In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions 7.13.0 and below, the port that needs to be restricted is:

  • port 40001

In Jira Service Management Data Center versions 3.16.1 and above, the ports that need to be restricted are:

  • port 40001
  • port 40011

In Jira Service Management Data Center versions 3.16.0 and below, the port that needs to be restricted is:

  • port 40001
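One way to apply the restriction above on a Linux node, as an added shell example that is not Atlassian's own guidance or code: generate host-firewall rules that accept the Ehcache ports only from the listed cluster node addresses and drop every other source, then probe the port from outside the cluster to confirm it is closed. It assumes iptables, that every node's cluster-facing IP (including the node the rules run on) is passed in, and, for the probe only, bash and coreutils `timeout`.

```shell
#!/bin/sh
# Added example, not Atlassian's code: host-firewall rules for the Ehcache RMI ports.
# Assumptions: Linux with iptables; node IPs below are constructed sample values.

# Default ports for Jira DC 7.13.1+ / JSM DC 3.16.1+; pass "40001" for older releases.
EHCACHE_PORTS="40001 40011"

# ehcache_rules "IP IP ..." [PORTS]
# Prints (does not apply) iptables commands. Every rule uses -I so it lands at the
# top of INPUT, ahead of any pre-existing allow-all rule; the DROP is emitted first
# and the per-node ACCEPTs after it, so the final chain order is ACCEPT ... DROP.
ehcache_rules() {
  nodes=$1
  ports=${2:-$EHCACHE_PORTS}
  for p in $ports; do
    echo "iptables -I INPUT -p tcp --dport $p -j DROP"
    for n in $nodes; do
      echo "iptables -I INPUT -p tcp --dport $p -s $n -j ACCEPT"
    done
  done
}

# apply_ehcache_rules "IP IP ..." [PORTS]: run the generated commands (requires root).
apply_ehcache_rules() {
  ehcache_rules "$@" | sh -e
}

# show_ehcache_rules: list the INPUT rules that currently touch the Ehcache ports.
show_ehcache_rules() {
  iptables -S INPUT | grep -E -- '--dport 400(01|11) '
}

# ehcache_reachable HOST PORT: exit 0 if a TCP connect succeeds within 3 seconds.
# Run this from a host that is NOT a cluster node; once the rules are in place
# it must fail. Assumes bash (for /dev/tcp) and coreutils timeout.
ehcache_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Usage (as root on each node, sample addresses):
#   apply_ehcache_rules "10.0.1.11 10.0.1.12 10.0.1.13"
#   show_ehcache_rules
# Usage (from a non-cluster host):
#   ehcache_reachable 10.0.1.11 40001 && echo "STILL OPEN" || echo "blocked"
```

Keep the list of node addresses in step with cluster membership: a node added later must be appended to the ACCEPT rules or Ehcache replication to it will fail, and a node removed should be dropped from them. Make the rules persistent (for example with your distribution's iptables save mechanism) so a reboot does not silently reopen the port, and re-run the probe after every change.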

Need help with this?

Give us a call, or request help here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.

References:

Atlassian Article