JIRA 4.0 : JIRA Security Advisory 2008-12-09
This page last changed on Dec 14, 2008 by alui.
In this advisory: Security Vulnerabilities

WebWork 1 Parameter Injection Hole

Severity
Atlassian rates this vulnerability as CRITICAL, according to the scale published in the JIRA Security documentation. This scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed a security flaw which may affect JIRA instances in a public environment. This flaw is a parameter injection vulnerability in the implementation of the WebWork 1 web application framework in JIRA. The WebWork 1 web application framework allows for the dynamic transformation of URL parameters into method calls. This potentially allows a malicious user (hacker) to call exposed public methods in JIRA via specially formatted URLs. Atlassian recommends that you upgrade to JIRA 3.13.2 to fix the vulnerabilities described below.

Risk Mitigation
We strongly recommend that you upgrade or apply the necessary patch as soon as possible. If you judge it necessary, you can disable public access (i.e. anonymous access and public signup) to your JIRA system. For even tighter control, you could restrict JIRA access to trusted groups only.

Vulnerability
All versions of JIRA are vulnerable to this security flaw. A number of public JIRA methods are exposed to this vulnerability. These methods can be called via specially formatted URLs. The method names are not listed for security reasons.

Fix
The fix is to process parameters via a trusted implementation of the action factory in the WebWork 1 web application framework, which provides more secure method transformations. This issue has been fixed in JIRA 3.13.2 or later. The fix is also provided as a patch for JIRA 3.12.3, 3.11, 3.10.2, 3.9.3, 3.8.1, 3.7.4, 3.6.5 and 3.5.3. There are no patches available for JIRA versions 3.4.x or earlier. We recommend that you upgrade to at least JIRA 3.5.x to apply this patch.
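The following is an added illustration of the class of flaw described above, not code from JIRA, WebWork or Atlassian, and it does not use any JIRA method name. It shows a convention-based parameter binder that maps any request parameter named xxx onto a public setXxx(...) method by reflection, beside an allowlist binder that only maps parameters the action explicitly declares. ProfileAction, its methods and the request parameters are hypothetical values constructed for this example; the allowlist is one illustrative hardening, not a reproduction of the trusted action factory the advisory refers to.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/*
 * Illustrative only: a hypothetical web action and two parameter binders.
 * ProfileAction is not a JIRA class and these binders are not WebWork code.
 */
public class ParameterBindingDemo {

    /** Hypothetical action class; the field and method names are made up for this example. */
    public static class ProfileAction {
        private String displayName = "";
        private boolean admin = false;

        public void setDisplayName(String v) { displayName = v; }
        public String getDisplayName() { return displayName; }

        // Public so other server-side code can call it; never meant to be
        // reachable from a request parameter. A naming-convention binder
        // cannot tell the difference.
        public void setAdmin(boolean v) { admin = v; }
        public boolean isAdmin() { return admin; }
    }

    /** Convention-based binder: every public setXxx(one arg) becomes a target for a parameter named xxx. */
    static void bindByConvention(Object action, Map<String, String> params) throws Exception {
        for (Map.Entry<String, String> p : params.entrySet()) {
            String name = p.getKey();
            if (name.isEmpty()) continue;
            String setter = "set" + Character.toUpperCase(name.charAt(0)) + name.substring(1);
            for (Method m : action.getClass().getMethods()) {
                if (m.getName().equals(setter) && m.getParameterCount() == 1) {
                    m.invoke(action, convert(p.getValue(), m.getParameterTypes()[0]));
                }
            }
        }
    }

    /**
     * Allowlist binder: only parameter names the action explicitly declares are ever
     * mapped to a method. Returns the names that were dropped so they can be logged;
     * unexpected parameter names against a form are a useful detection signal.
     */
    static Set<String> bindAllowlisted(Object action, Map<String, String> params, Set<String> allowed)
            throws Exception {
        Set<String> rejected = new HashSet<>();
        Map<String, String> accepted = new LinkedHashMap<>();
        for (Map.Entry<String, String> p : params.entrySet()) {
            if (allowed.contains(p.getKey())) {
                accepted.put(p.getKey(), p.getValue());
            } else {
                rejected.add(p.getKey());
            }
        }
        bindByConvention(action, accepted);
        return rejected;
    }

    /** Minimal String-to-type conversion for the parameter types used in this example. */
    static Object convert(String raw, Class<?> type) {
        if (type == String.class) return raw;
        if (type == boolean.class || type == Boolean.class) return Boolean.parseBoolean(raw);
        if (type == int.class || type == Integer.class) return Integer.parseInt(raw);
        throw new IllegalArgumentException("unsupported parameter type: " + type);
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: one parameter the form offers, plus one it never does.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("displayName", "alice");
        params.put("admin", "true");

        ProfileAction a = new ProfileAction();
        bindByConvention(a, params);
        // The stray parameter reached setAdmin: prints admin=true
        System.out.println("convention binder: admin=" + a.isAdmin());

        ProfileAction b = new ProfileAction();
        Set<String> rejected = bindAllowlisted(b, params, new HashSet<>(Arrays.asList("displayName")));
        // Prints admin=false, rejected=[admin]
        System.out.println("allowlist binder:  admin=" + b.isAdmin() + ", rejected=" + rejected);
    }
}
```

The point of the contrast is that the exposure comes from the binding rule, not from any single method: with convention-based binding the set of reachable methods is whatever the class happens to make public, so the mitigation the advisory describes (a trusted action factory) and the interim steps it recommends (restricting anonymous and public access) both reduce who can supply parameters or what those parameters can reach.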
Available JIRA Patches

JIRA 3.13.1: The patches for JIRA 3.13.1 are available in the file jra-15664-3.13.1-patch.zip
JIRA 3.12.3: The patches for JIRA 3.12.3 are available in the file jra-15664-3.12.3-patch.zip
JIRA 3.11: The patches for JIRA 3.11 are available in the file jra-15664-3.11-patch.zip
JIRA 3.10.2: The patches for JIRA 3.10.2 are available in the file jra-15664-3.10.2-patch.zip
JIRA 3.9.3: The patches for JIRA 3.9.3 are available in the file jra-15664-3.9.3-patch.zip
JIRA 3.8.1: The patches for JIRA 3.8.1 are available in the file jra-15664-3.8.1-patch.zip
JIRA 3.7.4: The patches for JIRA 3.7.4 are available in the file jra-15664-3.7.4-patch.zip
JIRA 3.6.5: The patches for JIRA 3.6.5 are available in the file jra-15664-3.6.5-patch.zip
JIRA 3.5.3: The patches for JIRA 3.5.3 are available in the file jra-15664-3.5.3-patch.zip
JIRA 3.4.x and earlier: There are no patches available for JIRA versions 3.4.x or earlier. We recommend that you upgrade to at least JIRA 3.5.x.

Please let us know what you think of the format of this security advisory and the information we have provided.
Document generated by Confluence on Oct 06, 2009 00:31