JIRA 4.0 : JIRA Security Advisory 2009-04-02
This page last changed on Apr 22, 2009 by alui.
In this advisory:
HTTP Header Injection Flaw
DWR XSS Security Hole
XSS vulnerability in various JIRA parameters
Security Vulnerabilities — JIRA Plugins: JIRA Charting Plugin XSS Security Hole

Security Vulnerabilities

HTTP Header Injection Flaw

Severity
Atlassian rates this vulnerability as HIGH, according to the scale published in the JIRA Security documentation. This scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed a security flaw which may affect JIRA instances in a public environment. The flaw is an HTTP header injection vulnerability in JIRA: a redirect URL taken from the request was copied into a response header without validation, so an attacker who embeds carriage-return and line-feed characters in that value can terminate the header, append headers of their own and even supply a response body. An attacker could present such a crafted URL to users (for example disguised in an email). If a user clicks the URL, the attacker-supplied content is returned by JIRA in its response and is rendered, or executed, in that user's browser session.

Atlassian recommends that you upgrade to JIRA 3.13.3 to fix the vulnerabilities described below.

Risk Mitigation
We strongly recommend that you upgrade or apply the necessary patch as soon as possible. If you are unable to do this, consult the vendor of your application server to see whether it is immune to header injection or offers configuration options to prevent such attacks. For example, the Coyote (HTTP) connector in Tomcat version 5.5 and later is immune to header injection attacks, as acknowledged in this reference. Note that this is a mitigation at the application-server layer only: whether it can be applied, how long it takes and how effective it is all depend on your application server and its configuration, and it does not remove the flaw in JIRA itself.
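The following Python is an added example, not Atlassian or Seraph code. It models the flaw described above (a request-supplied redirect target copied into the Location header without validation) and the two layers of defence the advisory mentions: a connector that refuses to pass control characters into header values, in the spirit of the Tomcat behaviour cited above, and the application-level validation and encoding of the redirect target that the Seraph fix performs. The parameter name, the paths and the attacker payload are constructed for this example; the connector model is a simplification, not Tomcat's code.

```python
"""Added example: HTTP header injection through an unvalidated redirect target.

Not Atlassian/Seraph code.  Shows a vulnerable redirect, a connector-level
backstop modelled on control-character stripping, and the application-level
fix (validate, then percent-encode, the redirect target).
"""
from typing import List, Optional, Tuple
from urllib.parse import quote, urlsplit

CRLF = "\r\n"

# Constructed attacker value: a legitimate-looking path followed by CRLF
# sequences that end the Location header, add a header of the attacker's
# choosing, end the header block and supply a response body.
PAYLOAD = ("/secure/Dashboard.jspa" + CRLF +
           "Set-Cookie: session=attacker" + CRLF + CRLF +
           "<script>alert(1)</script>")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def redirect_vulnerable(dest: str) -> str:
    """Copies the attacker-controlled value straight into the Location header."""
    return f"HTTP/1.1 302 Found{CRLF}Location: {dest}{CRLF}{CRLF}"


def connector_sanitize(value: str) -> str:
    """Models a connector that will not emit control characters in header
    values (replacing them with spaces).  A backstop, not the application fix:
    the header still carries the attacker's text, just on one line."""
    return "".join(" " if (ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F else c
                   for c in value)


def redirect_behind_sanitizing_connector(dest: str) -> str:
    return f"HTTP/1.1 302 Found{CRLF}Location: {connector_sanitize(dest)}{CRLF}{CRLF}"


def safe_redirect_target(dest: str) -> Optional[str]:
    """Application-level fix: accept only a local, control-character-free path
    and percent-encode it before it reaches a header.  None means reject."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dest):
        return None                       # CR, LF, NUL, ...: header injection
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc:
        return None                       # absolute, //host or javascript: URL
    if not parts.path.startswith("/") or parts.path.startswith(("//", "/\\")):
        return None                       # not a local path, or host-trick prefix
    target = quote(parts.path, safe="/-._~!$&'()*+,;=:@")
    if parts.query:
        target += "?" + quote(parts.query, safe="-._~!$&'()*+,;=:@/?")
    return target


def redirect_hardened(dest: str, fallback: str = "/") -> str:
    """Redirect to the validated target, or to a fixed fallback when the
    supplied value is rejected (a design choice made for this example)."""
    target = safe_redirect_target(dest)
    return f"HTTP/1.1 302 Found{CRLF}Location: {target or fallback}{CRLF}{CRLF}"


if __name__ == "__main__":
    for label, fn in (("vulnerable", redirect_vulnerable),
                      ("sanitizing connector", redirect_behind_sanitizing_connector),
                      ("hardened", redirect_hardened)):
        status, headers, body = parse_response(fn(PAYLOAD))
        print(f"{label}: headers={headers} body={body!r}")
```

Run stand-alone, the vulnerable builder yields a response with an extra Set-Cookie header and an attacker-controlled body; behind the sanitizing connector the response has a single (garbled) Location header and no body; the hardened builder rejects the value and redirects to the fallback. The validation also rejects absolute and protocol-relative targets, which closes the open-redirect case the same parameter would otherwise present.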
Vulnerability
All versions of JIRA prior to 3.13.3 are vulnerable to this security flaw.

Fix
The fix updates the Seraph framework to a version which correctly validates and encodes redirect URLs before sending them back to the user. This issue is fixed in JIRA 3.13.3 and later. The fix is also provided as a patch for JIRA 3.12.3 and 3.11. There are no patches available for JIRA versions 3.10.x and earlier; we recommend that you upgrade to at least JIRA 3.11 to apply the patch.

Available JIRA Patches

JIRA 3.12.3
A replacement seraph jar for JIRA 3.12.3 is available here: atlassian-seraph-0.38.3.jar
Replace JIRA's existing seraph jar with the updated one:

JIRA 3.11
A replacement seraph jar for JIRA 3.11 is available here: seraph-0.7.21.1.jar
Replace JIRA's existing seraph jar with the updated one:

JIRA 3.10.x and earlier
There are no patches available for JIRA versions 3.10.x or earlier. We recommend that you upgrade to at least JIRA 3.11.

DWR XSS Security Hole

Severity
Atlassian rates this vulnerability as HIGH, according to the scale published in the JIRA Security documentation. This scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed a security flaw which may affect JIRA instances in a public environment. The flaw is a cross-site scripting (XSS) vulnerability in the DWR (Direct Web Remoting) library shipped with JIRA. An attacker can craft a URL whose parameters are reflected into the page unencoded, so JavaScript of the attacker's choosing runs in the browser of whoever opens it. An attacker could present such a URL to users (for example disguised in an email). If a user clicks the URL, the injected JavaScript is executed in that user's session.
Atlassian recommends that you upgrade to JIRA 3.13.3 to fix the vulnerabilities described below.

Risk Mitigation
We recommend that you upgrade or apply the necessary patch as soon as possible. If you judge it necessary, you can disable public access (i.e. anonymous access and public signup) to your JIRA system. For even tighter control, you could restrict JIRA access to trusted groups only. Note that these measures limit who can reach the vulnerable pages; they do not stop a trusted, logged-in user from being sent a crafted link.

Vulnerability
All versions of JIRA prior to 3.13.3 are vulnerable to this security flaw.

Fix
The fix is to upgrade the DWR library shipped with JIRA to version 2.0.3, which does not have this security flaw. This issue is fixed in JIRA 3.13.3 and later. The fix is also provided as a patch for JIRA 3.12.3 and 3.11. There are no patches available for JIRA versions 3.10.x or earlier. Please see JRA-16072 for further details.

Available JIRA Patches

JIRA 3.12.3
The patches for JIRA 3.12.3 are available in the file jra-16072-3.12.3-patch.zip

JIRA 3.11
The patches for JIRA 3.11 are available in the file jra-16072-3.11-patch.zip

JIRA 3.10.x and earlier
There are no patches available for JIRA versions 3.10.x or earlier. We recommend that you upgrade to at least JIRA 3.11.

XSS vulnerability in various JIRA parameters

Severity
Atlassian rates this vulnerability as HIGH, according to the scale published in the JIRA Security documentation. This scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed a number of security flaws which may affect JIRA instances in a public environment. The flaws are all cross-site scripting (XSS) vulnerabilities in various JIRA parameters. Each one potentially allows an attacker to embed their own JavaScript into a JIRA page.

Atlassian recommends that you upgrade to JIRA 3.13.3 to fix the vulnerabilities described below. You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Risk Mitigation
If you judge it necessary, you can disable public access (i.e. anonymous access and public signup) to your JIRA system until you have applied the necessary patch or upgrade. For even tighter control, you could restrict JIRA access to trusted groups only.

Vulnerability
An attacker can inject their own JavaScript into various JIRA parameters, described in the table below. If rogue JavaScript is injected into a parameter of a URL, it is executed in the browser of any user who invokes that URL.

Fix
The fix is to HTML-encode the vulnerable parameters when they are rendered, so that the browser treats them as text rather than markup. The encoding must match the context the value is rendered into: a value placed inside an attribute needs its quotes encoded as well as its angle brackets. These issues are fixed in JIRA 3.13.3 only. There are no patches available for previous versions of JIRA for this fix.
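The HTML-encoding fix described above is the same approach taken for the JIRA Charting plugin below, and the DWR upgrade closes a flaw of the same kind. The following Python is an added example, not JIRA code: it models a page that reflects one request parameter into both a text node and an attribute value, shows the pre-fix behaviour beside the fix, and shows why an encoder that handles only angle brackets is not enough in the attribute context. The parameter name, the markup and both payloads are constructed for this example; the probe that scans the rendered page stands in for what a browser would execute.

```python
"""Added example: reflected XSS closed by context-correct HTML encoding.

Not JIRA code.  Three renderers of the same constructed template (vulnerable,
angle-brackets-only encoding, full encoding) and a small probe that reports
script elements and inline event handlers in the rendered page.
"""
import html
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed payloads: one that needs angle brackets to work, one that needs
# only a double quote to escape from an attribute value.
TAG_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'


def render_vulnerable(query: str) -> str:
    """Reflects the parameter verbatim (the pre-fix behaviour)."""
    return (f"<h1>Results for {query}</h1>\n"
            f'<input name="q" value="{query}">')


def render_partially_encoded(query: str) -> str:
    """Encodes <, > and & only.  Enough for the text node, not for the
    attribute: a bare double quote still closes the attribute value."""
    safe = html.escape(query, quote=False)
    return (f"<h1>Results for {safe}</h1>\n"
            f'<input name="q" value="{safe}">')


def render_hardened(query: str) -> str:
    """Encodes quotes as well, so the value can leave neither context."""
    safe = html.escape(query, quote=True)
    return (f"<h1>Results for {safe}</h1>\n"
            f'<input name="q" value="{safe}">')


class _Probe(HTMLParser):
    """Collects what a browser would execute: script elements and on* handlers."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.handlers: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.handlers += [(tag, n) for n, _ in attrs if n.startswith("on")]


def injected_script(page: str) -> bool:
    """True if the rendered page contains a script element or an inline
    event handler; the template itself emits neither."""
    probe = _Probe()
    probe.feed(page)
    probe.close()
    return probe.script_tags > 0 or bool(probe.handlers)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("angle brackets only", render_partially_encoded),
                         ("hardened", render_hardened)):
        for payload in (TAG_PAYLOAD, ATTR_PAYLOAD):
            print(f"{name:20} {payload!r:40} exploited={injected_script(render(payload))}")
```

The second payload contains no angle brackets at all, so an encoder that only handles `<`, `>` and `&` leaves it untouched and the reflected value still adds an event handler to the input element. That is the practical meaning of "HTML-encode the vulnerable parameters": encode for the context the value lands in, and treat a missing quote encoding in attribute context as an incomplete fix.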
Security Vulnerabilities — JIRA Plugins

JIRA Charting Plugin XSS Security Hole

Severity
Atlassian rates this vulnerability as HIGH, according to the scale published in the JIRA Security documentation. This scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed two security flaws in the JIRA Charting plugin which may affect JIRA instances in a public environment that use this plugin. These flaws are cross-site scripting (XSS) vulnerabilities in view actions of the JIRA Charting plugin. An attacker can craft a URL to those actions whose parameters are reflected into the page unencoded, so JavaScript of the attacker's choosing runs in the browser of whoever opens it. An attacker could present such a URL to users (for example disguised in an email). If a user clicks the URL, the injected JavaScript is executed in that user's session.

Atlassian recommends that you upgrade your JIRA Charting plugin to version 1.4.1 to fix the vulnerabilities described below.

Risk Mitigation
We recommend that you upgrade your JIRA Charting plugin as soon as possible. If you judge it necessary, you can disable public access (i.e. anonymous access and public signup) to your JIRA system. For even tighter control, you could restrict JIRA access to trusted groups only.

Vulnerability
JIRA instances that use the JIRA Charting plugin (any version prior to 1.4.1) are vulnerable to this security flaw.

Fix
The fix is to HTML-encode the appropriate values in the JIRA Charting plugin actions. Please see JCHART-256 and JCHART-257 for further details. This issue is fixed in the JIRA Charting plugin 1.4.1 and later. Please see the plugin page to check compatibility with your JIRA version.

Please let us know what you think of the format of this security advisory and the information we have provided.
Document generated by Confluence on Oct 06, 2009 00:31