Security Advisories for Jira Service Desk Server, November 2019

Atlassian has disclosed two critical severity security vulnerabilities (CVE-2019-15003 and CVE-2019-15004) in Jira Service Desk Server and Jira Service Desk Data Center on November 6, 2019. This article is designed to help you determine if you are affected and how to ask for help here on Community.

The TLDR (too long, didn't read)

We recommend upgrading your Jira Service Desk Server/Data Center instances to one of the following versions as soon as possible: 

• 3.9.17

• 3.16.11

• 4.2.6

• 4.3.5

• 4.4.3

• 4.5.1 (Latest Enterprise release)

All versions of Service Desk Server/Data Center before these versions are affected by these vulnerabilities.  Please read the full advisory which can be found at Jira Service Desk Security Advisory 2019-11-06.

Note that in order to upgrade Jira Service Desk to one of the versions above, you will need an active and valid license for Service Desk. 

If you are unable to upgrade your Jira Service Desk quickly for any reason, there are mitigation steps that can be taken to temporarily work-around this issue until such time when you can upgrade.  While the work-around steps are very similar in nature for these two, please note that there are slight difference between them for each CVE.

Mitigation steps for CVE-2019-15003

• Block requests to Jira containing jspa, jpsx, jsp at the reverse proxy or load balance level, or

• Alternatively, configure Jira to redirect requests containing jspa, jspx, jsp to a safe URL
  

  • Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

    <rule>
        <from>/servicedesk/.*\.jsp.*</from>
        <to type="temporary-redirect">/</to>
    </rule>

  • After saving the changes above, restart Jira

After upgrading Jira Service Desk this mitigation can be removed.

Mitigation steps for CVE-2019-15004

• Block requests to Jira containing .. at the reverse proxy or load balance level, or
• Alternatively, configure Jira to redirect requests containing .. to a safe URL

  • Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

        <rule>
            <from>^/.*\.\..*$</from>
            <to type="temporary-redirect">/</to>
        </rule>

  • After saving the changes above, restart Jira

After upgrading Jira Service Desk this mitigation can be removed.

Select, Priority, and Premier support customers can raise technical support requests in regards to this advisory by going to https://support.atlassian.com/contact

However Starter license users will only have support provided through Community per our Support offerings.

We invite anyone that might have questions in relation to this security advisory, regardless of your support level, to ask a new question with this link.  Which will help us to track questions about this specific advisory.