Workaround for CVE-2019-15001

Eloi Serret Ballart October 3, 2019

Hi,

In our production environment, we've made changes in web.xml trying to block PUT requests to the vulnerable endpoint, and we receive a 403 response code, but in the headers we can see Allow=POST,OPTIONS,PUT, and it was the same before the workaround.

Is it possible that the environment is not applying the changes in web.xml?

In a test environment, we applied the workaround and then we get a response with the message "The requested method PUT is not allowed for the URL /jira/rest/jira-importers-plugin/1.0/demo/create.". But in this case, when we remove the blocking code from web.xml and restart, the endpoint is still blocked. Is it possible that, in this case, the environment is not applying the changes?

We're not sure how to be sure that the endpoint is blocked.

Server version: 7.5.3


Thanks for the help.
Regards.

1 answer

0 votes
Earl McCutcheon
Atlassian Team
October 4, 2019

Hi Eloi,

Thanks for reaching out. First, to act as a reference point, the Security Advisory Workaround is posted here:

I recommend doing a quick double check on the syntax to verify it lines up with the KB, and verify that the file permissions were not altered in some way when editing: on Windows the service user should have full control, on Linux verifying the permission settings can be seen here. Next, verify the Jira application was restarted.

Then to verify the settings did take effect as covered in the KB:

try to send a PUT request to the endpoint <JIRA_BASE_URL>/rest/jira-importers-plugin/1.0/demo/create?key=NA&name=NA&lead=NA


Examples on how to format this using a curl command can be seen here:

If the setting was correctly applied, the PUT will fail.

Regards,
Earl
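The verification step from the answer above, as an added shell example that is not part of the KB or of Atlassian's own tooling: it sends the KB's PUT request and reads the verdict from the status code and from the response body, matching the container message quoted earlier in the thread. JIRA_AUTH, the verdict strings and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB). Probes the workaround endpoint with a PUT
# and interprets the result. Assumptions: JIRA_BASE_URL points at the Jira
# instance (including any context path such as /jira); JIRA_AUTH, if set,
# is user:password for an account allowed to reach the importer endpoint.

# Send the KB's PUT; write the body to file $2 and print only the HTTP status.
put_probe() {
  base="$1"; out="$2"
  set -- -s -o "$out" -w '%{http_code}' -X PUT
  [ -n "${JIRA_AUTH:-}" ] && set -- "$@" -u "$JIRA_AUTH"
  curl "$@" "$base/rest/jira-importers-plugin/1.0/demo/create?key=NA&name=NA&lead=NA"
}

# Turn status code $1 plus body file $2 into a verdict. A 2xx means the PUT
# was processed, so the web.xml constraint is not in effect. A 403/405 whose
# body carries the container's "method not allowed" page (the message seen in
# the test environment) shows the constraint working; any other refusal is
# inconclusive and the web.xml syntax should be compared against the KB.
classify_put_response() {
  case "$1" in
    2[0-9][0-9])
      echo "NOT blocked: PUT was processed, workaround not in effect" ;;
    403|405)
      if grep -q "The requested method PUT is not allowed" "$2" 2>/dev/null; then
        echo "blocked by the container: web.xml constraint in effect"
      else
        echo "refused with $1 but without the container page: re-check web.xml syntax"
      fi ;;
    401) echo "unauthenticated: set JIRA_AUTH so the request reaches the endpoint" ;;
    000) echo "no response: check JIRA_BASE_URL and network" ;;
    *)   echo "inconclusive ($1): inspect the body in $2" ;;
  esac
}

# Usage: JIRA_BASE_URL=https://jira.example.com/jira JIRA_AUTH=user:pw sh check_put.sh
if [ -n "${JIRA_BASE_URL:-}" ]; then
  body=$(mktemp)
  code=$(put_probe "$JIRA_BASE_URL" "$body")
  echo "PUT returned $code: $(classify_put_response "$code" "$body")"
  rm -f "$body"
fi
```

Run it against both the test and the production instance with the same account; only a verdict beginning with "blocked by the container" confirms the workaround.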

Eloi Serret Ballart October 7, 2019

Hi Earl,

thanks for your response. Yes, I tried to send the specified request, but I'm not sure what result I should receive. I attach examples:

Test Environment:

[Screenshot: 2019-10-07 08_37_07-Postman.png]

[Screenshot: 2019-10-07 08_38_09-Postman.png]

Production Environment:

[Screenshot: 2019-10-07 08_41_17-Postman.png]

[Screenshot: 2019-10-07 08_42_07-Postman.png]

That's why I think that on production the changes have had no effect. In both environments I modified the same file with the same lines and restarted the application.

Thanks for your attention.
Regards.
