
Workaround for CVE-2019-15001

Hi,

In our production environment, we've made changes in web.xml trying to block PUT requests to the vulnerable endpoint, and we receive a 403 response code, but in the headers we can see Allow=POST,OPTIONS,PUT, and it was the same before the workaround.

Is it possible that the environment is not applying the changes in web.xml?

In a test environment, we made the workaround and then we get a response with the message "The requested method PUT is not allowed for the URL /jira/rest/jira-importers-plugin/1.0/demo/create.". But in this case, when we remove the blocking code in web.xml and restart, the endpoint is still blocked. Is it possible that, in this case, the environment is not applying the changes?

We're not sure how to be sure that the endpoint is blocked.

Server version: 7.5.3


Thanks for the help.
Regards.


Hi Eloi,

Thanks for reaching out. First, to act as a reference point, the Security Advisory workaround is posted here:

I recommend doing a quick double check on the syntax to verify it lines up with the KB, and verify that the file permissions were not altered in some way when editing: on Windows the service user should have full control; on Linux, verifying the permission settings can be seen here. Next, verify the Jira application was restarted.

Then to verify the settings did take effect as covered in the KB:

Try to send a PUT request to the endpoint <JIRA_BASE_URL>/rest/jira-importers-plugin/1.0/demo/create?key=NA&name=NA&lead=NA

Examples of how to format this using a curl command can be seen here:

If the setting was correctly applied, the PUT will fail.

Regards,
Earl
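As an added example (not code from the thread or from Atlassian's KB), a small Python checker for the two things Earl suggests verifying: that the edited web.xml really contains a deny-all security-constraint covering PUT on the endpoint, and what status the KB's test PUT gets back. It assumes the workaround is a servlet `<security-constraint>` with an empty `<auth-constraint/>` (the page does not reproduce the KB text; constraints that only list roles are not treated as blocking), and uses the path and query string quoted in the answer.

```python
"""Added example: check that a Jira web.xml carries a security-constraint denying
PUT on the CVE-2019-15001 endpoint, then send the KB's test PUT to confirm."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

VULN_PATH = "/rest/jira-importers-plugin/1.0/demo/create"  # endpoint named in the thread

def _local(tag):  # strip the XML namespace that web.xml elements carry
    return tag.rsplit("}", 1)[-1]

def _pattern_matches(pattern, path):  # servlet url-pattern rules: exact, '/prefix/*', '*.ext'
    if pattern in (path, "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern.startswith("*.") and path.endswith(pattern[1:])

def constraint_blocks_put(web_xml_text, path=VULN_PATH):
    """True when a deny-all <security-constraint> (empty <auth-constraint/>) covers `path`
    and either names PUT or lists no http-method at all (which means every method)."""
    root = ET.fromstring(web_xml_text)
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        deny_all = bool(auth) and not any(_local(r.tag) == "role-name" for r in auth[0])
        if not deny_all:
            continue
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
            methods = [e.text.strip().upper() for e in wrc if _local(e.tag) == "http-method"]
            if any(_pattern_matches(p, path) for p in patterns) and (not methods or "PUT" in methods):
                return True
    return False

def put_status(base_url, path=VULN_PATH):
    """Send the KB's test PUT and return the HTTP status code; in the thread a blocked
    endpoint answered 403 (production) or a 405-style 'method not allowed' (test)."""
    url = base_url.rstrip("/") + path + "?key=NA&name=NA&lead=NA"
    req = urllib.request.Request(url, data=b"", method="PUT")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

if __name__ == "__main__":  # usage: check_put.py /path/to/web.xml JIRA_BASE_URL
    print("web.xml denies PUT:", constraint_blocks_put(open(sys.argv[1], encoding="utf-8").read()))
    print("live PUT status:", put_status(sys.argv[2]))
```

A True from the file check plus a non-2xx status from the live PUT is the combination the KB's verification step is looking for; a 2xx from the live PUT means the running instance is not using the edited file.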

Hi Earl,

Thanks for your response. Yes, I tried to send the request specified, but I'm not sure what result I have to receive. I attach examples:

Test Environment: [screenshots 2019-10-07 08_37_07-Postman.png, 2019-10-07 08_38_09-Postman.png]

Production Environment: [screenshots 2019-10-07 08_41_17-Postman.png, 2019-10-07 08_42_07-Postman.png]

That's why I think that on Production the changes have had no effect. In both environments I modified the same file with the same lines and restarted the application.

Thanks for your attention.
Regards.
