Which document must be blocked for the Workaround for CVE-2019-11581?

Deleted user July 11, 2019

Hi, 

the following page describes a workaround for CVE-2019-11581:

https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html

"Block the /secure/admin/SendBulkMail!default.jspa..."

But I can't find this file; under the path ".../secure/admin/..." I only find the file "default.jsp".

When I go deeper into the directory there is the file "sendbulkmail.jsp", but the path of this file is "\secure\admin\views\mail".

Which is the document which I have to block for this workaround?

Thank you in advance!

Stefan

1 answer

Answer accepted
Craig Castle-Mead
July 11, 2019

Hey @[deleted] 

If you're running a reverse proxy (Apache/nginx, etc.) you can look to block the /secure/admin/SendBulkMail!default.jspa URL at the proxy level.

CCM

Deleted user July 11, 2019

Hey @Craig Castle-Mead 

thank you for your answer. But I want to block the file on Tomcat directly. 

Like in the following link which is on the workaround page. 

https://confluence.atlassian.com/kb/how-to-block-access-to-a-specific-url-at-tomcat-966668691.html

Do you know which of these files is the right one to block?

Thank you for your help. 

Stefan 

Anurag Jalan July 12, 2019

Hi Stefan,

You will need to edit server.xml file ($application-install/conf/server.xml file) & add the above condition per the KB link you shared. You don't need to go & block any file at server level.

Hope it is clear.

Deleted user July 12, 2019

Hi @Anurag Jalan 

this is clear but I'm not sure which file / file path I have to write into "/path/to/file/to/block" in the server.xml.  

<Context path="/path/to/file/to/block" docBase="" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
</Context>

The described file "SendBulkMail!default.jspa" is not available under the path ".../secure/admin/...".

I only have the file "default.jsp" under the path ".../secure/admin/..." and the file "sendbulkmail.jsp" under the path "\secure\admin\views\mail".

Is one of these files the right one to write into the server.xml?

Thank you! 

Stefan 

Anurag Jalan July 12, 2019

You don't need to search for that file on the server. Look below as an example.

Suppose your

<Context path="/secure/admin/SendBulkMail!default.jspa" docBase="" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
</Context>

Based on result, you can set context path.

Deleted user July 12, 2019

@Anurag Jalan 

Thank you very much... now I understand what I have to do.

Stefan

Support RDI July 17, 2019

Hi team.

Quick question: I've applied the configuration below on my side:

<Context path="jira/secure/admin/SendBulkMail!default.jspa" docBase="" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
</Context>

However, I am still able to access the "jira/secure/admin/SendBulkMail!default.jspa" URL, as you can see in the screenshot below:

[screenshot: image.png]

Is this the expected behavior? If not, what message/error should I expect when applying the suggested mitigation?

Thank you

Anurag Jalan July 17, 2019

No. This is not the expected behavior. If the configuration is applied correctly, you will not be able to access this page. As mentioned in the document https://confluence.atlassian.com/kb/how-to-block-access-to-a-specific-url-at-tomcat-966668691.html, have you applied it inside the <Host> element?
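The placement this thread converges on, shown as an added example (not Atlassian's bundled server.xml and not any poster's configuration): a server.xml fragment for a Jira assumed to be served under the /jira context, with the blocking entry inside the same <Host> as Jira itself. Port, host name and the /jira prefix are assumed values; the valve class and its attributes are Tomcat's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example server.xml fragment for the CVE-2019-11581 workaround.
     Assumed values: port 8080, host "localhost", Jira context path "/jira". -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">

        <!-- Jira's own context (assumed to be deployed under /jira). -->
        <Context path="/jira" docBase="${catalina.home}/atlassian-jira"
                 reloadable="false" useHttpOnly="true"/>

        <!-- The blocking entry. "path" is a URL path that Tomcat matches, not a file
             on disk, which is why no SendBulkMail!default.jspa file exists anywhere.
             Tomcat routes each request to the longest matching context path, so this
             URL (and anything beneath it) lands in this empty, docBase-less context
             instead of Jira. It must sit inside the same <Host> as Jira and must carry
             Jira's context prefix (drop "/jira" if Jira runs at the root, path=""). -->
        <Context path="/jira/secure/admin/SendBulkMail!default.jspa" docBase="">
          <!-- deny="*" rejects every client address; RemoteAddrValve answers with
               HTTP 403 by default (its denyStatus attribute). allow/deny take Java
               regular expressions, so an admin-only network could instead be kept
               with e.g. allow="10\.0\.0\.\d+" (assumed address range). -->
          <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*"/>
        </Context>

      </Host>
    </Engine>
  </Service>
</Server>
```

After a Jira restart, a request to /jira/secure/admin/SendBulkMail!default.jspa should return HTTP 403 rather than the bulk-mail page; still seeing the page means the Context was not picked up, typically because it sits outside the <Host> that serves Jira.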
