JIRA Security Advisory

Deleted user Jul 12, 2019

https://community.atlassian.com/t5/Jira-articles/CVE-2019-11581-Critical-Security-Advisory-for-Jira-Server-and/ba-p/1128241

Jul 10, 2019

Atlassian published security advisory CVE-2019-11581 today, 10 July 2019.  The advisory concerns multiple versions of Jira Server and Jira Data Center; Jira Cloud is not affected.  The goal of this article is to raise awareness of this critical vulnerability and to give you a place in Community to ask further questions about it if needed.

Atlassian's official recommendation is that all affected Jira instances upgrade to a fixed version as soon as possible. 

If you do nothing else, turn off the Contact Administrators Form in Jira immediately.  Jira ships with this feature OFF by default, but if you are a Jira administrator you can confirm that it is disabled by going to

  1. Choose  > System
  2. Select General Configuration to open the Administration page. 
  3. Click the Edit Settings button
  4. Scroll down to the Contact Administrators Form and select OFF
  5. Scroll to the bottom of the page and click the Update button for this setting to take effect.

More details on this option are in Configuring Jira application options (Atlassian Documentation).

If this option is enabled, and Jira is set up to use an SMTP mail server, it is possible that one avenue of this vulnerability could be exploited by an unauthenticated user in Jira.  Additional mitigation steps are given below, but those concern the other avenue, which requires an authenticated user with Jira administrator permissions to exploit.

Affected versions:

  • 4.4.x
  • 5.x.x
  • 6.x.x
  • 7.0.x
  • 7.1.x
  • 7.2.x
  • 7.3.x
  • 7.4.x
  • 7.5.x
  • 7.6.x before 7.6.14 (the fixed version for 7.6.x)
  • 7.7.x
  • 7.8.x
  • 7.9.x
  • 7.10.x
  • 7.11.x
  • 7.12.x
  • 7.13.x before 7.13.5 (the fixed version for 7.13.x)
  • 8.0.x before 8.0.3 (the fixed version for 8.0.x)
  • 8.1.x before 8.1.2 (the fixed version for 8.1.x)
  • 8.2.x before 8.2.3 (the fixed version for 8.2.x)

Fixed Jira Server & Jira Data Center Versions:

  • 7.6.14
  • 7.13.5
  • 8.0.3
  • 8.1.2
  • 8.2.3

Mitigation

If you are unable to upgrade Jira immediately, then as a temporary workaround, you can:

  1. Disable the Contact Administrators Form; and
  2. Block the /secure/admin/SendBulkMail!default.jspa endpoint from being accessed. This can be achieved by denying access in the reverse-proxy, load balancer, or Tomcat directly (see the KB: How to block access to a specific URL at Tomcat).

After upgrading Jira to a fixed version, you can re-enable the Contact Administrators Form and unblock the SendBulkMail endpoint.
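As an added example (not Atlassian's code and not part of the original post), the script below shows the two checks an administrator would want around mitigation step 2: a function that applies the same deny rule the reverse proxy, load balancer or Tomcat should enforce (decoded path, query string stripped, case-insensitive prefix match on the SendBulkMail action name, so that the block is not narrower than the check), and a scan of access-log lines that reports every request to that endpoint and whether Jira actually served it. It assumes logs in Common or Combined Log Format (the nginx/Apache default and Tomcat's AccessLogValve "common"/"combined" patterns); the log lines are constructed sample data using RFC 5737 documentation addresses, and the Dashboard and /browse paths are only there as ordinary traffic for contrast.

```python
"""Scan access logs for requests to the SendBulkMail endpoint named in the
CVE-2019-11581 mitigation, and report whether each one was served or denied.

Added example, not Atlassian's code. Assumes Common or Combined Log Format.
"""
import re
from urllib.parse import unquote

# Endpoint from the advisory's mitigation step. Matching on the action-name
# prefix covers the "!default.jspa" view URL and the ".jspa" submit URL alike.
BLOCKED_PREFIX = "/secure/admin/SendBulkMail".lower()

# Constructed sample log lines (RFC 5737 addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - admin [12/Jul/2019:10:01:02 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120
203.0.113.7 - admin [12/Jul/2019:10:01:09 +0000] "GET /secure/admin/SendBulkMail!default.jspa HTTP/1.1" 200 7310
198.51.100.4 - - [12/Jul/2019:10:02:15 +0000] "POST /secure/admin/SendBulkMail.jspa HTTP/1.1" 302 0
198.51.100.4 - - [12/Jul/2019:10:02:40 +0000] "GET /secure/admin/sendbulkmail%21default.jspa?x=1 HTTP/1.1" 403 0
192.0.2.9 - - [12/Jul/2019:10:03:00 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 2048
"""

# Common Log Format prefix; trailing referer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_blocked_path(target):
    """True if the request target falls under the deny rule.

    The comparison uses the percent-decoded path with the query string
    removed, compared case-insensitively. Write the proxy/Tomcat rule the
    same way so the block is at least as wide as this check.
    """
    path = unquote(target.split("?", 1)[0]).lower()
    return path.startswith(BLOCKED_PREFIX)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_bulkmail_requests(log_text):
    """Return every request to the SendBulkMail endpoint, in log order.

    'served' is True when the status shows Jira handled the request rather
    than the block in front of it (a 4xx from the proxy) stopping it.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_blocked_path(rec["target"]):
            rec["served"] = rec["status"] < 400
            hits.append(rec)
    return hits


def main():
    hits = find_bulkmail_requests(SAMPLE_LOG)
    for h in hits:
        verdict = "SERVED" if h["served"] else "denied"
        print(f'{h["time"]} {h["ip"]:<14} {h["user"]:<8} {h["method"]:<5} '
              f'{h["status"]} {verdict}  {h["target"]}')
    served = sum(1 for h in hits if h["served"])
    print(f"{served} of {len(hits)} SendBulkMail requests reached Jira")


if __name__ == "__main__":
    main()
```

Run it against the real access log (replace SAMPLE_LOG with the file contents) after putting the block in place: any SendBulkMail request that still shows a 2xx or 3xx status means the rule in the proxy or Tomcat is not matching the path the way Jira resolves it, and the earlier hits tell you which accounts used the endpoint before the block.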

Additional information
