Yesterday, the Atlassian Support released the Jira security advisory affecting Jira Server and Jira Data Center. This advisory reveals a critical severity security vulnerability, labeled as CVE-2019-11581, which was introduced in version 4.4.0 of Jira Server and Jira Data Center.
How can one exploit this vulnerability?
For this issue to be exploitable, the attacker needs to meet any one of the following conditions:
- An SMTP server configured in Jira and the Contact Administrators Form is enabled, which will allow the attackers to exploit this issue without authentication.
- An SMTP server configured in Jira and an attacker has “JIRA Administrators” access, where attackers can exploit the issue using JIRA Administrators’ credentials.
In any of the cases, exploitation of this issue helps an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
The official post reads, “All versions of Jira Server and Data Center from 4.4.0 before 7.6.14 (the fixed version for 7.6.x), from 7.7.0 before 7.13.5 (the fixed version for 7.13.x), from 8.0.0 before 8.0.3 (the fixed version for 8.0.x), from 8.1.0 before 8.1.2 (the fixed version for 8.1.x), and from 8.2.0 before 8.2.3 are affected by this vulnerability.”
To address this issue, the team has fixed this vulnerability in the 8.2.3, 8.1.2, 8.0.3, 7.13.5, 7.6.14 versions of Jira Server and Jira Data Center. Atlassian recommends that users upgrade to the latest version.
How can users quickly mitigate this issue?
For mitigating, users can first disable the Contact Administrators Form and then also block the /secure/admin/SendBulkMail!default.jspa endpoint from being accessed. This can be easily achieved by denying access in the reverse-proxy, load balancer, or Tomcat directly.
However, blocking the SendBulkMail endpoint will prevent Jira Administrators from being able to send bulk emails to users. Hence, after upgrading Jira, users can re-enable the Administrator Contact Form, and unblock the SendBulkMail endpoint.
To know more about this news, check out Jira security advisory.