Atlassian is urging its enterprise customers to patch a critical vulnerability affecting many versions of its Jira Data Center and Jira Service Management Data Center products.
The vulnerability, tracked as CVE-2020-36239, can give remote attackers arbitrary code execution, owing to a missing authentication check in Jira's use of Ehcache, an open-source component.
Critical Remote Code Execution due to Missing Authentication
Yesterday, Atlassian disclosed a critical vulnerability in its Jira Data Center products. The vulnerability, tracked as CVE-2020-36239, allows remote, unauthenticated attackers to execute arbitrary code in some Jira Data Center products.
In an email broadcast seen by our experts this week, Atlassian is asking its enterprise customers to upgrade their instances as soon as possible to fix this bug:
The vulnerability stems from a missing authentication check, in other words unrestricted access to the Ehcache RMI ports. Ehcache is a widely used open-source cache that Java applications rely on to improve performance and scalability.
Remote Method Invocation (RMI) is a Java mechanism comparable to remote procedure calls (RPC) in other languages. RMI lets programmers invoke methods on remote objects, such as those living inside an application running elsewhere on a shared network, from their own application as if they were calling a local method or procedure.
All of this works without the programmer having to implement the underlying networking, which is what the RMI APIs handle. In this context, the Jira products listed below expose an Ehcache RMI network service on port 40001 and potentially 40011.
Remote attackers can connect to these ports without any authentication and execute arbitrary code of their choice in Jira through Java object deserialization.
The affected products include:
- Jira Data Center
- Jira Core Data Center
- Jira Software Data Center, and
- Jira Service Management Data Center
The vulnerability was found and responsibly reported by Harrison Neal.
Impacted Versions and Remediation Guidance
Specifically, Jira product versions impacted by this vulnerability are:
Fortunately, the vulnerability does not affect non-Data Center instances of Jira Server, nor Jira Cloud and Jira Service Management Cloud.
Jira Data Center users should upgrade to the following versions to eliminate this vulnerability, depending on the version branch they are on:
- Jira Data Center, Jira Core Data Center, and Jira Software Data Center users: upgrade to 8.5.16, 8.13.8, or 8.17.0.
- Jira Service Management Data Center users: upgrade to 4.5.16, 4.13.8, or 4.17.0.
For those unable to upgrade their instances, Atlassian has provided workarounds in its security advisory.
Atlassian recommends that customers upgrade to the latest version of the products and, in addition, restrict access to the Ehcache RMI ports.
Ehcache RMI ports 40001 and 40011 should be shielded with firewalls or similar controls so that only clustered instances of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center can reach them. Note that the firewall restriction on its own is a mitigation, not a fix: the deserialization path still exists on an unpatched node, so any host that can reach the port can still reach it.
"While Atlassian strongly advises restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to permit access to the Ehcache service," states Atlassian in a security advisory.
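The RMI exposure described above, and the firewall workaround Atlassian recommends, can both be checked from the network side with the Java RMI transport handshake: a client opens a TCP connection and sends the magic "JRMI", protocol version 2 and the StreamProtocol byte 0x4b; a listening RMI transport answers with ProtocolAck 0x4e followed by the client's own host and port as the server sees them. The script below is an added example, not code from the article or from Atlassian: it builds that handshake, parses the acknowledgement, and probes a host on the two Ehcache ports so an administrator can confirm, from a machine that is not a cluster node, that the ports are no longer reachable after firewalling. It only completes the transport handshake and sends no RMI call or serialized object. The bundled fake server is a constructed stand-in for a listening Ehcache RMI port, included so the script runs offline; the host name, the port tuple and the function names are this example's own assumptions.

```python
import socket
import struct
import sys
import threading

# Java RMI stream-protocol transport constants (sun.rmi.transport.TransportConstants):
# client sends magic "JRMI", version 2, StreamProtocol 0x4b; server answers
# ProtocolAck 0x4e (or ProtocolNack 0x4f), then writeUTF(client host) + writeInt(client port).
RMI_MAGIC = b"JRMI"
RMI_VERSION = 2
RMI_STREAM_PROTOCOL = 0x4B
RMI_PROTOCOL_ACK = 0x4E
RMI_PROTOCOL_NACK = 0x4F

# Ehcache RMI ports named in the Atlassian advisory for Jira Data Center.
EHCACHE_RMI_PORTS = (40001, 40011)


def build_rmi_handshake() -> bytes:
    """The 7 bytes a Java RMI client sends first on a fresh TCP connection."""
    return RMI_MAGIC + struct.pack(">HB", RMI_VERSION, RMI_STREAM_PROTOCOL)


def parse_rmi_protocol_ack(data: bytes):
    """Parse a ProtocolAck reply; return (host, port) the server echoed, or None if not an ack."""
    if len(data) < 1 + 2 + 4 or data[0] != RMI_PROTOCOL_ACK:
        return None
    (host_len,) = struct.unpack(">H", data[1:3])  # writeUTF length prefix
    end = 3 + host_len
    if len(data) < end + 4:
        return None
    host = data[3:end].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[end:end + 4])  # writeInt
    return host, port


def probe_rmi_endpoint(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect, send the handshake, and report whether an RMI transport answered.

    reachable=False after the firewall workaround is the expected result from a non-cluster host.
    """
    result = {"host": host, "port": port, "reachable": False, "rmi": False, "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            sock.sendall(build_rmi_handshake())
            reply = sock.recv(64)  # ack for an IPv4 client fits in one segment
    except OSError as exc:  # refused, timed out, unreachable: all mean "not exposed to us"
        result["detail"] = f"{type(exc).__name__}: {exc}"
        return result
    ack = parse_rmi_protocol_ack(reply)
    if ack is not None:
        result["rmi"] = True
        result["detail"] = f"ProtocolAck; server sees us as {ack[0]}:{ack[1]}"
    else:
        result["detail"] = f"non-RMI or empty reply {reply[:8]!r}"
    return result


def start_fake_rmi_server() -> int:
    """Constructed stand-in for an exposed Ehcache RMI listener (handshake only, one connection).

    Binds to an ephemeral loopback port and returns that port; serves in a daemon thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, peer = srv.accept()
        with conn, srv:
            hello = conn.recv(7)
            if hello == build_rmi_handshake():
                client_host = peer[0].encode("utf-8")
                conn.sendall(bytes([RMI_PROTOCOL_ACK]) + struct.pack(">H", len(client_host))
                             + client_host + struct.pack(">i", peer[1]))
            else:
                conn.sendall(bytes([RMI_PROTOCOL_NACK]))

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Usage: python ehcache_rmi_probe.py <jira-node-host>   (hypothetical file name)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in EHCACHE_RMI_PORTS:
        r = probe_rmi_endpoint(target, p)
        print(f"{r['host']}:{r['port']} reachable={r['reachable']} rmi={r['rmi']} {r['detail']}")
```

Run it from a workstation or jump host that is not a Data Center node, before and after applying the firewall rules: before, `rmi=True` on 40001 (and 40011 if that listener is present) confirms the exposure; after, every port should report `reachable=False` with a refused or timed-out connection. A `reachable=True` with `rmi=False` result means some other service answered on that port and is worth a second look.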