Jira Data Center user? Here's a critical Ehcache vulnerability to spoil your day

Update now – and maybe firewall the thing off while you're at it

Atlassian has warned Jira Data Center users of a critical vulnerability, offering attackers the opportunity for arbitrary remote code execution – and it is easily exploited over the network.

"This advisory discloses a critical severity security vulnerability introduced in version 6.3.0 of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center (known as Jira Service Desk prior to 4.14)," Atlassian said in a security bulletin published late last night.

"Atlassian rates the severity level of this vulnerability as critical," it continued. Critical is the highest of the four levels on Atlassian's severity scale; the vulnerability was given a CVSS score of 9.8, just below the 10-point maximum.

"Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed an Ehcache RMI network service through which attackers who can connect to the service, on port 40001 and potentially 40011, could execute arbitrary code of their choice in Jira through deserialisation due to a missing authentication vulnerability," the company continued.

"While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service."

First released in 2003 by Greg Luck, the palindromic Ehcache is an open-source Java distributed cache designed to boost performance – but a lack of authentication in Atlassian's implementation left it wide open to exploitation.

The flaw is severe, and to Atlassian's chagrin is likely to hurt the biggest of its customers: those running the Data Center family of products. "Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected," Atlassian confirmed.

"Jira Cloud customers are not affected. Jira Service Management Cloud customers are not affected."

Atlassian is recommending that all Jira Data Center users apply "the use of firewalls or similar technologies" to lock down access to ports 40001 and 40011 with immediate effect, regardless of whether its fix for the flaw is installed – though it warns that "Data Center cluster nodes still need to be able to connect to other cluster nodes' Ehcache ports."
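As an added illustration of that recommendation (this is not code from The Register or from Atlassian's advisory), the shell function below emits an iptables-restore fragment that lets only a list of cluster nodes reach TCP ports 40001 and 40011 and logs, then drops, everything else. The chain name JIRA_EHCACHE and the node addresses in the usage line are assumptions for the example; substitute your own cluster node IPs, and remember that every node needs the rule set with its peers listed.

```shell
#!/bin/sh
# Added example, not from the article or Atlassian: generate iptables rules
# that restrict the Ehcache RMI ports named in the advisory (40001, 40011)
# to the Jira Data Center cluster nodes passed as arguments.
EHCACHE_PORTS="40001,40011"

# gen_ehcache_rules NODE_IP [NODE_IP ...]
# Prints a filter-table fragment suitable for `iptables-restore -n`
# (-n keeps existing rules instead of flushing them).
gen_ehcache_rules() {
    [ "$#" -gt 0 ] || { echo "usage: gen_ehcache_rules NODE_IP..." >&2; return 1; }
    echo "*filter"
    # Assumed chain name for the example.
    echo ":JIRA_EHCACHE - [0:0]"
    # Route new inbound connections to the Ehcache ports through our chain.
    echo "-A INPUT -p tcp -m multiport --dports $EHCACHE_PORTS -m conntrack --ctstate NEW -j JIRA_EHCACHE"
    for node in "$@"; do
        # Each cluster node may still reach this node's Ehcache service.
        echo "-A JIRA_EHCACHE -s $node -j ACCEPT"
    done
    # Anything else is logged (rate-limited) and dropped; the log prefix is
    # a handy detection signal for unexpected connection attempts.
    echo "-A JIRA_EHCACHE -m limit --limit 5/min -j LOG --log-prefix \"ehcache-denied: \""
    echo "-A JIRA_EHCACHE -j DROP"
    echo "COMMIT"
}

# count_accept_rules NODE_IP... : number of ACCEPT lines produced,
# a quick sanity check that every listed node was allowed.
count_accept_rules() {
    gen_ehcache_rules "$@" | grep -c -- '-j ACCEPT'
}

# Usage with constructed cluster node addresses (placeholders):
# gen_ehcache_rules 10.0.0.11 10.0.0.12 | sudo iptables-restore -n
```

The fixed Jira versions add a shared secret on top of this, so the firewall rules are a complement to the upgrade rather than a substitute for it.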

"Restricting access to ports isn't always as simple as it sounds," ESET UK security expert Jake Moore told The Register. "Most people in the industry will know that ports should be restricted or blocked that are not in use or essential to the day-to-day running of a network.

"But in reality some will get missed and cause a potential vulnerability. Updating to the latest patch is, needless to say, vital for any affected users, but it also comes as a reminder to check all open ports to prevent further risks."

Those running Jira Data Center are advised to upgrade to version 8.17.0 or higher, while Jira Service Management Data Center users should be looking to upgrade to 4.17.0 or higher to fix the vulnerability.

"If you cannot upgrade to 8.17.0, then upgrade to 8.5.16 or 8.13.8," the company told Jira Data Center users, while adding for Jira Service Management Data Center users: "If you cannot upgrade to 4.17.0, then upgrade to 4.5.16 or 4.13.8."

The vulnerability was reported to Atlassian by security researcher Harrison Neal, who had previously disclosed vulnerabilities to companies including HPE and IBM through Trend Micro's Zero Day Initiative.

Atlassian did not respond to a request for additional comment in time for publication. ®
