Atlassian has warned Jira Data Center users of a critical vulnerability, offering attackers the opportunity for arbitrary remote code execution – and they're easily exploited over the network.
"This advisory discloses a critical severity security vulnerability introduced in version 6.3.0 of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center (known as Jira Service Desk prior to 4.14)," Atlassian said in a security bulletin published late last night.
"Atlassian rates the severity level of this vulnerability as critical," it continued, the highest on its four-point severity scale following the vulnerability being given a CVSS score of 9.8 – just below the 10-point maximum.
"Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011, could execute arbitrary code of their choice in Jira through deserialisation due to a missing authentication vulnerability," the company continued.
"While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service."
First released in 2003 by Greg Luck, the palindromic Ehcache is an open-source Java distributed cache designed to boost performance – but a lack of authentication in Atlassian's implementation left it wide open to exploitation.
- There is no escape: Atlassian to send Jira into places only Excel dares to tread
- You like Jira that much? Atlassian goes full Service Management with platform, promises Service Desk is fine
- More evidence your work/life balance has gone to $%£*: Atlassian says user-interface interactions show hours tacked on to workday
- Atlassian pulls the plug on server licences, drags customers to the cloud
The flaw is severe, and to Atlassian's chagrin is likely to hurt the biggest of its customers: those running the Data Center family of products. "Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected," Atlassian confirmed.
"Jira Cloud customers are not affected. Jira Service Management Cloud customers are not affected."
Atlassian is recommending that all Jira Data Center users apply "the use of firewalls or similar technologies" to lock down access to ports 40001 and 40011 with immediate effect, regardless of whether its fix for the flaw is installed – though warns that "Data Center cluster nodes still need to be able to connect to other cluster nodes' Ehcache ports."
"Restricting access to ports isn't always as simple as it sounds," ESET UK security expert Jake Moore told The Register. "Most people in the industry will know that ports should be restricted or blocked that are not in use or essential to the day-to-day running of a network.
"But in reality some will get missed and cause a potential vulnerability. Updating to the latest patch is, needless to say, vital for any affected users. but it comes also as a reminder to check all open ports to prevent further risks."
Those running Jira Data Center are advised to upgrade to version 8.17.0 or higher, while Jira Service Management Data Center users should be looking to upgrade to 4.17.0 or higher to fix the vulnerability.
"If you cannot upgrade to 8.17.0, then upgrade to 8.5.16 or 8.13.8," the company told Jira Centre users, while adding for Jira Service Management Data Center users: "If you cannot upgrade to 4.17.0, then upgrade to 4.5.16 or 4.13.8."
The vulnerability was reported to Atlassian by security researcher Harrison Neal, who had previously disclosed vulnerabilities to companies including HPE and IBM through Trend Micro's Zero Day Initiative.
Atlassian did not respond to a request for additional comment in time for publication. ®