A critical vulnerability in Atlassian’s Jira Service Management Server and Data Center (CVE-2023-22501) could allow an unauthenticated attacker to impersonate existing users and gain remote access to the instance. Atlassian has assigned it a CVSS score of 9.4, in the critical range.
According to Atlassian, the issue affects Jira Service Management Server and Data Center versions 5.3.0 through 5.5.0. “Under certain circumstances…” an attacker may be able to gain access to a Jira Service Management instance, the company said.
More specifically, “With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into.”
Atlassian vulnerability use-cases
Bot accounts are particularly exposed to this flaw: they interact with many users, so they are more likely to be included on Jira issues or requests with other users, or to be sent emails containing a “View Request” link. Either condition is enough for an attacker to obtain the signup token of an account that has never been logged into.
Atlassian vulnerability updates
Atlassian has released updates addressing the issue. Administrators should upgrade to version 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later.
If an update cannot be installed immediately, Atlassian has provided a workaround in the form of a JAR file that manually updates the “servicedesk-variable-substitution-plugin”, using these steps:
1. Download the version-specific JAR from the advisory
2. Stop Jira
3. Copy the JAR file into the plugins directory: “<Jira_Home>/plugins/installed-plugins” for Server, or “<Jira_Shared>/plugins/installed-plugins” for Data Center
4. Start Jira again
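The four steps above, scripted with the checks an administrator would want before dropping a JAR into a production plugins directory. This is an added example, not code from the article or from Atlassian: the expected SHA-256 is a value you record yourself from the advisory download (assumed), stopping and starting Jira is left to your service manager and only confirmed via a flag, and the JAR filename, version numbers and dummy file contents in the demo are constructed.

```python
"""Stage the CVE-2023-22501 workaround JAR into the correct Jira plugins directory.

Added example (not from the article or Atlassian). Assumptions, labelled:
  - expected_sha256 is a digest you recorded from the advisory download yourself;
  - Jira is stopped/started by your service manager; we only require a flag;
  - the demo's JAR name, version numbers and bytes are constructed placeholders.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Plugin key prefix named in the advisory's workaround.
PLUGIN_PREFIX = "servicedesk-variable-substitution-plugin"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large JARs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def target_plugins_dir(deployment: str, jira_home, jira_shared) -> Path:
    """Server keeps installed-plugins under <Jira_Home>; Data Center under <Jira_Shared>."""
    if deployment == "server":
        base = jira_home
    elif deployment == "datacenter":
        base = jira_shared
    else:
        raise ValueError("deployment must be 'server' or 'datacenter'")
    if base is None:
        raise ValueError(f"no base directory supplied for {deployment}")
    return Path(base) / "plugins" / "installed-plugins"


def stage_workaround_jar(jar_path, deployment, jira_home, jira_shared,
                         expected_sha256, jira_stopped=False) -> dict:
    """Verify and copy the JAR; refuse to touch the filesystem while Jira runs."""
    if not jira_stopped:
        raise RuntimeError("stop Jira before copying the JAR (step 2)")
    jar = Path(jar_path)
    if not (jar.name.startswith(PLUGIN_PREFIX) and jar.suffix == ".jar"):
        raise ValueError(f"{jar.name} is not a {PLUGIN_PREFIX} JAR")
    actual = sha256_of(jar)
    if actual != expected_sha256.lower():
        raise ValueError(f"checksum mismatch: got {actual}, expected {expected_sha256}")
    dest_dir = target_plugins_dir(deployment, jira_home, jira_shared)
    dest_dir.mkdir(parents=True, exist_ok=True)
    # Report any other copy of the same plugin already present so the admin can
    # decide what to do with it; we deliberately do not delete anything.
    preexisting = sorted(p.name for p in dest_dir.glob(f"{PLUGIN_PREFIX}*.jar")
                         if p.name != jar.name)
    dest = dest_dir / jar.name
    shutil.copy2(jar, dest)  # copy2 keeps the downloaded file's timestamps
    return {"installed": str(dest), "preexisting_copies": preexisting}


def demo() -> dict:
    """Dry run in a temporary directory with a constructed dummy JAR (not a real plugin)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        jar = tmp / f"{PLUGIN_PREFIX}-5.4.2.jar"  # constructed filename
        jar.write_bytes(b"PK\x03\x04 constructed dummy jar, not a real plugin")
        home = tmp / "jira-home"
        plugins = home / "plugins" / "installed-plugins"
        plugins.mkdir(parents=True)
        # An older copy already sitting there, to show the pre-existing-copy report.
        (plugins / f"{PLUGIN_PREFIX}-5.4.1.jar").write_bytes(b"old constructed copy")
        result = stage_workaround_jar(jar, "server", home, None,
                                      sha256_of(jar), jira_stopped=True)
        result["installed_exists"] = (plugins / jar.name).exists()
        return result


if __name__ == "__main__":
    print(demo())
```

The script refuses to run while Jira is up and refuses a JAR whose digest does not match the one you recorded, so a swapped or truncated download cannot end up in `installed-plugins`. It lists, but never removes, other copies of the plugin it finds there.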
Atlassian has also published an FAQ page. It explains that the upgrade is recommended even if an instance is not exposed to the public internet, and even if it does not have an external user directory with single sign-on (SSO) enabled.
Note that password changes made by an attacker through this flaw do not generate an email notification to the account owner, which makes a compromise harder to detect.
However, after applying the security update or the JAR workaround, admins can check which accounts have logged in and updated their passwords since the vulnerable version was installed; such activity on accounts that should have had none may reveal unauthorized access.
Atlassian cloud domain
Atlassian stated that Jira sites hosted in the cloud on an Atlassian[.]net domain are not affected by the flaw. No action is required for those sites.
Atlassian recommends that administrators force a password reset on all potentially affected accounts and verify that their email addresses are correct.
If a breach appears to have occurred, Atlassian recommends immediately shutting down the compromised server and disconnecting it from the network to limit the extent of the attack.
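The two checks the text recommends (which accounts logged in or changed their password during the exposure window, and whether account email addresses still look right) can be run against Jira's internal user tables. The following is an added example, not code from the article or from Atlassian. It assumes the embedded-Crowd schema Jira uses (`cwd_user` with `created_date`/`updated_date`, and `cwd_user_attributes` holding `login.lastLoginMillis` and `login.count`), takes the exposure window to start when the vulnerable 5.x build was installed, and runs over an in-memory SQLite stand-in populated with constructed rows rather than a real Jira database.

```python
"""Triage Jira accounts after patching CVE-2023-22501.

Added example (not from the article or Atlassian). Assumptions, labelled:
  - table/column names follow Jira's embedded-Crowd schema (cwd_user,
    cwd_user_attributes, login.lastLoginMillis, login.count);
  - WINDOW_START is when the vulnerable build went in;
  - all rows below are constructed sample data, not real accounts.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed: install time of the vulnerable version (start of exposure window).
WINDOW_START = datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc)
# Constructed: email domains real users are expected to have.
EXPECTED_DOMAINS = {"example.com"}


def to_ms(dt: datetime) -> int:
    return int(dt.timestamp() * 1000)


def parse_iso(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the two Jira tables, filled with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE cwd_user (
            id INTEGER PRIMARY KEY, user_name TEXT, email_address TEXT,
            active INTEGER, created_date TEXT, updated_date TEXT);
        CREATE TABLE cwd_user_attributes (
            user_id INTEGER, attribute_name TEXT, attribute_value TEXT);
    """)
    users = [
        # id, user_name, email, active, created, updated (ISO-8601, UTC)
        (1, "alice", "alice@example.com", 1, "2022-06-01T08:00:00Z", "2022-06-01T08:00:00Z"),
        # Old bot account: first-ever login and a credential update inside the window.
        (2, "svc-bot", "svc-bot@example.com", 1, "2022-03-15T10:00:00Z", "2023-01-20T03:12:00Z"),
        # Email moved to an unexpected domain inside the window.
        (3, "carol", "carol@mail-example.net", 1, "2022-09-01T08:00:00Z", "2023-01-22T11:00:00Z"),
        (4, "dave", "dave@example.com", 1, "2022-09-01T08:00:00Z", "2022-12-01T08:00:00Z"),
    ]
    con.executemany("INSERT INTO cwd_user VALUES (?,?,?,?,?,?)", users)
    utc = timezone.utc
    attrs = [
        (1, "login.lastLoginMillis", str(to_ms(datetime(2023, 1, 25, tzinfo=utc)))),
        (1, "login.count", "240"),
        (2, "login.lastLoginMillis", str(to_ms(datetime(2023, 1, 20, 3, 15, tzinfo=utc)))),
        (2, "login.count", "1"),
        (3, "login.lastLoginMillis", str(to_ms(datetime(2022, 12, 20, tzinfo=utc)))),
        (3, "login.count", "30"),
        (4, "login.lastLoginMillis", str(to_ms(datetime(2022, 12, 30, tzinfo=utc)))),
        (4, "login.count", "12"),
    ]
    con.executemany("INSERT INTO cwd_user_attributes VALUES (?,?,?)", attrs)
    return con


def triage(con, window_start=WINDOW_START, expected_domains=EXPECTED_DOMAINS) -> dict:
    """Return user names grouped by the signals worth a closer look."""
    rows = con.execute("""
        SELECT u.user_name, u.email_address, u.updated_date,
               MAX(CASE WHEN a.attribute_name = 'login.lastLoginMillis' THEN a.attribute_value END),
               MAX(CASE WHEN a.attribute_name = 'login.count' THEN a.attribute_value END)
        FROM cwd_user u
        LEFT JOIN cwd_user_attributes a ON a.user_id = u.id
        WHERE u.active = 1
        GROUP BY u.id
        ORDER BY u.id
    """).fetchall()
    start_ms = to_ms(window_start)
    findings = {"first_login_in_window": [], "record_updated_in_window": [],
                "unexpected_email_domain": []}
    for name, email, updated, last_login, count in rows:
        last_login_ms = int(last_login) if last_login else None
        login_count = int(count) if count else 0
        # A first-ever login inside the window matches the "never logged into"
        # precondition of the signup-token abuse.
        if last_login_ms is not None and last_login_ms >= start_ms and login_count <= 1:
            findings["first_login_in_window"].append(name)
        # updated_date moves when the record (credential included) changes.
        if parse_iso(updated) >= window_start:
            findings["record_updated_in_window"].append(name)
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in expected_domains:
            findings["unexpected_email_domain"].append(name)
    return findings


if __name__ == "__main__":
    for signal, names in triage(build_sample_db()).items():
        print(f"{signal}: {names}")
```

Each list is a starting point for the password reset and email verification Atlassian recommends, not proof of compromise: a long-dormant account legitimately logging in for the first time will also land in `first_login_in_window`, so review the entries against what the account owner expects.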
The disclosure arrives just shy of three months after the company revealed and fixed two critical security holes in Bitbucket Server and Data Center and in Crowd, which could have been exploited to gain code execution and to invoke privileged API endpoints.
Given how attractive flaws in Atlassian products are to threat actors, it is critical that users upgrade their installations to mitigate the threat. Get the full story from HackerNews.com.
If your organization needs to strengthen its security strategy, be sure to attend Check Point’s upcoming CPX 360 event. Register here.
Lastly, to receive cutting-edge cyber security news, best practices and resources in your inbox each week, please sign up for the CyberTalk.org newsletter.