=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN504
_____________________________________________________________________

DATE                      : 07/12/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running JIRA versions prior to 4.2.1.

======================================================================
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-12-06
______________________________________________________________________

In this advisory:

    * XSS Vulnerabilities in URL Query Strings
    * XSRF Vulnerabilities
    * Vulnerability in Secure Tokens
    * Vulnerability in Component Data

XSS Vulnerabilities in URL Query Strings

Severity

Atlassian rates these vulnerabilities as high, according to the scale
published in Severity Levels for Security Issues. The scale allows us
to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of cross-site scripting (XSS)
vulnerabilities which may affect JIRA instances. These vulnerabilities
have security implications and are especially important for anyone
running publicly accessible instances of JIRA. XSS vulnerabilities
allow an attacker to embed their own JavaScript into a JIRA page.
You can read more about XSS attacks at cgisecurity, the Web
Application Security Consortium and other places on the web.

Vulnerability

Some values taken from JIRA URL query strings were inserted directly
into JavaScript without escaping, so an attacker who gets a user to
follow a crafted link can have script of their choosing run in that
user's response.

All versions of JIRA prior to 4.2.1 are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix
these vulnerabilities. Please see the 'Fix' section below.

Fix

These issues have been fixed in JIRA 4.2.1 and later, and are
available as a patch for JIRA 3.13.5, 4.0.2 and 4.1.2 (please see
JRA-22493).



XSRF Vulnerabilities

Severity

Atlassian rates these vulnerabilities as high, according to the
scale published in Severity Levels for Security Issues. The
scale allows us to rank a vulnerability as critical, high,
moderate or low.

Risk Assessment

We have identified and fixed several cross-site request forgery
(XSRF/CSRF) vulnerabilities in JIRA. These vulnerabilities have
security implications and are especially important for anyone
running publicly accessible instances of JIRA.

    * An attacker might take advantage of the vulnerability to
fraudulently act on behalf of a legitimate user.

You can read more about XSRF/CSRF attacks at cgisecurity, wikipedia
and other places on the web.

Vulnerability

Some JIRA administration screens did not have XSRF protection. A
targeted attack on a vulnerable system could result in an attacker
gaining access to user credentials, potentially giving them access
to the JIRA data and system.

All versions of JIRA prior to 4.2.1 are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these
vulnerabilities. Please see the 'Fix' section below.

Fix

JIRA's XSRF protection has been extended to cover previously unprotected
areas. The known XSRF issues have been fixed in JIRA 4.2.1 and later,
and are available as a patch for JIRA 3.13.5, 4.0.2 and 4.1.2 (please
see JRA-22493).



Vulnerability in Secure Tokens

Severity

Atlassian rates this vulnerability as moderate, according to the scale
published in Severity Levels for Security Issues. The scale allows us to
rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a vulnerability relating to the creation of
secure tokens, which are used in various authentication mechanisms. This
vulnerability has security implications and is especially important for
anyone running publicly accessible instances of JIRA.

    * Unauthorised users may be able to gain access to JIRA on behalf of
a legitimate user.

Vulnerability

A highly skilled attacker could potentially forge a secure token, allowing
them to impersonate a legitimate user.

All versions of JIRA prior to 4.2 are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix this vulnerability.
Please see the 'Fix' section below.

Fix

This issue has been fixed in JIRA 4.2 and later. The random number-generator
that is used to generate tokens has been hardened.



Vulnerability in Component Data

Severity

Atlassian rates this vulnerability as low, according to the scale published
in Severity Levels for Security Issues. The scale allows us to rank a
vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a data vulnerability in JIRA. This vulnerability
has security implications and is especially important for anyone running
publicly accessible instances of JIRA.

    * Unauthorised users may be able to view a list of components defined
in your JIRA system.

Vulnerability

Component data could be viewed by unauthorised users.

All versions of JIRA prior to 4.2 are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix this vulnerability.
Please see the 'Fix' section below.

Fix

This issue has been fixed in JIRA 4.2 and later.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================



