===================================================================                                  CERT-Renater

                      Note d'Information No. 2022/VULN223

_____________________________________________________________________

DATE                : 30/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jira Core Server,
            Jira Software Server, and Jira Software Data Center
              versions prior to 8.13.22, 8.20.10, 8.22.4, 9.0.0.

====================================================================https://confluence.atlassian.com/jira/jira-server-security-advisory-29nd-june-2022-1142430667.html
_____________________________________________________________________

Jira Server Security Advisory 29nd June 2022


The Atlassian Community is here for you.

Ask the community

Summary
	
CVE-2022-26135 - Full-Read Server Side Request Forgery in Mobile Plugin 
for Jira Data Center and Server


Advisory Release Date
	
29 Jun 2022 10:00 AM PDT (Pacific Time, -7 hours)


Product
	

Jira:

     Jira Core Server
     Jira Software Server
     Jira Software Data Center

Jira Service Management (JSM):

     Jira Service Management Server
     Jira Service Management Data Center


Affected Versions
	
Jira Core Server, Jira Software Server, and Jira Software Data Center:

     Versions after 8.0 and before 8.13.22
     8.14.x
     8.15.x
     8.16.x
     8.17.x
     8.18.x
     8.19.x
     8.20.x before 8.20.10
     8.21.x
     8.22.x before 8.22.4

Jira Service Management Server and Data Center:

     Versions after 4.0 and before 4.13.22
     4.14.x
     4.15.x
     4.16.x
     4.17.x
     4.18.x
     4.19.x
     4.20.x before 4.20.10
     4.21.x
     4.22.x before 4.22.4

Jira Cloud and Jira Service Management Cloud are not affected.


Fixed Versions
	

Jira Core Server, Jira Software Server, and Jira Software Data Center:

     8.13.x >= 8.13.22
     8.20.x >= 8.20.10
     8.22.x >= 8.22.4
     9.0.0

Jira Service Management Server and Data Center:

     4.13.x >= 4.13.22
     4.20.x >= 4.20.10
     4.22.x >= 4.22.4
     5.0.0


CVE ID(s)
	
CVE-2022-26135


Summary of Vulnerability

This advisory discloses a high severity security vulnerability.

Jira Server and Data Center versions before 8.13.22, from version 8.14.0 
before 8.20.10, and from version 8.21.0 before 8.22.4 are
affected by this vulnerability.

Jira Service Management Server and Data Center versions before 4.13.22, 
from version 4.14.0 before 4.20.10, and from version 4.21.0 before 
4.22.4 are affected by this vulnerability.


Atlassian Cloud sites are not affected.

If your Jira site is accessed via an atlassian.net domain, you are not 
affected by the vulnerability.

Customers who have upgraded to version 8.13.22, 8.20.10, 8.22.4, or 
9.0.0 of Jira Server or Data Center are not affected.

Customers who have upgraded to version 4.13.22, 4.20.10, 4.22.4, or 
5.0.0 of Jira Service Management Server or Data Center are not affected.

Customers who have downloaded and installed any versions listed in 
affected versions must upgrade their installations to fix this 
vulnerability.

Please upgrade your installations immediately.
CVE-2022-26135 Full Read SSRF in Jira Server

Description

A full-read server-side request forgery exists in Mobile Plugin for 
Jira, which is bundled with Jira and Jira Service Management. It is 
exploitable by any authenticated user (including a user who joined via 
the sign-up feature). It specifically affects the batch HTTP endpoint 
used in Mobile Plugin for Jira. It is possible to control the HTTP 
method and location of the intended URL through the method parameter in 
the body of the vulnerable endpoint.

All versions of Jira and Jira Service Management prior to the fixed 
version listed above are affected by this vulnerability. These issues 
can be tracked here:

     JRASERVER-73863 - Full Read SSRF in Mobile Plugin CVE-2022-26135 
Published
     JSDSERVER-11840 - Full Read SSRF in Mobile Plugin CVE-2022-26135 
Published
This does not affect the other System app named Jira Mobile.


Severity

Atlassian rates the severity level of this vulnerability as high, 
according to the scale published in our Atlassian severity levels. The 
scale allows us to rank the severity as critical, high, medium, or low.

Depending on the environment the Jira instance is deployed in, the 
impact of this bug varies. For example, when deployed in AWS, it could 
leak sensitive credentials.

This is our assessment and you should evaluate its applicability to your 
own IT environment.


Acknowledgements

We would like to acknowledge Shubham Shah and Dylan Pindur of ssetnote 
for finding this vulnerability.


Fix

To address this issue, we have released:

     Jira Core Server, Jira Software Server, and Jira Software Data 
Center versions:

         8.13.22
         8.20.10
         8.22.4         9.0.0
     Jira Service Management Server and Data Center versions:
         4.13.22
         4.20.10
         4.22.4         5.0.0

You can download the latest versions from the download pages for Jira 
Core, Jira Software, or Jira Service Management.

Please note, these are the first versions that include the fix for 
CVE-2022-26135. More current bug fix releases are available for the 
releases listed above. Atlassian recommends upgrading to the most 
current bug fix version.


Mitigation

Installing a fixed version of Jira or Jira Service Management is the 
surest way to remediate CVE-2022-26135. If you are unable to immediately 
upgrade Jira or Jira Service Management, then as a temporary workaround, 
you can manually upgrade Mobile Plugin for Jira Data Center and Server 
(com.atlassian.jira.mobile.jira-mobile-rest) to the versions specified 
in this section (or disable the plugin).

The following versions of the Mobile Plugin for Jira app contain a fix 
for this issue:

     3.1.5 (only compatible with Jira 8.13.x and JSM 4.13.x)
     3.2.15 (only compatible with Jira 8.20.x - 8.22.x, only 
compatible with JSM 4.20.x - 4.22.x)

If you’re either on Jira 8.13.x or JSM 4.13.x and have previously 
upgraded beyond the default app version of 3.1.x, upgrading the app to 
the fixed 3.1.5 version will effectively roll back any bug-fixes and 
features introduced in later versions, including JSM support.
How to upgrade the app to the fixed 3.1.5 version (from 3.2.x)

     Download the fixed version (3.1.5) of the app (you’ll save this as 
a JAR file) from the Atlassian Marketplace

     During a maintenance window
         Shut down Jira (all nodes if you have Data Center 
installed)
         Remove plugin.<value>.jira-mobile-rest-3.2.x.jar from:
             Server: <Jira Home>/plugins/installed-plugins
             Data Center: <Shared Home>/plugins/installed-plugins
         Start Jira
         Navigate to Admin > Manage Apps
         Select Upload app
         Select the JAR file you downloaded in Step 1

How to upgrade the app

Scenario A: User-installed apps

If you find the “Mobile Plugin for Jira” app located in the 
User-installed apps section, you can just click Update to get the latest 
version.

Scenario B: System apps

If you find the “Mobile Plugin for Jira” app located in the System apps 
section, follow these instructions to manually update the app (no 
restart required!):

     Download a fixed version of the app (you’ll save this as      a JAR 
file) from the Atlassian Marketplace that is      compatible with your 
Jira version
     During a maintenance window:
         Navigate to Admin > Manage Apps
         Select Upload app
         Select the JAR file you downloaded in Step 1

After the install, the new version will be displayed as a user-installed 
app instead of a system app.

The previous JAR file can remain in the directory <Jira 
Install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins without 
further action.


Support

If you did not receive an email for this advisory and you wish to 
receive such emails in the future, go to https://my.atlassian.com/email 
and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please read 
our FAQ for CVE-2022-26135. If you have further questions, please raise 
a support request.


References

Security Bug fix Policy

	

As per our new policy, critical security bug fixes will be back ported 
in accordance with 
https://www.atlassian.com/trust/security/bug-fix-policy.  We will 
release new maintenance releases for the versions covered by the policy 
instead of binary patches.


Binary patches are no longer released.
Severity Levels for security issues

	
Atlassian security advisories include a severity level and a CVE 
identifier. This severity level is based on our self-calculated CVSS 
score for each specific vulnerability. CVSS is an industry-standard 
vulnerability metric. You can also learn more about CVSS at FIRST.org.

End-of-Life Policy
	

  Our end-of-life policy varies for different products. Review the 
policy for details.


Last modified on Jun 30, 2022

========================================================+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================