=================================================================== CERT-Renater Note d'Information No. 2023/VULN051 _____________________________________________________________________ DATE : 03/02/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Jira Service Management Server and Data Center versions prior to 5.3.3, 5.4.2, 5.5.1, 5.6.0. ====================================================================https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-2023-02-01-1188786458.html _____________________________________________________________________ Jira Service Management Server and Data Center Advisory (CVE-2023-22501) The Atlassian Community is here for you. Ask the community Summary CVE-2023-22501 - Broken Authentication vulnerability in Jira Service Management Advisory Release Date 01 February 2023 10:00 AM PDT (Pacific Time, -7 hours) Product Jira Service Management Server Jira Service Management Data Center CVE ID(s) CVE-2023-22501 Summary of Vulnerability This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. The following versions are affected by this vulnerability: 5.3.0 5.3.1 5.3.2 5.4.0 5.4.1 5.5.0 An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases: If the attacker is included on Jira issues or requests with these users, or If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users. Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account. The issue can be tracked here: JSDSERVER-12312 - Critical severity authentication vulnerability - CVE-2023-22501 Published Atlassian Cloud sites are not affected. If your Jira site is accessed via an atlassian.net domain, it is hosted by Atlassian and you are not affected by the vulnerability. Severity Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment. Affected Versions Jira Service Management Server and Data Center versions 5.3.0 to 5.3.1 and 5.4.0 to 5.5.0 are affected by this vulnerability. Product Affected Versions Jira Service Management Server and Data Center 5.3.0 5.3.1 5.3.2 5.4.0 5.4.1 5.5.0 Fixed Versions Product Fixed Versions Jira Service Management Server and Data Center 5.3.3 5.4.2 5.5.1 5.6.0 or later What You Need to Do Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) above (see the “Fixed Versions” section of this page for details). For a full description of the latest version of Jira Service Management Server and Data Center, see the release notes. You can download the latest version of Jira Service Management and Data Center from the download center. For Frequently Asked Questions (FAQ), click here. Mitigation Installing a fixed version of Jira Service Management is the recommended way to remediate this vulnerability. If you are unable to immediately upgrade Jira Service Management, you can manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround. Jira Service Management Versions JAR File 5.5.0 servicedesk-variable-substitution-plugin-5.5.1-REL-0005.jar 5.4.0, 5.4.1 servicedesk-variable-substitution-plugin-5.4.2-REL-0005.jar 5.3.0, 5.3.1, 5.3.2 servicedesk-variable-substitution-plugin-5.3.3-REL-0001.jar To update the servicedesk-variable-substitution-plugin JAR file: Download the version-specific JAR file from the table above. Stop Jira. Copy the JAR file into your Jira home directory. For Server: /plugins/installed-plugins For Data Center: /plugins/installed-plugins Start Jira. Detection Atlassian cannot confirm if your instance has been affected by this vulnerability, but there are some steps you can follow to investigate your instances for potential unauthorized access. You can see the detailed steps outlined on the Frequently Asked Questions (FAQ) page here. Support For Frequently Asked Questions (FAQ), click here. If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/. References Security Bug fix Policy As per our new policy critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released. Severity Levels for security issues Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. End of Life Policy Our end of life policy varies for different products. Please refer to our EOL Policy for details. Last modified on Feb 1, 2023 ========================================================+ CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =======================================================