Workaround for CVE-2019-14994
Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on 15 February 2024. If you are using a Server product, check the migration options on Atlassian's Server end-of-support announcement page.
*Except Fisheye and Crucible
Problem
The Jira Service Management versions affected by CVE-2019-14994 let users without application access, that is, Service Management customers, use a path traversal to view restricted issues in the Jira instance.
The traversal reaches Jira's XML search output, so customers who normally cannot see requests other than their own can read the details of issues contained in the generated XML results across all Jira Service Management projects.
A Jira project is exposed when its Browse Projects permission is granted to Group - Anyone, since that grant also covers customer accounts.
Affected versions
- All versions before 3.9.16
- 3.10.x
- 3.11.x
- 3.12.x
- 3.13.x
- 3.14.x
- 3.15.x
- 3.16.x before 3.16.8 (the fixed version for 3.16.x)
- 4.0.x
- 4.1.x before 4.1.3 (the fixed version for 4.1.x)
- 4.2.x before 4.2.5 (the fixed version for 4.2.x)
- 4.3.x before 4.3.4 (the fixed version for 4.3.x)
- 4.4.0
The permanent resolution is the upgrade below; the workarounds that follow are for when an immediate upgrade is not possible.
Solution
Upgrade to a fixed version of Jira Service Management:
- 3.9.16
- 3.16.8
- 4.1.3
- 4.2.5
- 4.3.4
- 4.4.1
Workarounds
Either limit which Jira projects can be returned at all, or block the path traversal before it reaches Jira.
Workaround to stop Jira projects from being returned in the resulting XML
Restrict every Jira project's Browse Projects permission to specific groups:
- Go to Project Settings → Permissions.
- Grant Browse Projects only to the groups that should have access to that project, and remove any Group - Anyone grant.
Workaround 1.
Redirect requests to Jira whose path contains .. to a safe URL
Add the following rule to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:
<rule>
    <from>(?s)^/.*\.\..*$</from>
    <to type="temporary-redirect">/</to>
</rule>
- Save urlrewrite.xml.
- Restart Jira.
After the restart, confirm that a request whose path contains .. is redirected to / and that ordinary Jira URLs still load.
Workaround 2.
Block requests to Jira whose path contains .. at the reverse proxy or load balancer
Apache
Add the following to the .conf file that contains the VirtualHost that proxies to Jira:
<LocationMatch "/(.*\.\.)">
    Order Allow,Deny
    Deny from all
</LocationMatch>
Order and Deny from are Apache 2.2 access-control directives; on Apache 2.4 they only work with mod_access_compat loaded, otherwise express the denial with the Require directive, as the <Proxy *> block in the example already does for the grant.
Example:
<VirtualHost *:80>
    ServerName jira.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass /jira http://ipaddress:8080/jira
    ProxyPassReverse /jira http://ipaddress:8080/jira
    <LocationMatch "/(.*\.\.)">
        Order Allow,Deny
        Deny from all
    </LocationMatch>
</VirtualHost>
- Restart your Apache proxy.
NGINX
Add the following to the .conf file that contains the server block that proxies to Jira, inside the location block:
if ($uri ~* "/.*\.\.") {
    return 405;
}
The test runs against $uri, which is NGINX's normalized form of the request path rather than the raw request line, so verify the block after the restart by sending requests containing .. through the proxy.
Example:
location /jira {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://ipaddress:8080/jira;
    client_max_body_size 10M;
    if ($uri ~* "/.*\.\.") {
        return 405;
    }
}
- Restart your NGINX.
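A probe harness for checking that Workaround 1 or 2 actually stops requests whose path contains .. before they reach Jira. This is an added example written for this article, not Atlassian code. The probe paths are constructed for illustration (they are generic Service Management portal URLs with .. inserted, not a specific exploit URL), and the local EdgeStub server is an assumption that stands in for your proxy so the script runs offline; point probe() at the real proxy's base URL to test a deployed rule. The encoded spellings of .. are included because a rule that only inspects the raw request line may treat them as ordinary characters, which is exactly the gap you want the probe to reveal.

```python
"""Probe harness for Workarounds 1 and 2: confirm that requests whose path
contains '..' never reach Jira.  Added example for this article, not Atlassian
code.  The probe paths are constructed for illustration and are not a specific
exploit URL; EdgeStub is an assumed stand-in for the proxy so this runs offline.
"""
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# One clean request plus several spellings of '..' (constructed sample paths).
PROBES = {
    "clean": "/jira/servicedesk/customer/portal/1",
    "literal": "/jira/servicedesk/customer/portal/1/../../rest/api/2/search",
    "pct": "/jira/servicedesk/customer/portal/1/%2e%2e/%2e%2e/rest/api/2/search",
    "double_pct": "/jira/servicedesk/customer/portal/1/%252e%252e/rest/api/2/search",
}

# The same pattern the article uses in urlrewrite.xml, Apache and NGINX:
# any '..' anywhere after a slash.
DOTDOT = re.compile(r"/.*\.\.")


def traversal_suspect(path: str) -> bool:
    """True if '..' appears literally or after up to two rounds of
    percent-decoding (catches %2e%2e and the double-encoded %252e%252e)."""
    candidate = path
    for _ in range(3):
        if DOTDOT.search(candidate):
            return True
        decoded = unquote(candidate)
        if decoded == candidate:
            return False  # nothing left to decode
        candidate = decoded
    return False


class EdgeStub(BaseHTTPRequestHandler):
    """Assumed stand-in for the proxy: answers 405 to a traversal probe
    (mirroring the NGINX snippet in the article) and 200 to anything else."""

    def do_GET(self):
        self.send_response(405 if traversal_suspect(self.path) else 200)
        self.end_headers()

    def log_message(self, *args):  # keep the console quiet
        pass


def start_stub():
    """Start EdgeStub on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), EdgeStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as its own status instead of following it: Workaround 1
    answers with a redirect to '/', and following it would hide the result."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def status_of(opener, url: str) -> int:
    """HTTP status for one request, whether urllib treats it as success or error."""
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(base_url: str) -> dict:
    """Send every probe path to base_url exactly as written (urllib does not
    collapse '..' segments) and return {probe_name: http_status}."""
    opener = urllib.request.build_opener(_NoRedirect)
    base = base_url.rstrip("/")
    return {name: status_of(opener, base + path) for name, path in PROBES.items()}


def leaks(results: dict) -> list:
    """Traversal probes the edge answered like a normal request (2xx)."""
    return [name for name, code in results.items()
            if name != "clean" and 200 <= code < 300]


if __name__ == "__main__":
    server, base = start_stub()
    try:
        outcome = probe(base)
    finally:
        server.shutdown()
        server.server_close()
    for name, code in outcome.items():
        print(f"{name:<11} {code}")
    print("leaks:", leaks(outcome) or "none")
```

Against a real deployment, expect a redirect to / for Workaround 1, 403 from the Apache rule and 405 from the NGINX rule on every traversal probe, and a normal response only for the clean path; any traversal probe that comes back 2xx needs investigation. If you probe with curl instead of this script, pass --path-as-is, because curl otherwise collapses /../ segments before sending the request and the probe never exercises the rule.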