Workaround for CVE-2019-15001
Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "Jira Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
Affected versions
- 7.0.10 to 7.6.15
- 7.7.0 to 7.13.7
- 8.1.0 to 8.1.2
- 8.2.0 to 8.2.4
- 8.3.0 to 8.3.3
- 8.4.0
Solution
To address this issue, we have released the following versions of Jira Server and Jira Data Center:
- 8.4.1, which is available for download from https://www.atlassian.com/software/jira/download
- 8.3.4, which is available for download from https://www.atlassian.com/software/jira/update
- 8.2.5, which is available for download from https://www.atlassian.com/software/jira/update
- 8.1.3, which is available for download from https://www.atlassian.com/software/jira/update
- 7.13.8, which is available for download from https://www.atlassian.com/software/jira/update
- 7.6.16, which is available for download from https://www.atlassian.com/software/jira/update
Upgrading JIRA
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Jira Server & Jira Data Center, see the release notes. You can download the latest version of Jira Server & Jira Data Center from the download center.
Workaround
Workaround 1 - Tomcat (requires restart)
Block direct access to the endpoint in the Tomcat configuration files, for the PUT method only:
Shut down the application, and back up your $application-install/atlassian-jira/WEB-INF/web.xml file
Add the following block inside the <web-app> element:
<security-constraint>
    <web-resource-collection>
        <url-pattern>/rest/jira-importers-plugin/1.0/demo/create</url-pattern>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
Restart the Jira application
If you send a PUT request to the endpoint <Jira_BASE_URL>/rest/jira-importers-plugin/1.0/demo/create?key=NA&name=NA&lead=NA, it will return a 403 error with a Jira HTML page stating that "Access to the requested resource has been denied"
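As an added check that is not part of this article (and not an Atlassian tool), the following script parses a web.xml and confirms that a security-constraint denies PUT on the endpoint for every role, which is the condition Tomcat needs to answer 403. The sample web.xml fragments are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ENDPOINT = "/rest/jira-importers-plugin/1.0/demo/create"


def _local(tag):
    # web.xml normally declares the Java EE namespace, so ElementTree yields
    # tags like "{http://...}security-constraint"; keep only the local name.
    return tag.rsplit("}", 1)[-1]


def has_put_block(web_xml_text, endpoint=ENDPOINT):
    """True if a <security-constraint> denies PUT on `endpoint` for everyone.

    Tomcat treats an empty <auth-constraint/> (no <role-name>) as "no role is
    permitted", which is what the workaround relies on to return 403.
    """
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        covers = False
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [(e.text or "").strip() for e in wrc if _local(e.tag) == "url-pattern"]
            methods = [(e.text or "").strip().upper() for e in wrc if _local(e.tag) == "http-method"]
            # no <http-method> element at all means the constraint covers every method
            if endpoint in patterns and (not methods or "PUT" in methods):
                covers = True
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        if covers and auth and not any(_local(c.tag) == "role-name" for c in auth[0]):
            return True
    return False


# Constructed sample fragments (not a real Jira web.xml): one with the
# workaround applied, one without it.
PATCHED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/rest/jira-importers-plugin/1.0/demo/create</url-pattern>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

UNPATCHED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>example</servlet-name></servlet>
</web-app>"""

if __name__ == "__main__":
    print("patched:", has_put_block(PATCHED_WEB_XML))      # True
    print("unpatched:", has_put_block(UNPATCHED_WEB_XML))  # False
```

Run it against a copy of the real file with `has_put_block(open(path).read())` after applying the change and before restarting Jira.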
Workaround 2 - Proxy
Block access to the endpoint on the proxy server side, for the PUT method only (tested on Apache HTTPD):
Open the virtual host configuration
Add the following inside the virtual host to block the endpoint /rest/jira-importers-plugin/1.0/demo/create
<LocationMatch "/rest/jira-importers-plugin/1.0/demo/create">
    <LimitExcept GET DELETE POST>
        Deny from all
    </LimitExcept>
</LocationMatch>
Ensure all connectors pass through the proxy
Restart Apache
Example virtual host:
<VirtualHost *:80>
    ServerName atlassian.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Require all granted
    </Proxy>
    <LocationMatch "/rest/jira-importers-plugin/1.0/demo/create">
        <LimitExcept GET DELETE POST>
            Deny from all
        </LimitExcept>
    </LocationMatch>
    ProxyPass /jira http://localhost:8080/jira
    ProxyPassReverse /jira http://localhost:8080/jira
</VirtualHost>