Workaround for CVE-2019-15004
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
This workaround fixes CVE-2019-14994 and CVE-2019-15004
This workaround will also block attachments that contain .. in the file name. To avoid this, attachments can be renamed to remove .. in the file name or upgrade to a fixed version so the workaround can be removed
問題
Affected Jira Service Management versions in CVE-2019-15004 will allow non-application access users - Service Management Customers to see restricted information in the Jira instance.
This affects Jira Service Management portals that have the "Anyone can email the service project or raise a request in the portal" setting enabled, exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance.
影響バージョン
- All versions before 3.9.17
- 3.10.x
- 3.11.x
- 3.12.x
- 3.13.x
- 3.14.x
- 3.15.x
- 3.16.x before 3.16.11 (the fixed version for 3.16.x)
- 4.0.x
- 4.1.x
- 4.2.x before 4.2.6 (the fixed version for 4.2.x)
- 4.3.x before 4.3.5 (the fixed version for 4.3.x)
- 4.4.x before 4.4.3 (the fixed version for 4.4.x)
- 4.5.x before 4.5.1 (the fixed version for 4.5.x)
Permanent resolution below along with workarounds if immediate upgrade is not possible
ソリューション
Upgrade to fixed version of Jira Service Management
3.9.17
3.16.11
4.2.6
4.3.5
4.4.3
- 4.5.1
回避策
Block path traversals and authorization byppass.
Workaround 1.
Redirect requests to Jira containing .. to a safe URL
Add the following to the
<urlrewrite>section of[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:<rule> <from>(?s)^/.*\.\..*$</from> <to type="temporary-redirect">/</to> </rule>urlrewrite.xmlを保存します。- Jira を再起動します。
Workaround 2.
Block requests to Jira for path traversal at the reverse proxy or load balancer level
Apache
Add the following into the .conf file that contains the virtualhost that proxies to Jira
<LocationMatch "/(.*\.\.)"> Order Allow,Deny Deny from all </LocationMatch>example below -
<VirtualHost *:80> ServerName jira.example.com ProxyRequests Off ProxyVia Off <Proxy *> Require all granted </Proxy> ProxyPass /jira http://ipaddress:8080/jira ProxyPassReverse /jira http://ipaddress:8080/jira <LocationMatch "/(.*\.\.)"> Order Allow,Deny Deny from all </LocationMatch> </VirtualHost>- Restart your Apache proxy
NGINX
Add the following into the .conf file that contains the server block that proxies to Jira inside location block
if ($uri ~* "/.*\.\."){ return 405;}example below -
location /jira { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://ipaddress:8080/jira; client_max_body_size 10M; if ($uri ~* "/.*\.\."){ return 405;} }- Restart your NGINX