A Vulnerability in Jira Server Could Allow for Server-Side Template Injection

ITS Advisory Number: 
2019-073
Date(s) Issued: 
Friday, July 12, 2019
Subject: 
A Vulnerability in Jira Server Could Allow for Server-Side Template Injection
Overview: 

A vulnerability has been discovered in Jira Server and Jira Data Center that could allow for server-side template injection. Jira is a tool for bug tracking, issue tracking and project management. Successful exploitation of this vulnerability enables command execution on the vulnerable server. Depending on the privileges associated with the account running the Jira application service, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to run with fewer rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

 

THREAT INTELLIGENCE:

There is a publicly available exploit for this vulnerability.

 

Systems Affected: 
  • Jira Server and Data Center 7.x versions prior to 7.6.14 (7.0 through 7.6 branches) and 7.13.5 (7.7 through 7.13 branches)

  • Jira Server and Data Center 8.0.x versions prior to 8.0.3

  • Jira Server and Data Center 8.1.x versions prior to 8.1.2

  • Jira Server and Data Center 8.2.x versions prior to 8.2.3
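The following is an added example (not Atlassian code and not part of this advisory) that encodes the affected ranges above so an inventory of Jira instances can be triaged mechanically. It assumes the 7.x entry means 7.0 through 7.6 are fixed in 7.6.14 and 7.7 through 7.13 are fixed in 7.13.5; a branch that does not appear in the list (for example 6.x or 8.3 and later) is reported as "not listed" rather than assumed safe, because this advisory says nothing about it and the vendor must be consulted.

```python
"""Check Jira Server / Data Center version strings against the affected ranges
listed in this advisory.  Added example, not Atlassian's code or a tool from
the advisory.  The split of the 7.x entry into two branch ranges is the
editor's reading of the list above (assumption)."""

import re
from typing import Tuple

Version = Tuple[int, int, int]

# (lowest branch, highest branch, first fixed version) per advisory entry.
# Branches are (major, minor); a build is affected if its branch falls in the
# range and it is older than the fixed version.
AFFECTED_RANGES = [
    ((7, 0), (7, 6), (7, 6, 14)),    # assumption: 7.0-7.6 fixed in 7.6.14
    ((7, 7), (7, 13), (7, 13, 5)),   # assumption: 7.7-7.13 fixed in 7.13.5
    ((8, 0), (8, 0), (8, 0, 3)),
    ((8, 1), (8, 1), (8, 1, 2)),
    ((8, 2), (8, 2), (8, 2, 3)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse '8.1.1', '7.13' or '8.2.0-m0001' into (major, minor, patch).
    Anything after the numeric part is ignored; a missing patch level is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Jira version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def assess(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not listed' for one version string.
    'not listed' means the branch is absent from the advisory, so it must be
    checked with the vendor instead of being treated as safe."""
    v = parse_version(text)
    branch = (v[0], v[1])
    for low, high, fixed in AFFECTED_RANGES:
        if low <= branch <= high:
            return "vulnerable" if v < fixed else "fixed"
    return "not listed"


def triage(versions):
    """Map each version string in an inventory to its status."""
    return {ver: assess(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["7.6.13", "7.6.14", "7.12.0", "7.13.5", "8.0.2", "8.1.2",
              "8.2.1", "8.3.0", "6.4.14"]
    for ver, status in triage(sample).items():
        print(f"{ver:>8}  {status}")
```

Feed it the version string shown in the Jira footer or in the system information page; the check is purely offline and does not contact the instance.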

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
Low
Description: 

A vulnerability has been discovered in Jira Server and Jira Data Center that could allow for server-side template injection. The vulnerability is reachable when an SMTP server has been configured in Jira and a malicious user either has access to the "Contact Administrators" form or holds "JIRA Administrators" access; an attacker with administrator access can also reach it through administrative mail functions that render Velocity templates. The flaw is improper input validation of the subject field: the subject supplied by the user is passed to the Velocity template engine and evaluated as a template instead of being treated as plain text. When an attacker submits a specially crafted subject through the "Contact Administrators" form or the administrative Velocity template path, the injected template code is executed in the context of the server.

 

Successful exploitation of this vulnerability enables command execution on the vulnerable server. Depending on the privileges associated with the account running the Jira application service, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to run with fewer rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.
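Because the vulnerable input is a single form field, exploitation attempts can be hunted for by looking for Velocity template syntax in the subject parameter of requests to the contact-administrators form. The script below is an added example written for this advisory, not Atlassian code or the public exploit. It assumes the form posts to /secure/ContactAdministrators.jspa and that request bodies are available in a reverse-proxy or WAF log that records them as body="..." (Tomcat's default access log does not capture POST bodies, so the log format here is a constructed one). The check is a heuristic: a Velocity directive such as #set or #foreach in a subject is rated high, a bare reference such as ${name} is rated medium, and a subject like "Refund of $100" is not flagged.

```python
"""Hunt for Velocity template syntax in the 'subject' parameter of requests
to the Contact Administrators form.  Added example for this advisory; not
Atlassian code.  Assumptions: the form endpoint path below, and a proxy/WAF
log line that carries the URL-encoded POST body as body="..." (constructed
format; Tomcat's default access log does not record bodies)."""

import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

CONTACT_ADMINS_PATH = "/secure/ContactAdministrators.jspa"  # assumed endpoint

# Velocity directives indicate template logic rather than plain text.
DIRECTIVE_RE = re.compile(
    r"#\{?(set|if|elseif|else|foreach|evaluate|include|parse|macro|define|break|stop)\b")
# Velocity references: $name, $!name, ${name}, $!{name}.  A '$' followed by a
# digit ("$100") is ordinary text and is deliberately not matched.
REFERENCE_RE = re.compile(r"\$!?\{?[A-Za-z_][A-Za-z0-9_]*")

# Constructed log format: client, two dashes, [timestamp], "METHOD path proto",
# status, optional body="url-encoded form".
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})(?: body="(?P<body>[^"]*)")?')


def classify_subject(subject: str) -> Optional[str]:
    """'high' for a Velocity directive, 'medium' for a reference only,
    None when the subject looks like ordinary text."""
    if DIRECTIVE_RE.search(subject):
        return "high"
    if REFERENCE_RE.search(subject):
        return "medium"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious POST to the contact-administrators form."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?")[0] != CONTACT_ADMINS_PATH:
            continue
        # parse_qs decodes '+' and %XX, giving the subject as the server saw it.
        subject = parse_qs(m.group("body") or "").get("subject", [""])[0]
        severity = classify_subject(subject)
        if severity:
            findings.append({"client": m.group("client"), "time": m.group("ts"),
                             "severity": severity, "subject": subject})
    return findings


# Constructed sample log lines, not from a real system.  Bodies are
# URL-encoded as a proxy would capture them.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2019:10:01:02 +0000] "POST /secure/ContactAdministrators.jspa HTTP/1.1" 302 body="subject=Cannot+log+in&details=Password+reset+fails"',
    '203.0.113.7 - - [12/Jul/2019:10:01:30 +0000] "POST /secure/ContactAdministrators.jspa HTTP/1.1" 302 body="subject=Refund+of+%24100+not+received&details=See+ticket"',
    '198.51.100.23 - - [12/Jul/2019:10:02:11 +0000] "POST /secure/ContactAdministrators.jspa HTTP/1.1" 302 body="subject=%23set%28%24x%3D%22probe%22%29%24x&details=test"',
    '198.51.100.23 - - [12/Jul/2019:10:02:40 +0000] "POST /secure/ContactAdministrators.jspa HTTP/1.1" 302 body="subject=hello+%24%7Bfoo.bar%7D&details=test"',
    '198.51.100.23 - - [12/Jul/2019:10:03:00 +0000] "GET /secure/ContactAdministrators.jspa HTTP/1.1" 200',
    '192.0.2.9 - - [12/Jul/2019:10:03:05 +0000] "POST /secure/Dashboard.jspa HTTP/1.1" 200 body="subject=%23set%28%24a%3D1%29"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']:15} {f['time']}  subject={f['subject']!r}")
```

Only the two requests from 198.51.100.23 are reported; the ordinary support request and the "$100" subject are not. Adapt LINE_RE to the real log source, and remember that a hit shows an attempt, not a confirmed compromise, so pair it with the version check and with a review of the Jira host for unexpected processes or accounts.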

Actions: 
  • After appropriate testing, immediately apply the updates provided by Atlassian to vulnerable systems.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

  • Apply the Principle of Least Privilege to all systems and services.