A Vulnerability in Jira Server Could Allow for Server-Side Template Injection
MS-ISAC ADVISORY NUMBER:
2019-072
DATE(S) ISSUED:
07/11/2019
OVERVIEW:
A vulnerability has been discovered in JIRA Servers & Data Centers, which can allow for server template injection. JIRA is tool designed for bug tracking, tracking related issues and project management. Successful exploitation of this vulnerability will enable command injection to the vulnerable server. Depending on the privileges associated with the user running the Jira application service, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.
THREAT INTELLIGENCE:
There is a publicly available exploit for this vulnerability.
SYSTEMS AFFECTED:
- JIRA Servers & Data Centers 7.x versions prior to 7.6.14 and 7.13.5
- JIRA Servers & Data Centers 8.0.x versions prior to 8.0.3
- JIRA Servers & Data Centers 8.1.x versions prior to 8.1.2
- JIRA Servers & Data Centers 8.2.x versions prior to 8.2.3
RISK:
Government:
- Large and medium government entities: HIGH
- Small government entities: MEDIUM
Businesses:
- Large and medium business entities: HIGH
- Small business entities: MEDIUM
Home Users:
LOW
TECHNICAL SUMMARY:
A vulnerability has been discovered in JIRA Servers & Data Centers, which can allow for server template injection. This vulnerability occurs when an SMTP server has been configured in Jira and a malicious user has access to either the “Contact Administrators Form” or has “JIRA Administrators” access. If an attacker has administrator access, they can exploit this vulnerability via Velocity Templates. This vulnerability exists due to improper input validation within the subject field. When an attacker sends a specially crafted payload to the subject field within the “Contact Administrators Form” or the Velocity template, the desired command injected will be executed in the context of the server. Successful exploitation of this vulnerability will enable command injection to the vulnerable server.
Successful exploitation of this vulnerability will enable command injection to the vulnerable server. Depending on the privileges associated with the user running the Jira application service, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate updates provided by Jira to vulnerable systems, immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
- Apply the Principle of Least Privilege to all systems and services.