-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html

CVE ID:

* CVE-2020-36239

Products: Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center.

Affected Versions - Jira Data Center, Jira Core Data Center, and Jira Software Data Center:

6.3.0 <= version < 8.5.16
8.6.0 <= version < 8.13.8
8.14.0 <= version < 8.17.0

Affected Versions - Jira Service Management Data Center:

2.0.2 <= version < 4.5.16
4.6.0 <= version < 4.13.8
4.14.0 <= version < 4.17.0

Fixed Versions - Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions:

* Version 8.5.16 for 8.5.x LTS
* Version 8.13.8 for 8.13.x LTS
* Version 8.17.0

Fixed Versions - Jira Service Management Data Center:

* Version 4.5.16 for 4.5.x LTS
* Version 4.13.8 for 4.13.x LTS
* Version 4.17.0

Summary:

This advisory discloses a critical severity security vulnerability introduced in version 6.3.0 of Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center (known as Jira Service Desk prior to 4.14). Affected versions of Jira Data Center and Jira Service Management Data Center can be found in the table above (see "Affected Versions").

Customers who have downloaded and installed any versions listed in the Affected Versions section must upgrade their installations immediately to fix this vulnerability:

* Jira Data Center
* Jira Core Data Center
* Jira Software Data Center
* Jira Service Management Data Center

Atlassian Cloud is not affected by the issue described in this email. Jira Cloud is not affected. Jira Service Management Cloud is not affected.

Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected by the issue described in this email.
Missing Authentication for Ehcache RMI - CVE-2020-36239

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description:

Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed an Ehcache RMI network service, by default on port 40001 and potentially 40011 [0][1][2]. An attacker who can connect to the service could execute arbitrary code of their choice in Jira through deserialization, because the service did not require authentication.

While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira now require a shared secret in order to allow access to the Ehcache service.

[0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.
[1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.
[2] The default Ehcache port is 40001, but it can be configured to be on a different port; see https://confluence.atlassian.com/adminjiraserver/installing-jira-data-center-938846870.html#InstallingJiraDataCenter-parametersCluster.propertiesfileparameters for more details.
Fix:

To address these issues, we've released the following versions containing a fix:

For Jira Data Center, Jira Core Data Center, and Jira Software Data Center:

* 8.5.16 that contains a fix for this issue
* 8.13.8 that contains a fix for this issue
* 8.17.0 that contains a fix for this issue

For Jira Service Management Data Center:

* 4.5.16 that contains a fix for this issue
* 4.13.8 that contains a fix for this issue
* 4.17.0 that contains a fix for this issue

Remediation:

Atlassian recommends that you upgrade to the latest version. We also recommend restricting access to the Ehcache RMI ports as per
https://confluence.atlassian.com/adminjiraserver/installing-jira-data-center-938846870.html#InstallingJiraDataCenter-Security
and the full advisory for this issue:
https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html#JiraDataCenterAndJiraServiceManagementDataCenterSecurityAdvisory20210721-WhatYouNeedtoDo

Fixed versions can be downloaded at:

* Jira Core Server: https://www.atlassian.com/software/jira/core/download
* Jira Software Data Center: https://www.atlassian.com/software/jira/update
* Jira Service Management Data Center: https://www.atlassian.com/software/jira/service-management/update

Support:

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
-----BEGIN PGP SIGNATURE-----

iQJLBAEBCgA1FiEEXh3qw5vbMx/VSutRJCCXorxSdqAFAmD9/10XHHNlY3VyaXR5
QGF0bGFzc2lhbi5jb20ACgkQJCCXorxSdqD23xAAhUzZvFJdPI2/ypg8GYq3vptP
Y6sE89dxn2tpCJsnXdAYdWyKBFzTX3bpp7WVf3CvLn970bVi+BFGqFj0/O0JPtEz
bdlLddX9WqCjCmvKL13xSfjUVhJDKY461HL6L+tOO/YQx3xvEZLTKD9gNRv59cVA
wKoqA/OfFHu62iljz/z3HZn7a/YJ9SbQfBD+1vbfgWvWJZgR5dnCrnLNYpwiD1gO
9Yy7nXXkz6fo2XYOkB5yem578II0BusfcWNQ3r5nEn4DFUSo6zBMKr1PBdX0zyVE
uYucexb4PqefxsUfMjmrXBmn8dmgNHRcQmVoP2pSUDxwz9qQ5pMiCVlSJpgwsEPD
/kzARUxyujMmVgzPcrbNdtQIIzIf6US/QQzGsbuhraF6LY/+/wiNvtKPOk9SyByQ
1LDw+vCa7HXbMDUisKDHgsbc0MHrcD0wWpMQnKwk0Jay6TXkqBg3oUY+wbTcLkKr
X+IhYasbuVpB/Kz1gV8Xy62m80GZRbWyxdIrJS43fHw0tnAEq6jy+WRsaBZHtIL0
TF5bENkeBOx7KkPpxmclm9Nu7ZosAjxFfGw5hHQ9ym4pRMZ5vc2LagL717haQMk/
orbuMmmJ00LF3IqEQ2cQqs/I8Y4Zmnf1fk59GL303UJGVErvcfGSnIKLhAkXzcF4
lLsTKPa7SJl3NyTztO4=
=OR0i
-----END PGP SIGNATURE-----
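The Remediation section above tells administrators to restrict the Ehcache RMI ports to cluster members, and the footnotes note that the object port may be randomly allocated on older builds. The script below is an added example, not Atlassian's code and not part of the signed advisory: it reads a node's cluster.properties to find the listener and object ports, probes whether they accept TCP connections from the host it runs on (so running it from a host outside the cluster shows exposure), and emits iptables rules that admit those ports only from the other nodes. It assumes the property names ehcache.listener.port and ehcache.object.port and the defaults 40001/40011 as documented on the cluster.properties page linked in footnote [2]; the sample properties file and the peer addresses are constructed for the example.

```python
"""Ehcache RMI exposure check for Jira Data Center nodes (added example, not Atlassian's code).

Assumptions: property names ehcache.listener.port / ehcache.object.port and the
defaults 40001 / 40011 follow Atlassian's cluster.properties documentation; the
sample file and peer addresses below are constructed for the example.
"""
import socket
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_LISTENER_PORT = 40001  # RMI registry port ("ehcache.listener.port")
DEFAULT_OBJECT_PORT = 40011    # exported RMI object port ("ehcache.object.port")

# Constructed sample of one node's cluster.properties (not a real file).
SAMPLE_CLUSTER_PROPERTIES = """\
# Jira Data Center node configuration (constructed sample)
jira.node.id = node1
jira.shared.home = /data/jira/sharedhome
ehcache.listener.hostName = 10.0.0.11
ehcache.listener.port = 40001
ehcache.object.port = 40011
"""


def parse_cluster_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value; '#' and '!' start comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":" if ":" in line else None
        key, value = line.split(sep, 1) if sep else (line, "")
        props[key.strip()] = value.strip()
    return props


@dataclass
class EhcachePorts:
    listener_port: int
    object_port: int
    # False when ehcache.object.port is unset: Jira DC < 7.13.1 and JSM DC < 3.16.1
    # may then allocate the object port randomly, which a port-based rule cannot cover.
    object_port_pinned: bool


def ehcache_ports(props: Dict[str, str]) -> EhcachePorts:
    """Derive the node's Ehcache ports from its properties, falling back to the documented defaults."""
    listener = int(props.get("ehcache.listener.port", DEFAULT_LISTENER_PORT))
    obj = props.get("ehcache.object.port")
    return EhcachePorts(listener, int(obj) if obj else DEFAULT_OBJECT_PORT, bool(obj))


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes from this machine.
    This shows only that the port is exposed; it does not test whether a fixed
    build's shared secret is configured."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_node(host: str, ports: EhcachePorts, timeout: float = 2.0) -> Dict[int, bool]:
    """Map each Ehcache port of `host` to whether it is reachable from here."""
    return {p: tcp_reachable(host, p, timeout) for p in (ports.listener_port, ports.object_port)}


def iptables_rules(ports: EhcachePorts, peers: List[str]) -> List[str]:
    """Accept the Ehcache ports only from cluster peers and drop everything else.
    With an unpinned object port the DROP on 40011 does not cover a randomly
    allocated port; pin ehcache.object.port (and upgrade) before relying on this."""
    rules: List[str] = []
    for port in (ports.listener_port, ports.object_port):
        for peer in peers:
            rules.append(f"iptables -A INPUT -p tcp -s {peer} --dport {port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def demo_probe_local_listener() -> Tuple[bool, bool]:
    """Self-check of tcp_reachable against a loopback listener: (while open, after close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, 1.0)
    srv.close()
    after_close = tcp_reachable("127.0.0.1", port, 1.0)
    return while_open, after_close


if __name__ == "__main__":
    ports = ehcache_ports(parse_cluster_properties(SAMPLE_CLUSTER_PROPERTIES))
    print("Ehcache ports:", ports)
    print("loopback probe (open, closed):", demo_probe_local_listener())
    # Against a real node, run from a host that is NOT a cluster member, e.g.:
    # print(check_node("10.0.0.11", ports))
    print("\n".join(iptables_rules(ports, ["10.0.0.11", "10.0.0.12"])))
```

Run check_node from a workstation or a bastion outside the cluster: any port reported as reachable is exposed to that network segment and should be closed by the firewall rules regardless of whether the node has been upgraded. The fixed versions add a shared secret, but the advisory still recommends the network restriction, and a TCP probe cannot tell you whether the secret is in place.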