Enterprotect


Critical Remote Code Execution Vulnerability in Atlassian's Jira Service Management Server and Data Center

A critical remote code execution vulnerability has been discovered in Atlassian’s Jira Service Management Server and Data Center versions 5.3.0 through 5.5 that could allow an unauthenticated attacker to impersonate other users and gain remote access to the systems. This advisory provides detailed information on the vulnerability, the risks involved, and the recommended steps to mitigate the threat.

Introduction

Atlassian's Jira Service Management Server and Data Center are widely used for software development, project management, and issue tracking. A critical remote code execution vulnerability (CVE-2023-22501) has been discovered in these products, which could allow an attacker to impersonate other users and gain remote access to the systems.

What is the Threat?

A remote code execution vulnerability exists in Atlassian's Jira Service Management Server and Data Center versions 5.3.0 through 5.5. An attacker who successfully exploits this flaw is able to impersonate other users and gain remote access to the systems. The vulnerability is rated critical, with a severity score of 9.4.

Why is it Noteworthy?

This vulnerability has a high success rate when targeting bot accounts. Upon successful exploitation, the attacker can interact with other users within Jira, add themselves to Jira issues, and request and receive emails using the 'View Request' link. These privileges can then allow them to acquire signup tokens. When a critical vulnerability is disclosed publicly, attackers often accelerate their attacks before the vulnerability is resolved.

What is the Exposure or Risk?

Upon successful exploitation, an attacker can change a user’s password without their knowledge, making it difficult for users to detect a compromise. The attacker can then run remote code to install programs; view, change, delete, or exfiltrate data; or create new accounts without the administrator noticing. These privileges give the attacker the tools to conduct a ransomware event, or to impersonate users for lateral movement within the environment. The outcome can be temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses, and harm to an organization’s reputation.

What are the Recommendations?

To mitigate the risk, Enterprotect recommends upgrading to a fixed version: 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later. If for some reason you are unable to upgrade, you can follow the steps below to apply a workaround fix:

  • Download the associated JAR from the Atlassian Security Advisory

  • Stop Jira

  • Copy the JAR file into the Jira home directory ("<Jira_Home>/plugins/installed-plugins" for Server or "<Jira_Shared>/plugins/installed-plugins" for Data Center)

  • Restart the service.
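The following triage helper is an added example, not Enterprotect's or Atlassian's code. It encodes only the version facts stated in this advisory (affected 5.3.0 through 5.5; fixed in 5.3.3, 5.4.2, 5.5.1 and 5.6.0) to classify each installed Jira Service Management version in an inventory, and it performs the JAR copy step of the workaround into the `plugins/installed-plugins` directory under the home path you pass in. The host names and versions in the inventory are constructed sample data; the stop and restart steps are left to the operator because the commands differ per installation.

```python
"""
Triage helper for CVE-2023-22501 (Jira Service Management Server / Data Center).

Added example, not Enterprotect's or Atlassian's code. Version boundaries come
from the advisory above; the inventory at the bottom is constructed sample data.
"""
import shutil
from pathlib import Path

# Fixed version per minor branch, as listed in the advisory.
FIXED_BY_BRANCH = {
    (5, 3): (5, 3, 3),
    (5, 4): (5, 4, 2),
    (5, 5): (5, 5, 1),
}
FIRST_AFFECTED = (5, 3, 0)
FIRST_CLEAN_BRANCH = (5, 6, 0)   # 5.6.0 and later are outside the affected range


def parse_version(text: str) -> tuple:
    """Turn '5.4.1' into (5, 4, 1); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version: str) -> dict:
    """
    Classify an installed JSM version against the advisory.
    Returns {'version': ..., 'affected': bool, 'upgrade_to': '5.x.y' or None}.
    """
    v = parse_version(version)
    if v < FIRST_AFFECTED or v >= FIRST_CLEAN_BRANCH:
        return {"version": version, "affected": False, "upgrade_to": None}
    fix = FIXED_BY_BRANCH[v[:2]]
    if v >= fix:
        # Already on the patched release of this branch.
        return {"version": version, "affected": False, "upgrade_to": None}
    return {"version": version, "affected": True, "upgrade_to": ".".join(map(str, fix))}


def triage(inventory: dict) -> list:
    """Return (host, fix_version) for every host that still needs action."""
    needs_action = []
    for host, ver in inventory.items():
        result = assess(ver)
        if result["affected"]:
            needs_action.append((host, result["upgrade_to"]))
    return needs_action


def stage_workaround_jar(jar: Path, home: Path) -> Path:
    """
    The copy step of the workaround: place the Atlassian-supplied JAR into
    <home>/plugins/installed-plugins. `home` is <Jira_Home> on Server or
    <Jira_Shared> on Data Center. Jira must already be stopped, and is
    restarted afterwards by the operator.
    """
    dest_dir = home / "plugins" / "installed-plugins"
    if not dest_dir.is_dir():
        raise FileNotFoundError(f"{dest_dir} does not exist; is {home} the Jira home?")
    dest = dest_dir / jar.name
    shutil.copy2(jar, dest)
    return dest


# Constructed sample inventory (host -> installed JSM version); not real hosts.
SAMPLE_INVENTORY = {
    "jsm-prod-01": "5.4.1",
    "jsm-prod-02": "5.5.0",
    "jsm-stage-01": "5.5.1",
    "jsm-legacy-01": "5.2.5",
    "jsm-dc-01": "5.6.0",
}

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to {fix} or apply the workaround JAR")
```

Feed `triage()` your own host-to-version map (for example, exported from your asset inventory) to get the list of instances that still need the upgrade or the workaround; `assess()` treats a bare "5.5" as 5.5.0, which is inside the affected range.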

References

For more in-depth information about the recommendations, please visit the following links: