Vulnerability in Jira Service Management Server and Data Center - CVE-2023-22501
Dear customer,
on the 1st of February 2023 at 8 PM CEST, Atlassian issued a Security Advisory for Jira Service Management Server and Jira Service Management Data Center.
Atlassian Cloud sites are not affected. If your Jira site is accessed via an atlassian.net domain, it is hosted by Atlassian and you are not affected by the vulnerability.
What you need to know
This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server et Data Center.
An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With public signup enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases:
If the attacker is included on Jira issues or requests with these users, or
If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.
Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.
Affected Versions
The following versions are affected by this vulnerability:
5.3.0
5.3.1
5.3.2
5.4.0
5.4.1
5.5.0
Fixed Versions
Product | Fixed Versions |
|---|---|
Jira Service Management Server and Data Center |
|
What should I do?
You use Jira Service Management Server or Data Center in a version listed in Affected Versions.
Upgrade
Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) above (see the “Fixed Versions” section of this page for details).
For a full description of the latest version of Jira Service Management Server and Data Center, see the release notes. You can download the latest version of Jira Service Management and Data Center from the download center.
Workaround, Mitigation
Installing a fixed version of Jira Service Management is the recommended way to remediate this vulnerability.
If you are unable to immediately upgrade Jira Service Management, you can manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround.
Jira Service Management Versions | JAR File |
|---|---|
5.5.0 | |
5.4.0, 5.4.1 | |
5.3.0, 5.3.1, 5.3.2 |
To update the servicedesk-variable-substitution-plugin JAR file:
Download the version-specific JAR file from the table above.
Stop Jira.
Copy the JAR file into your Jira home directory
For the Server edition:
<Jira_Home>/plugins/installed-pluginsFor the Data Center edition:
<Jira_Shared>/plugins/installed-plugins
Start Jira.
You use Jira Service Management Cloud.
You are not affected by the vulnerability.
No need for actions
You use Jira Server or Jira Data Center on servers operated by bitvoodoo
Mitigation
The mitigation has been implemented to secure instances hosted on the bitvoodoo cloud.
Update
LTS Update Package Customers will get contacted to discuss the need of an update.
Support
If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.