bitvoodoo Advisories BVADVIS

Product
  • Jira Service Management Data Center
  • Jira Service Management Server

Vulnerability: XML External Entity (XXE) injection via the bundled Terracotta Quartz Scheduler

Severity: high (8.4, Atlassian's own assessment; NVD rates the upstream CVE critical, 9.8)

CVE: CVE-2019-13990

Official link: https://confluence.atlassian.com/security/cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html

Dear customer,

On Oct 17 2023 10:00 PDT, Atlassian issued a Security Advisory for Jira Service Management Server and Data Center.
The Cloud versions of the applications as well as other Atlassian products are not affected.

What you need to know

Certain versions of Jira Service Management Server and Data Center are affected by CVE-2019-13990. They bundle a vulnerable version of the Terracotta Quartz Scheduler whose XML job-definition parser (initDocumentParser in XMLSchedulingDataProcessor, per the upstream CVE description) resolves external entities. An authenticated attacker who can supply a job description can therefore mount an XML External Entity (XXE) injection; depending on the parser configuration, XXE typically lets the attacker read files the Jira process can access or make the server issue requests to internal hosts.
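How a job-description XXE works, as an added example that is not Quartz, Atlassian or bitvoodoo code: a minimal Python parser for a job-definition document, run once with external entities resolved (the behaviour the CVE describes) and once with any DOCTYPE rejected (what a hardened parser configuration does). The XML, the job name, the element names and the "secret" file it reads are all constructed for this example; the real Quartz schema and the real Jira attack surface are not reproduced here.

```python
"""Constructed XXE demonstration (added example, not Quartz/Atlassian code)."""
import pathlib
import tempfile
import urllib.request
from xml.parsers import expat


class DoctypeRejected(Exception):
    """Raised by the hardened parser when the document carries a DOCTYPE."""


def parse_job_description(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Return the text of the first <description> element.

    resolve_external_entities=True reproduces the vulnerable behaviour: a
    SYSTEM entity is fetched and its content is spliced into the document.
    resolve_external_entities=False rejects any DOCTYPE before an entity can
    even be declared, which is the usual hardening for untrusted XML.
    """
    parts = []
    state = {"in_description": False}

    def start(name, attrs):
        if name == "description":
            state["in_description"] = True

    def end(name):
        if name == "description":
            state["in_description"] = False

    def chars(data):
        if state["in_description"]:
            parts.append(data)

    def external_entity_ref(context, base, system_id, public_id):
        # Vulnerable path: fetch whatever the SYSTEM identifier points at
        # (file://, http://, ...) and parse it as part of this document.
        with urllib.request.urlopen(system_id) as fh:
            sub = parser.ExternalEntityParserCreate(context)
            sub.Parse(fh.read(), True)
        return 1

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {doctype_name!r} not allowed in job XML")

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    if resolve_external_entities:
        parser.ExternalEntityRefHandler = external_entity_ref
    else:
        parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_bytes, True)
    return "".join(parts)


def demo() -> dict:
    """Run both parser modes over a constructed malicious job definition."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a sensitive file such as /etc/passwd.
        secret = pathlib.Path(tmp) / "secret.txt"
        secret.write_text("root:x:0:0:root:/root:/bin/bash\n")
        # Constructed payload; element names only loosely resemble Quartz's format.
        payload = f"""<?xml version="1.0"?>
<!DOCTYPE job-scheduling-data [
  <!ENTITY xxe SYSTEM "{secret.as_uri()}">
]>
<job-scheduling-data>
  <job>
    <name>nightly-report</name>
    <description>&xxe;</description>
  </job>
</job-scheduling-data>""".encode()
        leaked = parse_job_description(payload, resolve_external_entities=True)
        try:
            parse_job_description(payload, resolve_external_entities=False)
            blocked = False
        except DoctypeRejected:
            blocked = True
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE outright is preferable to merely not resolving external entities: a parser that silently skips them returns an empty description and still expands internal entities, so entity-expansion denial of service stays possible, whereas a document without a DOCTYPE cannot declare any entity at all.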

Atlassian has committed to issuing critical advisories based on the NVD score, and NVD rates this third-party CVE critical (9.8). That score does not account for the context in which the vulnerable component is used in Jira Service Management: the attack requires an authenticated user, so unauthenticated attackers without local access to the system cannot exploit it. Atlassian's own assessment therefore rates the vulnerability high (8.4) rather than critical, and Atlassian is not calling for immediate action from this bulletin.

Affected Versions

Jira Service Management Data Center and Server

  • 4.20.0 to 4.20.25
  • 4.21.0 and 4.21.1
  • 4.22.0 to 4.22.4, and 4.22.6
  • 5.0.0
  • 5.1.0 and 5.1.1
  • 5.2.0 and 5.2.1
  • 5.3.0 to 5.3.3
  • 5.4.0 to 5.4.9
  • 5.5.1
  • 5.6.0
  • 5.7.0 and 5.7.1
  • 5.8.0 and 5.8.1
  • 5.9.0
  • 5.10.0

Ranges are inclusive and cover every release between the endpoints; the advisory names each of these builds individually. Builds not named here (for example 4.22.5) are not declared affected, but their release lines also have no fixed build, so check them against the official advisory rather than assuming they are safe.


What should I do?

You use Jira Service Management Data Center and Server

Check your installed version against the list above. If it is affected, plan an upgrade to one of the fixed releases under Update below. Atlassian rates the issue high rather than critical and is not calling for immediate action, but the fix should still go into your next maintenance window. If you cannot upgrade soon, apply the mitigation below in the meantime.


Mitigation

If you cannot upgrade to a fixed version immediately, you can temporarily mitigate the vulnerability by disabling Assets on your Jira Service Management instance, following the instructions in Atlassian's official advisory (linked above). This removes Assets functionality for all users until it is re-enabled, and it is a stopgap rather than a fix: it does not remove the vulnerable component, only the feature through which it is reachable, so upgrade as soon as you can.


Update

Atlassian addresses this issue in the following versions:

  • 4.20.26 or later
  • 5.4.10 or later
  • 5.7.2 or later
  • 5.8.2 or later
  • 5.9.2 or later
  • 5.10.1 or later

Release lines not named here (4.21, 4.22, 5.0 to 5.3, 5.5 and 5.6) have no patched build of their own; move to the nearest fixed line above your current version, for example from 4.22.x to 5.4.10 or later.
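A small version check, added here as an example (not bitvoodoo or Atlassian tooling), that classifies an installed Jira Service Management Server/Data Center version against the Affected Versions and Update lists above and picks the nearest fixed release that is not a downgrade. The version ranges are transcribed from the advisory; the comparison logic, the function names and the "unlisted" category for builds the advisory does not name are this example's own.

```python
"""Added example: classify a JSM Server/DC version against this advisory."""

# Inclusive ranges transcribed from the advisory's Affected Versions list.
AFFECTED_RANGES = [
    ((4, 20, 0), (4, 20, 25)),
    ((4, 21, 0), (4, 21, 1)),
    ((4, 22, 0), (4, 22, 4)),
    ((4, 22, 6), (4, 22, 6)),   # 4.22.5 is not named in the advisory
    ((5, 0, 0), (5, 0, 0)),
    ((5, 1, 0), (5, 1, 1)),
    ((5, 2, 0), (5, 2, 1)),
    ((5, 3, 0), (5, 3, 3)),
    ((5, 4, 0), (5, 4, 9)),
    ((5, 5, 1), (5, 5, 1)),
    ((5, 6, 0), (5, 6, 0)),
    ((5, 7, 0), (5, 7, 1)),
    ((5, 8, 0), (5, 8, 1)),
    ((5, 9, 0), (5, 9, 0)),
    ((5, 10, 0), (5, 10, 0)),
]

# First fixed build of each patched line ("X or later" in the advisory).
FIXED = [(4, 20, 26), (5, 4, 10), (5, 7, 2), (5, 8, 2), (5, 9, 2), (5, 10, 1)]


def parse_version(text: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable integer tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return tuple(int(p) for p in parts)


def format_version(v: tuple) -> str:
    return ".".join(str(n) for n in v)


def assess(version: str) -> dict:
    """Classify a version as fixed, affected or unlisted and suggest a target.

    'fixed'    : at or above the fixed build of its own release line.
    'affected' : named in the advisory's Affected Versions list.
    'unlisted' : neither; verify against the official advisory (example's own
                 category, e.g. 4.22.5, which the advisory does not name).
    upgrade_to : smallest fixed build above the installed version, so the
                 recommendation is never a downgrade; None if already fixed
                 or newer than every fixed build listed.
    """
    v = parse_version(version)
    same_line_fix = next((f for f in FIXED if f[:2] == v[:2]), None)
    if same_line_fix is not None and v >= same_line_fix:
        return {"version": version, "status": "fixed", "upgrade_to": None}
    candidates = [f for f in FIXED if f > v]
    target = format_version(min(candidates)) if candidates else None
    listed = any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)
    status = "affected" if listed else "unlisted"
    return {"version": version, "status": status, "upgrade_to": target}


if __name__ == "__main__":
    for sample in ("4.20.3", "4.22.5", "4.22.6", "5.4.10", "5.5.1", "5.10.0"):
        print(assess(sample))
```

Note that a version on a line without its own fixed build (4.22.6, 5.5.1) gets a target on the next higher fixed line (5.4.10, 5.7.2), which mirrors the advisory's "or later" semantics and avoids recommending a downgrade to 4.20.26.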

You use Jira Service Management Cloud

You are not affected by this Security Advisory. No need for action.


Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.


