April 21, 2024

A important vulnerability was fastened this week in Jira Service Administration Server, a well-liked IT providers administration platform for enterprises, that would permit attackers to impersonate customers and achieve entry to entry tokens. If the system is configured to permit public sign-up, exterior clients could be affected as properly.

The bug was launched in Jira Service Administration Server and Knowledge Middle 5.3.0, so variations 5.3.0 to five.3.1 and 5.4.0 to five.5.0 are affected. Atlassian has launched fastened variations of the software program however has additionally supplied a workaround that entails updating a single JAR file in impacted deployments. Atlassian Cloud situations should not weak.

Damaged Jira authentication

Atlassian describes the vulnerability, tracked as CVE-2023-22501, as a damaged authentication situation and charges it as important severity in response to its personal severity scale.

“With write entry to a Person Listing and outgoing e-mail enabled on a Jira Service Administration occasion, an attacker might achieve entry to signup tokens despatched to customers with accounts which have by no means been logged into,” the corporate defined in its advisory. “Entry to those tokens could be obtained in two instances: If the attacker is included on Jira points or requests with these customers, or if the attacker is forwarded or in any other case features entry to emails containing a ‘View Request’ hyperlink from these customers.”

Bot accounts that had been created to work with Jira Service Administration are significantly inclined to this situation, the corporate warned. Even when the flaw would not affect customers synced through read-only Person Directories or SSO, customers who work together with the occasion through e-mail are nonetheless affected even when SSO is enabled.

Jira Service Administration can be utilized to arrange and handle a service heart that unifies assist desks throughout completely different departments, corresponding to IT, HR, Finance, or Buyer Service, permitting groups to raised work on shared duties collectively. It additionally permits firms to handle asset, carry out inventories, observe possession and lifecycle, IT groups can handle infrastructure configuration and observe service dependencies, and may construct data bases for self-service. Given the various options that the platform helps and the duties it may be used for in a company surroundings, the probability of numerous workers, contractors and clients having accounts on it are excessive and so is the opportunity of abuse.

Jira Service Administration vulnerability mitigation

The corporate stresses that firms who do not expose Jira Service Administration publicly ought to nonetheless replace to a set model as quickly as potential. If they can not improve the entire system, they need to obtain the fastened servicedesk-variable-substitution-plugin JAR for his or her explicit model, cease Jira, copy the file within the <Jira_Home>/plugins/installed-plugins listing after which begin Jira once more.

As soon as the fastened JAR or the repair model has been put in, firms can search the database for customers with the com.jsm.usertokendeletetask.accomplished property set to “TRUE” for the reason that weak model has been put in. These are customers who might have been impacted, so the following step is to confirm that they’ve the proper e-mail addresses. Inner customers ought to have the proper e-mail area and publicly signed-up customers ought to have their usernames an identical to their e-mail handle.

A password reset ought to then be pressured for all doubtlessly affected customers, which entails a affirmation e-mail being despatched, so it is crucial their e-mail addresses are appropriate. The JIRA API can be utilized to drive password resets, together with expiring any energetic classes and logging out any potential attackers.

“Whether it is decided that your Jira Service Administration Server/DC occasion has been compromised, our recommendation is to instantly shut down and disconnect the server from the community/web,” the corporate mentioned in a FAQ document accompanying the advisory. “Additionally, it’s possible you’ll wish to instantly shut down some other programs which doubtlessly share a person base or have frequent username/password mixtures with the compromised system. Earlier than doing the rest you will have to work along with your native safety workforce to establish the scope of the breach and your restoration choices.”

Copyright © 2023 IDG Communications, Inc.