Essential vulnerability patched in Jira Service Administration Server and Information Heart

A vital vulnerability was fastened this week in Jira Service Administration Server, a well-liked IT providers administration platform for enterprises, that would enable attackers to impersonate customers and acquire entry to entry tokens. If the system is configured to permit public sign-up, exterior prospects may be affected as nicely.

The bug was launched in Jira Service Administration Server and Information Heart 5.3.0, so variations 5.3.0 to five.3.1 and 5.4.0 to five.5.0 are affected. Atlassian has launched fastened variations of the software program however has additionally supplied a workaround that entails updating a single JAR file in impacted deployments. Atlassian Cloud situations are usually not weak.

Damaged Jira authentication

Atlassian describes the vulnerability, tracked as CVE-2023-22501, as a damaged authentication concern and charges it as vital severity in keeping with its personal severity scale.

“With write entry to a Consumer Listing and outgoing e-mail enabled on a Jira Service Administration occasion, an attacker might acquire entry to signup tokens despatched to customers with accounts which have by no means been logged into,” the corporate defined in its advisory. “Entry to those tokens may be obtained in two instances: If the attacker is included on Jira points or requests with these customers, or if the attacker is forwarded or in any other case good points entry to emails containing a ‘View Request’ hyperlink from these customers.”

Bot accounts that have been created to work with Jira Service Administration are notably vulnerable to this situation, the corporate warned. Even when the flaw does not influence customers synced by way of read-only Consumer Directories or SSO, customers who work together with the occasion by way of e-mail are nonetheless affected even when SSO is enabled.

Jira Service Administration can be utilized to arrange and handle a service middle that unifies assist desks throughout totally different departments, corresponding to IT, HR, Finance, or Buyer Service, permitting groups to raised work on shared duties collectively. It additionally permits firms to handle asset, carry out inventories, observe possession and lifecycle, IT groups can handle infrastructure configuration and observe service dependencies, and might construct data bases for self-service. Given the numerous options that the platform helps and the duties it may be used for in a company surroundings, the chance of numerous staff, contractors and prospects having accounts on it are excessive and so is the opportunity of abuse.

Jira Service Administration vulnerability mitigation

The corporate stresses that firms who do not expose Jira Service Administration publicly ought to nonetheless replace to a set model as quickly as potential. If they cannot improve the entire system, they need to obtain the fastened servicedesk-variable-substitution-plugin JAR for his or her explicit model, cease Jira, copy the file within the <Jira_Home>/plugins/installed-plugins listing after which begin Jira once more.

As soon as the fastened JAR or the repair model has been put in, firms can search the database for customers with the com.jsm.usertokendeletetask.accomplished property set to “TRUE” because the weak model has been put in. These are customers who might have been impacted, so the subsequent step is to confirm that they’ve the proper e-mail addresses. Inside customers ought to have the proper e-mail area and publicly signed-up customers ought to have their usernames equivalent to their e-mail tackle.

A password reset ought to then be pressured for all probably affected customers, which entails a affirmation e-mail being despatched, so it is crucial their e-mail addresses are appropriate. The JIRA API can be utilized to pressure password resets, together with expiring any lively periods and logging out any potential attackers.

“Whether it is decided that your Jira Service Administration Server/DC occasion has been compromised, our recommendation is to right away shut down and disconnect the server from the community/web,” the corporate stated in a FAQ document accompanying the advisory. “Additionally, chances are you’ll need to instantly shut down some other programs which probably share a consumer base or have frequent username/password mixtures with the compromised system. Earlier than doing anything you have to to work together with your native safety group to determine the scope of the breach and your restoration choices.”