Atlassian Jira Data Center’s Critical Vulnerability – What you need to know

Posted on 07.21.2021
Written by Brody Larson

Atlassian has announced a critical severity security vulnerability on certain versions of the Data Center platform for Jira, Jira Core, Jira Software and Jira Service Management. Oxalis has performed additional analysis on this vulnerability announcement and is confident that our current customers are protected by our security practices. This security vulnerability only affects Atlassian’s Data Center products. Atlassian Server and Atlassian Cloud products are not affected, and if you are on either deployment, you are not impacted by this vulnerability.

Specifically, the CVE (Common Vulnerabilities and Exposures) ID for this vulnerability is: CVE-2020-36239 (Missing Authentication for Ehcache RMI).

As explained by Atlassian, the affected versions of Jira, Jira Core, Jira Software and Jira Service Management:

“exposed an Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011, could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability”

Atlassian has created two issues in their system for tracking, where updates will be published:

This vulnerability specifically affects the following versions of Jira, Jira Core and Jira Software Data Center:

  • 6.3.0 to 8.5.16
  • 8.6.0 to < 8.13.8
  • 8.14.0 to < 8.17.0

Additionally, this vulnerability specifically affects the following version of Jira Service Management:

  • 2.0.2 to 4.5.16
  • 4.6.0 to < 4.13.8
  • 4.14.0 to < 4.17.0

If you are unsure of the best way to confirm the version of Jira Data Center you are on, or have any other concerns, get support here!

You may not be vulnerable

According to Oxalis’ evaluation in addition to Atlassian’s announcement, this vulnerability will only impact specific Jira deployments. If any of the following deployment options match your usage of Atlassian’s Jira products, you are NOT affected by this security vulnerability, and do not need to take any further action:

  • Server – Even though Atlassian’s two hosted / on-premise deployments have a lot of similarities, Server deployments of Jira, Jira Core, Jira Software and Jira Service Management are not affected by this vulnerability, and do not need to be updated. 
  • Cloud – Atlassian Cloud is not affected by this vulnerability, and all Atlassian Cloud customers can rest assured that their site is not at risk. 
  • Single-node Data Center Deployments – If your Data Center infrastructure only contains a single node, you are not affected by this vulnerability, as the security threat is specifically for clustered instances.
  • Non-Jira Data Center Products – All Data Center deployments of Confluence, Bitbucket and Crowd are not affected by this security vulnerability, and do not require any updates.
  • Up-to-date Jira Data Center deployments – For Jira, Jira Core and Jira Software, all deployments version 8.17.0 and higher contain a fix for this issue. For Jira Service Management, all deployments version 4.17.0 and higher contain a fix for this issue.
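To turn the version ranges and exposure rules above into a repeatable check, here is a POSIX sh script added to this write-up (it is not Atlassian's or Oxalis' own tooling). It encodes the affected ranges exactly as listed, compares dotted version strings numerically, and applies the rule that only a clustered node on an affected version needs immediate action. The version string can be read from Jira's serverInfo REST endpoint by an administrator; the versions used in the demo line at the bottom are constructed sample inputs.

```shell
#!/bin/sh
# Classify a Jira / Jira Service Management Data Center version against the
# affected ranges listed above. Added example for this write-up, not
# Atlassian's or Oxalis' tooling. Pure POSIX sh so it runs on any node.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' "-1"; return 0; }
        [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' "1"; return 0; }
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' "0"
}

# Exit 0 when lo <= v < hi, or lo <= v <= hi when the 4th argument is "yes".
in_range() {
    v=$1 lo=$2 hi=$3 inclusive=$4
    [ "$(vercmp "$v" "$lo")" -ge 0 ] || return 1
    if [ "$inclusive" = yes ]; then
        [ "$(vercmp "$v" "$hi")" -le 0 ]
    else
        [ "$(vercmp "$v" "$hi")" -lt 0 ]
    fi
}

# Exit 0 if the version falls in an affected range for the product (jira|jsm).
# Ranges are the ones listed in the advisory above: low:high:high_inclusive.
version_affected() {
    product=$1 version=${2%%-*}   # drop suffixes such as -SNAPSHOT
    case $product in
        jira) ranges="6.3.0:8.5.16:yes 8.6.0:8.13.8:no 8.14.0:8.17.0:no" ;;
        jsm)  ranges="2.0.2:4.5.16:yes 4.6.0:4.13.8:no 4.14.0:4.17.0:no" ;;
        *) echo "unknown product: $product" >&2; return 2 ;;
    esac
    for r in $ranges; do
        rlo=${r%%:*}; rest=${r#*:}; rhi=${rest%%:*}; rinc=${rest#*:}
        in_range "$version" "$rlo" "$rhi" "$rinc" && return 0
    done
    return 1
}

# Apply the exposure rules stated above: only clustered nodes on an affected
# version need immediate action. Prints a verdict; exits 0 when action is
# needed and 1 otherwise.
assess() {
    product=$1 version=$2 clustered=$3
    if ! version_affected "$product" "$version"; then
        echo "not affected: $product $version is outside the affected ranges"
        return 1
    elif [ "$clustered" != yes ]; then
        echo "version $version affected but single-node: plan the upgrade, not urgent"
        return 1
    fi
    echo "AFFECTED: clustered $product $version - upgrade now or restrict the RMI ports"
}

# Demo with a constructed version. On a real node, read the version from
# GET /rest/api/2/serverInfo (the "version" field) with an admin session and
# pass "yes" as the third argument if the node is part of a cluster.
assess jira 8.13.7 yes
```

The comparison is done field by field rather than with `sort -V` so the script works on minimal images without GNU coreutils.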

What you should do

Even if you’re not vulnerable, take the opportunity to review your security and maintenance procedures and controls. Vulnerabilities of this kind are rare, but preparation and strong defences against them are far easier to put in place before an issue becomes critical.

You have layers of protection to prevent exploitation

In order to exploit the issue, an attacker would need to have network access to the particular ports in DC deployments. Oxalis’ clustered cloud deployments, while already avoiding the issue by being up to date, have multiple layers of protection following zero-trust principles to ensure these types of issues cannot be exploited.

Here are some of the ways that our deployments are protected against these types of threats:

  • System and network firewall rules restricting RMI communication exclusively to cluster instances.
  • Isolated application infrastructure, so that no single platform can be used to launch an attack on another.
  • Serverless hosting and isolated instances so any remote code execution does not have any additional access, reducing or eliminating the blast radius and any further privilege escalation.
  • Active monitoring of network traffic and IDS systems for early detection.

What you should do

Upgrade your system as soon as possible. Also review your maintenance processes to chart a path to staying up to date.

What to do if you believe you’re at risk

Upgrade to the latest release

The current releases of Atlassian’s Jira DC products have added security patches to address this issue – as long as you have a release from the past 2 months, you are protected. Staying up to date should be the baseline for security practices. 

  • How to check current version
    • To find the version of Jira Data Center that you are on, click on the Administration cog and go to Applications. Here you can view the current version of your Jira applications. 
      • Note: You will need to be a Jira Administrator to access Jira’s Administration menu.
    • Need help finding your current version of Jira Data Center? Get help immediately for assistance.
  • If you’re ready to upgrade, follow Atlassian’s upgrade process. New versions for the affected applications can be downloaded at:
  • Make a plan to stay up to date
    • At Oxalis, we hold regular maintenance windows for all deployments and applications. We continuously monitor, review, and upgrade to new releases for applications like Jira to ensure our client’s systems are up to date.

Not Ready to upgrade, or can’t upgrade quickly?

There are various reasons why you may not be able to quickly upgrade to version 8.17.0 (4.17.0 for Jira Service Management) of Jira Data Center such as:

  • Outdated DB – There are many older platforms that Jira no longer supports, which would block a potential upgrade to the latest version. Check Atlassian’s list of supported platforms for the latest versions here.
  • Marketplace App compatibility – There are thousands of third party applications in the Atlassian ecosystem, and most instances have several installed. These Apps usually lag behind the latest Jira versions for compatibility when major changes are made, and need to be reviewed before performing the upgrade.
  • Change Management overhead – Many organizations have a robust change management process in place which may delay a system upgrade. While we do recommend having a robust change management process, it must include an expedited path for situations such as this security vulnerability.

If you are unable to upgrade for any reason, and this vulnerability does apply to your version of Jira Data Center… 

  • Remember, single node infrastructures are not affected, and while you should still plan to upgrade soon, it is not critical to complete right away.
  • Do you need a cluster? Migrating to a single, large node avoids this specific vulnerability without having to perform any upgrades.
  • Review and hand-tune your firewall rules based on Atlassian’s recommendations below.

Atlassian’s provided Mitigation plan for customers who are unable to upgrade to a fixed version immediately focuses on restricting port access. 

“Restrict access to the Ehcache RMI ports to Jira Data Center, Jira Core Data Center, and Jira Software Data Center, and Jira Service Management Data Center cluster instances via the use of firewalls or similar technologies.”

Specifically, the ports that need to be restricted are:

  • port 40001
  • port 40011
  • ports in the range 1024-65536
    • For Jira version 7.3.1 and above you can apply the workaround detailed here to avoid needing to restrict access to these ports
    • For Jira Service Management version 3.3.1 and above you can apply the workaround detailed here to avoid needing to restrict access to these ports
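The firewall part of that mitigation, as an added example that is not Atlassian's or Oxalis' own rule set: a POSIX sh script that prints iptables rules allowing ports 40001 and 40011 only from the other cluster nodes and dropping everything else. The node addresses and the chain name are constructed placeholders. The 1024-65536 range is deliberately left out: a blanket rule over it would also cut off Jira’s own HTTP listener, so apply Atlassian’s port-pinning workaround referenced above and then add the pinned ports to RMI_PORTS.

```shell
#!/bin/sh
# Generate iptables rules that allow the Ehcache RMI ports only from the other
# cluster nodes and drop everything else. Added example for this write-up, not
# Atlassian's or Oxalis' own tooling. Rules are printed rather than applied so
# they can be reviewed first; pipe the output into sh as root to apply them.

# Cluster peer addresses: constructed sample values, replace with your own.
CLUSTER_NODES="10.0.1.11 10.0.1.12 10.0.1.13"

# Ports named in the advisory above. The 1024-65536 range is deliberately not
# listed: a blanket rule on it would also block Jira's HTTP port, so pin the
# RMI ports with Atlassian's workaround and then add the pinned ports here.
RMI_PORTS="40001,40011"

# Print the rule set for the given chain name, node list and port list.
rmi_allowlist_rules() {
    chain=$1 nodes=$2 ports=$3
    echo "iptables -N $chain"
    # Route only the RMI ports through the dedicated chain
    echo "iptables -A INPUT -p tcp -m multiport --dports $ports -j $chain"
    for node in $nodes; do
        echo "iptables -A $chain -s $node -p tcp -j ACCEPT"
    done
    # Anything not coming from a cluster peer is dropped
    echo "iptables -A $chain -j DROP"
}

# Number of ACCEPT lines in a generated rule set (one per peer).
count_accepts() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Exit 0 if the generated rule set ends with the catch-all DROP.
ends_with_drop() {
    printf '%s\n' "$1" | tail -n 1 | grep -q -- '-j DROP'
}

rmi_allowlist_rules JIRA_RMI "$CLUSTER_NODES" "$RMI_PORTS"
```

`iptables -N` fails if the chain already exists, so flush and delete the chain before re-running after a node list change, and run the script on every node of the cluster so each one only accepts RMI connections from its peers.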

How to avoid future risks

Migrate to Atlassian Cloud

At the beginning of 2021, Atlassian announced their journey to cloud, showing their dedication to the Cloud products and services. Even though they will be decommissioning their Server offering, their Data Center platform will continue to be supported. There are many considerations to take into account before deciding to migrate to Atlassian Cloud, but it is certainly worth considering, as it is clear that Atlassian is focusing their efforts towards the Cloud.

  • Not a Lift-and-Shift – Migrating from Server/Data Center to Atlassian Cloud is not simply a lift-and-shift effort. There are many differences between the on-premise and cloud versions of Atlassian’s applications, along with differences in the Marketplace Apps. A short discovery effort is recommended to plan and map your migration effort to ensure success. You can learn more about our migration approach here.
  • Compliance – It’s possible Atlassian Cloud may not meet your compliance needs. Currently, Atlassian Cloud does NOT meet the following compliance standards:
    • HIPAA
    • FedRAMP Moderate
    • NIST 800-53
    • Review Atlassian’s cloud roadmap to see when they plan on meeting these compliance standards.
  • Trust – Atlassian’s team is dedicated to keeping the trust of their customers, and has you covered. Review information about security, reliability, privacy, and compliance for their products and services here.

Stay Up To Date

Staying on the most recent version continues to be the best strategy. Once a system is stable, it is easy to keep what works and quietly fall behind.

Build Security at Depth

While implementing zero trust architectures can be challenging, choosing architectural patterns that allow for isolation and segmentation of infrastructure components both reduces the blast radius and limits exploitation.

We’re here to help

If you need help understanding whether you’re at risk, hardening your existing infrastructure, finding ongoing maintenance help or moving to a more compliant infrastructure, our award winning team is here to help. As a group of technology consultants and product leaders operating in highly regulated industries, Oxalis has a strong focus on security. We don’t only care about it when a vulnerability is announced; it is a key part of how we operate as a firm.
