On October 17th 2023, Atlassian released a security advisory for Jira Service Management Data Center and Jira Service Management Server regarding CVE-2019-13990. Oxalis is sharing this information as part of our commitment to the security of Atlassian users, both our customers and the wider community.
This is a HIGH severity issue carrying a critical CVSS score of 9.8; if you believe you are impacted, you should remediate immediately. Because an attacker must be logged in to exploit the vulnerability, Atlassian has assessed it at only 8.4.
Oxalis recommends that organizations running impacted versions take immediate remediation steps.
Please Note: JIRA Cloud customers are NOT affected by this vulnerability.
Summary of this issue
CVE-2019-13990 affects specific versions of Jira Service Management Server and Data Center. These versions ship a vulnerable release of the Terracotta Quartz Scheduler, which allows an authenticated attacker to perform XML External Entity (XXE) injection by manipulating job descriptions.
Although the NVD classifies the severity of this vulnerability as critical at 9.4, Atlassian assesses it as HIGH (8.4, with the vector CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) based on its own internal evaluation.
XML External Entity (XXE) injection allows an attacker to read from the file system, reach backend systems, and access any resource the application itself can access. If mitigation or remediation steps are not taken, this can give an attacker full control of the infrastructure hosting your Jira Service Management instance.
It is important to note that Jira Software, Jira Core and all Cloud editions are not impacted by this vulnerability.
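The root cause of an XXE issue is an XML parser that honours DOCTYPE and entity declarations supplied by the caller. The following Python example, added here and not Atlassian's or Quartz's code, shows the defensive pattern: a job-description parser that refuses any DTD or entity declaration before the document body is processed, so an external entity is never resolved. The element names and both sample documents are constructed for illustration.

```python
"""Hardened parse of a Quartz-style XML job description (illustrative)."""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document tries to declare a DTD or an entity."""


# Constructed, benign job description (element names are assumed).
SAFE_JOB = """<?xml version="1.0" encoding="UTF-8"?>
<job-scheduling-data>
  <job><name>nightly-report</name><description>Build the nightly report</description></job>
</job-scheduling-data>"""

# Constructed probe: declares an external entity, the shape an XXE attempt takes.
# The URI is a placeholder, not a real target.
XXE_JOB = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE job [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>
<job-scheduling-data>
  <job><name>nightly-report</name><description>&ext;</description></job>
</job-scheduling-data>"""


def parse_job_description(xml_text: str) -> dict:
    """Return {'name': ..., 'description': ...}, or raise UnsafeXMLError.

    Any DOCTYPE or entity declaration aborts parsing immediately, which is
    the mitigation for XXE: the parser never gets a chance to fetch an
    external resource on the attacker's behalf.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields, text = {}, []

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE not allowed in job descriptions")

    def refuse_entity(*_):
        raise UnsafeXMLError("entity declaration not allowed")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.StartElementHandler = lambda tag, attrs: text.clear()
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = lambda tag: (
        fields.__setitem__(tag, "".join(text).strip())
        if tag in ("name", "description") else None)
    parser.Parse(xml_text, True)
    return fields


def is_safe_job_xml(xml_text: str) -> bool:
    """True if the document parses without any DTD or entity declaration."""
    try:
        parse_job_description(xml_text)
        return True
    except UnsafeXMLError:
        return False
```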
Which Jira Service Management Versions are affected?
The XXE vulnerability impacts Jira Service Management Server and Data Center from version 4.20.0 onwards. Versions outside the support window may also be at risk. Atlassian recommends upgrading to the fixed LTS version or a later release to mitigate this issue.
What should you do?
Installing a fixed version of Jira Service Management is the surest way to remediate CVE-2019-13990. Once a fixed version has been installed, all apps in your instance are protected against CVE-2019-13990 and no further action is required. Please reach out to Oxalis if you’re affected by this vulnerability and would like assistance.
Fixed Versions
What if I am unable to upgrade to a fixed version?
If you cannot promptly upgrade to a patched version, you can temporarily address this vulnerability by following these instructions to deactivate Assets on your Jira Service Management instance.
Note that if you take this approach, deactivating Assets makes the entire asset system unavailable. Disabling Assets also restarts the system, which may take up to 20 minutes depending on system size.
How to avoid future risks?
Migrate to Atlassian Cloud
At the beginning of 2021, Atlassian announced their journey to cloud, showing their dedication to the Cloud products and services. Even though they will be decommissioning their Server offering, their Data Center platform will continue to be supported. There are many considerations to take into account before deciding to migrate to Atlassian Cloud, but it is certainly worth considering, as it is clear that Atlassian is focusing their efforts towards the Cloud.
Stay Up To Date
Staying on the most recent version continues to be the best strategy. When an installation is stable, it is easy to stick with what works and fall out of date. For Oxalis customers on the Data Center versions of Atlassian products, we perform regular updates, including emergency patching to address vulnerabilities.
Build Security at Depth
While implementing a zero trust architecture can be challenging, choosing architectural patterns that allow isolation and segmentation of infrastructure components both reduces the blast radius and limits exploitation.
We’re here to help
If you require assistance in determining your vulnerability status related to CVE-2019-13990, our award-winning team is available to provide support. Oxalis, comprising technology consultants and product leaders operating in highly regulated sectors, treats security as a fundamental aspect of our operations. Our commitment to security goes beyond reacting to vulnerabilities; it is an integral part of our firm's ethos.