Atlassian Jira Service Management and Insight Asset Management’s Critical RCE Vulnerability – What you need to know

Posted on 10.20.2021
Written by Micah Walstein

Atlassian has announced a critical severity security vulnerability on certain versions of the Data Center platform for Jira Service Management. Oxalis has performed additional analysis on this vulnerability announcement and is confident that our current customers are protected by our security practices. This security vulnerability only affects Atlassian’s Data Center Jira Service Management products. Atlassian Cloud products and Jira Software are not affected, and if you are on either deployment, you are not impacted by this vulnerability.

Specifically, the CVE (Common Vulnerabilities and Exposures) ID for this vulnerability is: CVE-2018-10054 (Remote Code Execution through Insight – Asset Management).

As explained by Atlassian, in the affected versions of Jira Service Management:

“Insight – Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server (remote code execution a.k.a. RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test environments.”

Atlassian has created the following issue in their system for tracking, where updates will be published:

  • JSDSERVER-8716 – Jira Service Management / Insight Asset Management vulnerable to RCE Security

This vulnerability specifically affects the following versions of Jira Service Management Data Center:

  • All 4.15.x versions
  • All 4.16.x versions
  • All 4.17.x versions
  • All 4.18.x versions
  • All 4.19.x versions

Additionally, this vulnerability covers the following versions of Insight – Asset Management when acquired from the Atlassian Marketplace:

  • All 5.x versions
  • All 6.x versions
  • All 7.x versions
  • All 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x, 8.6.x, 8.7.x, 8.8.x versions
  • All 8.9.x versions before 8.9.3

If you are unsure of the best way to confirm the version of Jira Service Management or Insight Asset Management you are on, or have any other concerns, get support here!

You may not be vulnerable

According to Oxalis’ evaluation in addition to Atlassian’s announcement, exploitation of this vulnerability requires a user account with a high level of permissions. Specifically:

  • The user must be an authenticated Jira user AND
  • The user must have the user or group permission to “Insight administrator” OR “Object Schema Manager” within Insight – Asset Management

What you should do

Even if you’re not vulnerable, take the opportunity to review your security and maintenance procedures and controls. Critical vulnerabilities like this are rare, but preparation and strong defenses are far easier to put in place before one is announced than during the response.

It is also a good opportunity to audit user permissions and ensure that users haven’t been granted unnecessary extra permissions.

You have layers of protection to prevent exploitation

In order to exploit the issue, an attacker would need to have a valid, highly privileged user account.

Here are some of the ways that our deployments are protected against these types of threats:

  • Multi-factor user authentication to prevent account hijacking
  • Behavior-based authentication monitoring to detect unusual account activity
  • Serverless hosting and isolated instances, so that any remote code execution gains no additional access, reducing or eliminating the blast radius and preventing further privilege escalation.
  • Active monitoring of network traffic and IDS systems for early detection.

What you should do

Upgrade your system as soon as possible. Also review your maintenance processes to chart a path to staying up to date.

What to do if you believe you’re at risk

Upgrade to the latest release

The latest release of Jira Service Management (JSM) Data Center and the Marketplace version of Insight Asset Management have fixes to resolve this vulnerability. Staying up to date should be the baseline for security practices.

  • How to check current version
    • To find the version of Jira Data Center that you are on, click on the Administration cog and go to Applications. Here you can view the current version of your Jira applications.
      • Note: You will need to be a Jira Administrator to access Jira’s Administration menu.
    • Need help finding your current version of Jira Data Center? Get help immediately for assistance.
  • If you’re ready to upgrade, follow Atlassian’s upgrade process. New versions for the affected applications can be downloaded at:
  • Make a plan to stay up to date
    • At Oxalis, we hold regular maintenance windows for all deployments and applications. We continuously monitor, review, and upgrade to new releases for applications like Jira to ensure our clients’ systems are up to date.

Not Ready to upgrade, or can’t upgrade quickly?

There are various reasons why you may not be able to quickly upgrade to version 4.20.0 of Jira Service Management Data Center, such as:

  • Outdated DB – There are many older database platforms that Jira no longer supports, which would block a potential upgrade to the latest version. Check out the list of Atlassian’s supported platforms for the latest versions here.
  • Marketplace App compatibility – There are thousands of third-party applications in the Atlassian ecosystem, and most instances have several installed. These Apps usually lag behind the latest Jira versions for compatibility when major changes are made, and need to be reviewed before performing the upgrade.
  • Change Management overhead – Many organizations have a robust change management process in place which may delay a system upgrade. While we do recommend having a robust change management process, it must include an expedited path specifically for situations such as this security vulnerability.

If you are unable to upgrade for any reason, and this vulnerability does apply to your version of Jira Service Management:

  • Make sure that the user permissions required to exploit the vulnerability are limited
  • Remove the H2 database in your Jira Service Management installation based on Atlassian’s recommendations below.

To remove the H2 JAR file:

  • Shut down Jira
  • Go to <Jira-Installation-Directory>/atlassian-jira/WEB-INF/lib/
  • Locate the h2-1.4.XYZ.jar file and delete it (where “XYZ” is a placeholder for the version of the file, e.g. h2-1.4.200.jar)
  • Start Jira again
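As an added example (not Atlassian’s or Oxalis’ own tooling), the shell functions below audit a Jira install directory for the bundled H2 JAR at the path listed above, and move it to a backup directory rather than deleting it outright so the change can be reverted; the install path and backup directory are assumptions.

```shell
#!/bin/sh
# Added example (not Atlassian's or Oxalis' code): audit a Jira Service Management
# install directory for the bundled H2 JAR, using the layout quoted in the post:
#   <Jira-Installation-Directory>/atlassian-jira/WEB-INF/lib/

# Print every bundled H2 JAR under the install directory.
# Returns 0 when none is present (mitigation already applied), 1 when at least one
# is found, and 2 when the lib directory does not exist (wrong path or not a Jira install).
find_h2_jars() {
  lib_dir="$1/atlassian-jira/WEB-INF/lib"
  [ -d "$lib_dir" ] || { echo "lib directory not found: $lib_dir" >&2; return 2; }
  found=0
  for jar in "$lib_dir"/h2-1.4.*.jar; do
    [ -e "$jar" ] || continue        # an unmatched glob stays literal; skip it
    echo "H2 JAR present: $jar"
    found=1
  done
  return "$found"
}

# Move (rather than delete) every H2 JAR into a backup directory outside WEB-INF/lib.
# Jira must already be shut down, as in the post's steps; start it again afterwards.
# Returns 0 on success, 1 if no JAR was there to remove, 2 if the backup dir can't be created.
remove_h2_jars() {
  lib_dir="$1/atlassian-jira/WEB-INF/lib"
  backup_dir="$2"
  mkdir -p "$backup_dir" || return 2
  moved=0
  for jar in "$lib_dir"/h2-1.4.*.jar; do
    [ -e "$jar" ] || continue
    mv "$jar" "$backup_dir/" && echo "moved $(basename "$jar") to $backup_dir" && moved=1
  done
  [ "$moved" -eq 1 ]
}

# Usage (assumed paths): find_h2_jars /opt/atlassian/jira
#                        remove_h2_jars /opt/atlassian/jira /var/backups/jira-h2
```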

In a Data Center environment, a rolling restart of the nodes is sufficient after deleting the JAR. If you are running Jira Service Management in a containerized environment, removing the H2 JAR requires a different process. Contact Us for assistance.

How to avoid future risks

Migrate to Atlassian Cloud

At the beginning of 2021, Atlassian announced their journey to cloud, showing their dedication to the Cloud products and services. Even though they will be decommissioning their Server offering, their Data Center platform will continue to be supported. There are many considerations to take into account before deciding to migrate to Atlassian Cloud, but it is certainly worth considering, as it is clear that Atlassian is focusing their efforts towards the Cloud.

  • Not a Lift-and-Shift – Migrating from Server/Data Center to Atlassian Cloud is not simply a lift-and-shift effort. There are many differences between the on-premises and cloud versions of Atlassian’s applications, along with differences in the Marketplace Apps. A short discovery effort is recommended to plan and map your migration effort to ensure success. You can learn more about our migration approach here.
  • Compliance – It’s possible Atlassian Cloud may not meet your compliance needs. Currently, Atlassian Cloud does NOT meet the following compliance standards:
    • HIPAA
    • FedRAMP Moderate
    • NIST 800.53
    Review Atlassian’s cloud roadmap to see when they plan on meeting these compliance standards.
  • Trust – Atlassian’s team is dedicated to keeping the trust of their customers, and has you covered. Review information about security, reliability, privacy, and compliance for their products and services here.

Stay Up To Date

Staying on the most recent version continues to be the best strategy. When a system is stable, it is easy to keep what works and gradually fall out of date.

Build Security at Depth

While implementing zero trust architectures can be challenging, choosing architectural patterns that allow for isolation and segmentation of infrastructure components both reduces the blast radius and limits exploitation.

We’re here to help

If you need help understanding if you’re at risk, hardening your existing infrastructure, are looking for ongoing maintenance help, or want to move to a more compliant infrastructure, our award-winning team is here to help. As a group of technology consultants and product leaders that operate in various highly regulated industries, Oxalis has a strong focus on security. We don’t just care when vulnerabilities occur; it’s a key piece of how we operate as a firm.
