Atlassian closes critical remote code execution flaw in Jira Server


Atlassian has released a patch for a critical vulnerability in Jira Server. Through the vulnerability, tracked as CVE-2019-11581, an attacker can remotely execute code on systems running vulnerable versions of Jira Server or Jira Data Center.

The vulnerability was introduced in version 4.4.0 of Jira Server and Jira Data Center, released in 2011, writes The Daily Swig. Atlassian advises users to install the released patch.

Whether the injection vulnerability can be exploited depends partly on how the system is configured. If an SMTP server is configured in Jira and the Contact Administrators Form is enabled, an attacker can exploit the flaw without authenticating.

The flaw can also be abused where an SMTP server is configured in Jira and the attacker already has administrator access. In both cases, the attacker can plant malicious code on the system.

Temporary solution

If a user cannot upgrade Jira right away, there is a temporary workaround: the Contact Administrators Form must be disabled, and access to the /secure/admin/SendBulkMail!default.jspa endpoint must be blocked.

This does mean, however, that Jira Administrators can no longer send bulk e-mails to users. Once the patch has been installed, the endpoint can be re-enabled.
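The workaround above hinges on an access-control rule for one endpoint, and a rule that compares the raw request string can miss requests that spell the same path differently (different letter case, percent-encoded characters, a `;jsessionid=...` path parameter, a Jira context path such as `/jira`). The following is an added example, not code from the article or from Atlassian: it normalizes a request target before matching it against the endpoints the workaround names, then runs that check over a few constructed access-log lines so an administrator can confirm that requests to the blocked endpoint are actually being refused. The path of the Contact Administrators form (`/secure/ContactAdministrators!default.jspa`) is not given on the page and is an assumption here; the log format and all log lines are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoint named in the workaround described in the article.
BULK_MAIL_ENDPOINT = "/secure/admin/SendBulkMail!default.jspa"
# Assumed path of the Contact Administrators form (not stated on the page).
CONTACT_ADMINS_ENDPOINT = "/secure/ContactAdministrators!default.jspa"

# Compared case-insensitively against the normalized request path.
BLOCKED_PATHS = {BULK_MAIL_ENDPOINT.lower(), CONTACT_ADMINS_ENDPOINT.lower()}

# Common-log-style line as a Tomcat/Jira access log might write it (constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalize_path(raw_target: str) -> str:
    """Reduce a request target to a comparable path.

    Drops the query string, decodes percent-encoding, strips any
    ';jsessionid=...' path parameter, collapses duplicate slashes and
    lowercases, so one rule matches the endpoint however it is written.
    """
    path = urlsplit(raw_target).path
    path = unquote(path)
    path = path.split(";", 1)[0]
    while "//" in path:
        path = path.replace("//", "/")
    return path.lower()


def is_workaround_blocked(raw_target: str) -> bool:
    """True if the request targets an endpoint the workaround says to block.

    endswith() allows for a Jira context path (e.g. /jira/secure/...).
    """
    path = normalize_path(raw_target)
    return any(path.endswith(blocked) for blocked in BLOCKED_PATHS)


def find_blocked_endpoint_hits(log_lines):
    """Return (ip, method, target, status) for every request to a blocked endpoint."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # skip lines that are not in the expected format
        if is_workaround_blocked(match["target"]):
            hits.append((match["ip"], match["method"], match["target"], int(match["status"])))
    return hits


def still_reachable(log_lines):
    """Hits that were answered with something other than a refusal.

    After the workaround is in place, every request to these endpoints
    should be refused; a 2xx/3xx here means the block rule is not matching.
    """
    return [hit for hit in find_blocked_endpoint_hits(log_lines) if hit[3] not in (401, 403, 404)]


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2019:09:14:02 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120',
    '10.0.0.7 - - [10/Jul/2019:09:15:11 +0000] "POST /secure/admin/SendBulkMail!default.jspa HTTP/1.1" 200 812',
    '10.0.0.9 - - [10/Jul/2019:09:16:40 +0000] "GET /jira/secure/ContactAdministrators%21default.jspa;jsessionid=ABC HTTP/1.1" 403 231',
    '10.0.0.9 - - [10/Jul/2019:09:17:03 +0000] "GET /secure/admin/SendBulkMail!default.jspa?atl_token=x HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for hit in find_blocked_endpoint_hits(SAMPLE_LOG):
        print("blocked-endpoint request:", hit)
    for hit in still_reachable(SAMPLE_LOG):
        print("WARNING: still reachable:", hit)
```

In the sample, the dashboard request is ignored, the three requests to the named endpoints are reported, and the two that received a 200 are flagged because a correctly applied block rule would have refused them. The same `normalize_path` logic is what a reverse-proxy or web-server rule needs to apply before comparing paths; matching only the literal string from the advisory is not enough.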

Jira is Atlassian's main product; it lets teams track software development. Atlassian stresses that users of Jira Cloud are not affected by the flaw. Only users of Jira Software, Jira Core and Jira Service Desk are affected.

Expansion of Jira Software

Atlassian acquired AgileCraft in March this year to extend its Jira products. AgileCraft makes software that lets companies map and track projects, and it is designed to work with the Jira tools, so the two companies share customers who use both.

With the acquisition, Atlassian is shifting its focus from selling software development tools to a wider range of enterprise software.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.