Atlassian Jira 8.13.x < 8.13.21 / 8.20.x < 8.20.9 / 8.22.x < 8.22.3 / 9.0.0 SQLI (JRASERVER-73885)

critical Nessus Plugin ID 162398

Synopsis

The remote Atlassian Jira host is missing a security update.

Description

The version of Atlassian Jira installed on the remote host is prior to 8.13.x < 8.13.21 / 8.20.x < 8.20.9 / 8.22.x < 8.22.3 / 9.0.0. It is, therefore, affected by a vulnerability as referenced in the JRASERVER-73885 advisory.

- The version of {{log4j}} used by Jira has been updated from version *1.2.7-atlassian-3* to
*1.2.7-atlassian-16* to address the following vulnerabilities:
[CVE-2021-4104|https://www.cve.org/CVERecord?id=CVE-2021-4104] JMSAppender is vulnerable to a deserialization flaw. A local attacker with privileges to update the Jira configuration can exploit this to execute arbitrary code. Jira is not configured to use JMSAppender, nor does Atlassian provide any documentation on using JMSAppender with Jira. Atlassian has [remediated this vulnerability by preventing external JNDI lookups|https://bitbucket.org/atlassian/log4j1/pull-requests/9] in the Atlassian version of {{{}log4j{}}}. [CVE-2020-9493|https://www.cve.org/CVERecord?id=CVE-2020-9493] and [CVE-2022-23307|https://www.cve.org/CVERecord?id=CVE-2022-23307] Apache Chainsaw is bundled with {{log4j}} 1.2.x, and is vulnerable to a deserialization flaw. A remote, unauthenticated attacker could exploit this to execute arbitrary code. Please note that Chainsaw is a log viewer that is designed to be executed manually. It is not required by Jira, nor is it executed by default, nor does Atlassian provide any documentation on using Chainsaw with Jira. Atlassian has [remediated this vulnerability by removing Chainsaw|https://bitbucket.org/atlassian/log4j1/commits/3a06f7e94efa98331a875532212a3005fd9766d0] from the Atlassian version of {{{}log4j{}}}. [CVE-2022-23302|https://www.cve.org/CVERecord?id=CVE-2022-23302] JMSSink is vulnerable to a deserialization flaw. A local attacker with privileges to update the Jira configuration can exploit this to execute arbitrary code. Jira is not configured to use JMSSink by default, nor does Atlassian provide any documentation on using JMSSink with Jira. Atlassian has [remediated this vulnerability by removing JMSSink|https://bitbucket.org/atlassian/log4j1/commits/48b34334e5278dfd52b361b1ec6943ca4c3b997e] from the Atlassian version of {{{}log4j{}}}. [CVE-2022-23305|https://www.cve.org/CVERecord?id=CVE-2022-23305] JDBCAppender is vulnerable to a SQL injection flaw when configured to use the message converter ({{{}%m{}}}). A remote, unauthenticated attacker can exploit this to execute arbitrary SQL queries. Jira is not configured to use JDBCAppender by default, nor does Atlassian provide any documentation on using JDBCAppender with Jira. Atlassian has [remediated this vulnerability by removing JDBCAppender|https://bitbucket.org/atlassian/log4j1/commits/b933fe460d64ccfc027b4efee74a5ce1875fe3be] from the Atlassian version of {{{}log4j{}}}. Affected versions of Jira: * Versions < 8.13.21 * All versions 8.14.x through 8.19.x * Versions 8.21.x * Versions 8.22.x < 8.22.3 Fixed versions of Jira: * Versions 8.13.x >= 8.13.21 * Versions 8.20.x >= 8.20.9 * Versions 8.22.x >= 8.22.3 * Versions >= 9.0.0 (atlassian- JRASERVER-73885)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Atlassian Jira version 8.13.21, 8.20.9, 8.22.3, 9.0.0 or later.

See Also

https://jira.atlassian.com/browse/JRASERVER-73885

Plugin Details

Severity: Critical

ID: 162398

File Name: jira_9_0_0_jraserver-73885.nasl

Version: 1.3

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 6/18/2022

Updated: 6/19/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS Score Source: CVE-2020-9493

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*

Required KB Items: installed_sw/Atlassian JIRA

Exploit Ease: No known exploits are available

Patch Publication Date: 6/6/2022

Vulnerability Publication Date: 6/6/2022

Reference Information

CVE: CVE-2020-9493