Alert Logic® is actively researching an unauthenticated remote code execution (RCE) vulnerability in Atlassian Jira (CVE-2019-11581). Successful exploitation gives an attacker code execution on the victim host and therefore complete control over it, including the ability to install persistence. Exploit code is publicly available, and Alert Logic has observed active attacks against our customers using this vulnerability.
Any customer with Jira exposed to the public internet and running one of the affected versions of Jira Server or Data Center listed in the Recommendations for Mitigation section below is affected by this vulnerability. Atlassian recommends upgrading immediately to a fixed version of Jira Server or Jira Data Center. Jira Cloud customers are not affected.
According to Atlassian, CVE-2019-11581 is a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. For this issue to be exploitable, at least one of the following conditions must be met:
- an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or
- an SMTP server has been configured in Jira and an attacker has "JIRA Administrators" access.
In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with "JIRA Administrators" access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has developed vulnerability scan coverage to identify vulnerable assets.
Network IDS: Alert Logic can identify exploitation of this vulnerability with an existing telemetry signature; however, we are currently developing a specific signature to enable more efficient monitoring by the Alert Logic Security Operations Center.
Web Application: Existing Alert Logic web application coverage will detect attacks targeted at exploiting CVE-2019-11581. If the Alert Logic inline web application firewall is in Protect mode, it will also block these attacks.
Log Management: At this time, it is not expected that log detection is appropriate for this threat; however, Alert Logic will continue this assessment.
Recommendations for Mitigation
All versions of Jira Server and Data Center in the following ranges are affected by this vulnerability:
- from 4.4.0 before 7.6.14 (the fixed version for 7.6.x);
- from 7.7.0 before 7.13.5 (the fixed version for 7.13.x);
- from 8.0.0 before 8.0.3 (the fixed version for 8.0.x);
- from 8.1.0 before 8.1.2 (the fixed version for 8.1.x); and
- from 8.2.0 before 8.2.3 (the fixed version for 8.2.x).
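As an added example (not Alert Logic's or Atlassian's code), the following Python script turns the affected-version ranges above into a check that can be run against an inventory of Jira Server or Data Center version strings. The version bounds are taken directly from this article; the version strings fed to it at the bottom are constructed for illustration. Versions that fall outside every listed range (for example, anything before 4.4.0 or from 8.3.0 onwards) are reported as not affected only because the article does not list them, and a version string that cannot be parsed is treated as an error rather than silently reported as safe.

```python
# Added example, not part of the original advisory: classify Jira Server /
# Data Center version strings against the CVE-2019-11581 affected ranges
# quoted in this article.
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive upper bound) for each affected branch.
# The upper bound of each range is the first fixed release for that branch,
# exactly as listed in the Recommendations for Mitigation section.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((4, 4, 0), (7, 6, 14)),   # 4.4.0  <= v < 7.6.14
    ((7, 7, 0), (7, 13, 5)),   # 7.7.0  <= v < 7.13.5
    ((8, 0, 0), (8, 0, 3)),    # 8.0.0  <= v < 8.0.3
    ((8, 1, 0), (8, 1, 2)),    # 8.1.0  <= v < 8.1.2
    ((8, 2, 0), (8, 2, 3)),    # 8.2.0  <= v < 8.2.3
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple.

    A missing patch component counts as 0. Anything else (build suffixes,
    'x' placeholders, empty strings) is rejected: an unparseable version
    must raise rather than come out as 'not affected' by accident.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jira version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def minimum_fix(version: str) -> Optional[str]:
    """Return the first fixed release of the affected branch that `version`
    falls into, or None when the version is in none of the listed ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return ".".join(str(n) for n in high)
    return None


def is_affected(version: str) -> bool:
    """True when `version` lies inside one of the affected ranges."""
    return minimum_fix(version) is not None


def triage(versions: List[str]) -> List[Tuple[str, str]]:
    """Produce (version, verdict) pairs for an inventory of version strings.

    Verdicts are 'AFFECTED -> upgrade to X', 'not in listed ranges', or
    'UNPARSEABLE' so that bad inventory data is visible in the report.
    """
    report = []
    for text in versions:
        try:
            fix = minimum_fix(text)
        except ValueError:
            report.append((text, "UNPARSEABLE"))
            continue
        if fix is None:
            report.append((text, "not in listed ranges"))
        else:
            report.append((text, f"AFFECTED -> upgrade to {fix}"))
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real data).
    sample_inventory = ["7.6.13", "7.6.14", "7.12.0", "8.0.2", "8.1.2",
                        "8.2.1", "8.3.0", "5.0", "8.2.x"]
    for version, verdict in triage(sample_inventory):
        print(f"{version:>8}  {verdict}")
```

Run it as a script to see the sample report, or import `triage` and feed it the version strings gathered from your own asset inventory; a vulnerability scan (see the Alert Logic Coverage section) remains the authoritative check, since this script only compares version strings and cannot tell whether the Contact Administrators form or an SMTP server is configured.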
Atlassian recommends that you immediately upgrade to the latest version. If you are unable to upgrade Jira immediately, a temporary workaround is available. For more information on affected versions, upgrading, and the temporary workaround, refer to JIRA Security Advisory 2019-07-10.
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click the FOLLOW button at the top of the article. You must be signed in to the Support Center using your Alert Logic product credentials to follow this article.
07/16/2019: Vulnerability scan coverage is now available to identify vulnerable assets.