This week, a critical security vulnerability was fixed in Jira Service Management Server, a popular IT service management platform for enterprises. The bug could have allowed attackers to impersonate users and obtain access tokens, potentially affecting external customers as well if the instance was configured to allow public sign-up. Versions 5.3.0 to 5.3.1 and 5.4.0 to 5.5.0 of Jira Service Management Server and Data Center were affected. Atlassian has released fixed versions of the software, as well as a workaround that involves updating a single JAR file in impacted deployments.

The vulnerability, tracked as CVE-2023-22501, is classified as a broken authentication issue and is rated critical on Atlassian's severity scale. If an attacker has write access to a User Directory and outgoing email is enabled on a Jira Service Management instance, they can obtain signup tokens sent to users whose accounts have never been logged into. These tokens can be obtained if the attacker is included on Jira issues or requests together with these users, or if the attacker is forwarded or otherwise gains access to emails containing a View Request link from these users. Bot accounts created to work with Jira Service Management are particularly exposed to this scenario. While the flaw does not affect users synced via read-only User Directories or SSO, users who interact with the instance via email are still affected even when SSO is enabled.

Atlassian recommends that companies that do not expose Jira Service Management publicly should still update to a fixed version as soon as possible. If they cannot upgrade the whole system, they should download the fixed servicedesk-variable-substitution-plugin JAR for their particular version, stop Jira, copy the file into the /plugins/installed-plugins directory and then start Jira again.

If it is determined that a Jira Service Management Server/DC instance has been compromised, it is advised to immediately shut down and disconnect the server from the network/internet, along with any other systems that potentially share a user base or have common username/password combinations with the compromised system. Companies should also search the database for users with the com. Usertokendeletetask.completed property set to TRUE since the vulnerable version was installed, verify that those users have the correct email addresses, and force a password reset for all potentially affected users.
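The article gives two facts an administrator acts on first: the inclusive affected version ranges (5.3.0 to 5.3.1 and 5.4.0 to 5.5.0) and the choice between upgrading and applying the single-JAR workaround. The following is an added example, written for this page and not Atlassian's tooling or code from the original article, of a small triage helper that compares a reported Jira Service Management version against exactly those ranges and picks the remediation path. The function names, the handling of a "-suffix" in the version string, and the sample versions in the usage section are assumptions made here.

```python
"""Triage helper for CVE-2023-22501 (Jira Service Management Server/DC).

Added example for this article, not Atlassian tooling. It encodes the
affected ranges stated in the advisory text and answers two questions:
is this deployment in scope, and should it upgrade or apply the JAR
workaround?
"""
from typing import List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, exactly as stated in the article:
# 5.3.0 to 5.3.1 and 5.4.0 to 5.5.0.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((5, 3, 0), (5, 3, 1)),
    ((5, 4, 0), (5, 5, 0)),
)


def parse_version(version: str) -> Version:
    """Turn a version string such as '5.4.1' into a comparable tuple.

    Assumption: a trailing '-suffix' (e.g. a build qualifier) is ignored.
    Anything that is not MAJOR.MINOR.PATCH raises ValueError so that a
    malformed input never silently reads as 'not affected'.
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the inclusive ranges."""
    v = parse_version(version)
    # Tuple comparison is lexicographic, so 5.4.1 sorts between 5.4.0 and 5.5.0.
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(version: str, can_upgrade: bool) -> str:
    """Return the remediation path for one deployment.

    'not-affected'   : version outside the stated ranges
    'upgrade'        : in scope and a full upgrade is possible
    'workaround-jar' : in scope, upgrade not possible, replace the
                       servicedesk-variable-substitution-plugin JAR
    """
    if not is_affected(version):
        return "not-affected"
    return "upgrade" if can_upgrade else "workaround-jar"


def triage_fleet(deployments: List[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """Triage a list of (hostname, version, can_upgrade) records.

    Returns (hostname, decision) pairs; malformed versions are reported as
    'needs-manual-review' rather than dropped.
    """
    results = []
    for host, version, can_upgrade in deployments:
        try:
            results.append((host, triage(version, can_upgrade)))
        except ValueError:
            results.append((host, "needs-manual-review"))
    return results


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [
        ("jsm-prod-01", "5.4.1", True),
        ("jsm-prod-02", "5.5.0", False),
        ("jsm-legacy", "5.3.1-jira9", False),
        ("jsm-dev", "5.5.1", True),
        ("jsm-unknown", "latest", True),
    ]
    for host, decision in triage_fleet(inventory):
        print(f"{host:12s} {decision}")
```

Because the advisory says organisations not exposing the instance publicly should still patch, the helper deliberately has no "internal only" exemption; exposure only changes urgency, not whether a host is in scope.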
This Cyber News was published on www.csoonline.com. Publication date: Fri, 03 Feb 2023 21:22:02 +0000