Patch your Jira Service Management Server and Data Center and check for compromise! (CVE-2023-22501)
Australian software maker Atlassian has released patches for CVE-2023-22501, a critical authentication vulnerability in Jira Service Management Server and Data Center, and is urging users to upgrade quickly.
“Installing a fixed version of Jira Service Management is the recommended way to remediate this vulnerability. If you are unable to immediately upgrade Jira Service Management, you can manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround,” they advised.
About CVE-2023-22501
Jira Service Management Server and Data Center are enterprise solutions for IT service management, connecting and allowing collaboration between development, IT operations, and business teams.
CVE-2023-22501 is a vulnerability that breaks the authentication on local vulnerable instances and allows attackers to impersonate another user and gain access to the instance under certain circumstances.
“With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases: if the attacker is included on Jira issues or requests with these users, or if the attacker is forwarded or otherwise gains access to emails containing a ‘View Request’ link from these users,” Atlassian explained.
“Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.”
No mitigations, fix advised, look for possibly affected accounts
Jira Service Management Server and Data Center versions 5.3.0 to 5.3.2 and 5.4.0 to 5.5.0 are affected, and customers are advised to install a fixed version: 5.3.3, 5.4.2, 5.5.1, 5.6.0 or later. The company urges customers to upgrade even if their instance isn’t exposed to the internet, and even if they are using an external user directory with SSO enabled to interact with the instance.
There is no project permission scheme or project setting that can mitigate this vulnerability, they added.
Atlassian did not say how they came to know about the existence of CVE-2023-22501, and noted that they have no insight into whether it was exploited on a customer’s instance for unauthorized access. They also noted that no notification or email is sent if an attacker changes a user’s password. So, after upgrading the instance, customers should list possibly affected accounts, i.e., accounts that had a password changed and have been logged into since the vulnerable version was installed.
For those accounts, they should:
- Verify that the email addresses associated with the accounts have not been changed
- Force a password change for all potentially compromised users
- Navigate to a user’s public profile and look into the activity stream to verify recent interactions with Jira tickets
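As an added illustration (not from the article or from Atlassian), the triage criteria above expressed as a script over a constructed user-directory export: an account is flagged when its password was changed and it has been logged into since the vulnerable version was installed, and a changed email address is reported alongside. The record fields, the sample accounts and the install date are assumptions; in practice these values come from your own Jira user directory and a pre-incident backup.

```python
"""Post-upgrade triage for CVE-2023-22501 (illustrative, assumed data layout)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass
class UserRecord:
    username: str
    email: str                 # address currently in the user directory
    baseline_email: str        # address from a backup taken before the vulnerable install
    password_changed: Optional[datetime]   # None = never changed
    last_login: Optional[datetime]         # None = account never logged into


# Assumed date on which the first vulnerable build (5.3.0 .. 5.5.0) was installed.
VULNERABLE_SINCE = datetime(2022, 11, 1, tzinfo=UTC)


def possibly_affected(user: UserRecord, since: datetime) -> bool:
    """Advisory criterion: password changed AND logged into since the vulnerable install."""
    return (user.password_changed is not None and user.password_changed >= since
            and user.last_login is not None and user.last_login >= since)


def triage(users: List[UserRecord], since: datetime) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for accounts needing the manual follow-up steps."""
    findings: Dict[str, List[str]] = {}
    for user in users:
        if not possibly_affected(user, since):
            continue
        reasons = ["password changed and login recorded since vulnerable install"]
        if user.email.strip().lower() != user.baseline_email.strip().lower():
            reasons.append(f"email changed: {user.baseline_email} -> {user.email}")
        findings[user.username] = reasons
    return findings


# Constructed sample export; none of these are real accounts.
SAMPLE = [
    UserRecord("svc-build-bot", "svc-build-bot@example.com", "svc-build-bot@example.com",
               datetime(2023, 1, 20, tzinfo=UTC), datetime(2023, 1, 21, tzinfo=UTC)),
    UserRecord("jdoe", "jdoe@example.com", "jdoe@example.com",
               datetime(2022, 6, 1, tzinfo=UTC), datetime(2023, 1, 30, tzinfo=UTC)),
    UserRecord("customer-42", "mailbox@attacker.example", "customer-42@example.com",
               datetime(2023, 1, 25, tzinfo=UTC), datetime(2023, 1, 25, tzinfo=UTC)),
    UserRecord("never-used", "never-used@example.com", "never-used@example.com", None, None),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE, VULNERABLE_SINCE).items():
        print(name, "->", "; ".join(reasons))
```

Flagged accounts are the ones to force a password change on and to review in the activity stream; jdoe is skipped because the password change predates the vulnerable install, and never-used has no login at all.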
“If it is determined that your Jira Service Management Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet. Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system. Before doing anything else you will need to work with your local security team to identify the scope of the breach and your recovery options,” they concluded.