Atlassian's Jira Services are vulnerable to attackers executing arbitrary remote code. The bug stemmed from unrestricted access to Ehcache RMI ports...
Atlassian encourages its enterprise customers to update their Data Center and Jira Management Services products to patch a critical Jira vulnerability. The vulnerability pursued as CVE-2020-36239 can give remote attackers the potential to execute arbitrary code due to a misplaced authorization bug in Jira's implementation of an open-source component - Ehcache.
Atlassian revealed the vulnerability yesterday that enables unauthorized attackers to implement arbitrary code in their Jira Data Center products. The company notified all customers through mail and urged them to upgrade their versions of Jira services a soon as possible.
Ehcache is a vastly used open-source cache predominantly used by Java applications for boosting performance, scalability, and stability. The bug originated because of unrestricted access to Ehcache to RMI ports. RMI enables programmers to invoke methods present inside remote objects - like those present inside an application running on a shared network. RMI stands for remote method invocation, similar to remote procedure calls (RPC) in object-oriented programming languages.
Multiple Jira products like Jira Data Center, Jira Software Data Center, and Jira Service Management center expose an Ehcache RMI network on different ports: 4000 and 4001. Remote threat actors can connect to these ports without any authentication to execute arbitrary code in Jira through a process called object deserialization.
According to reports, the vulnerability does not affect non-Data Center services of the Jira Server. The company encouraged all its enterprise users to upgrade Jira Datacenter and Jira Service Management Center to version number 8.5.16 and 4.5.16, respectively. Atlassian also issued a security advisory mentioning several workarounds to upgrade Jira services and restrict access to RMI ports.
The security advisory read, "From now, the fixed version of Jira will require a shared secret to access Ehcache service."