Critical Jira Flaw in Atlassian Could Lead to RCE (Security News, July 2021)

Atlassian has dropped a patch for a critical vulnerability in many versions of its Jira Data Center and Jira Service Management Data Center products, which can lead to arbitrary code execution.
Atlassian is a platform that's used by 180,000 customers to engineer software and manage projects, and Jira is its proprietary bug-tracking and agile project-management tool.
Atlassian "strongly suggests" restricting access to the Ehcache ports to Data Center instances only, but noted a caveat: "Fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service," according to the advisory.
Atlassian's advisory said that customers who have downloaded and installed any affected versions "must upgrade their installations immediately to fix this vulnerability." Having said that, Atlassian also noted that the "Critical" rating is its own assessment and that customers "should evaluate its applicability to your own IT environment."
Customers who have already upgraded Jira Data Center, Jira Core Data Center or Jira Software Data Center to versions 8.5.16, 8.13.8 or 8.17.0, and/or Jira Service Management Data Center to versions 4.5.16, 4.13.8 or 4.17.0, are off the hook: they don't need to upgrade.
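The port restriction Atlassian suggests, as an added shell example (not code from the advisory or the Threatpost article): it emits an iptables allowlist so only the named Data Center nodes can reach this node's Ehcache ports, and lets you check what the policy would do for a given source before applying it. The port numbers are assumptions based on the defaults Jira DC sets in cluster.properties (ehcache.listener.port 40001, ehcache.object.port 40011); confirm them on your own nodes.

```shell
# Added example, not from the advisory. Ehcache RMI ports are an assumption
# (Jira DC defaults: ehcache.listener.port=40001, ehcache.object.port=40011);
# override EHCACHE_PORTS with the values from your cluster.properties.
EHCACHE_PORTS="${EHCACHE_PORTS:-40001 40011}"

# Print INPUT-chain rules: one ACCEPT per peer per port, then a DROP for each
# port so every non-cluster source is rejected. The rules are printed rather
# than applied so they can be reviewed (or piped to sh) on the node.
build_ehcache_rules() {
    peers="$1"          # space-separated IPs of the other Data Center nodes
    for port in $EHCACHE_PORTS; do
        for peer in $peers; do
            printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$peer" "$port"
        done
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Evaluate the generated policy for one source IP and port: prints ACCEPT for a
# listed peer (exit 0), DROP for any other source (exit 1), and NOT-EHCACHE
# (exit 2) when the port is outside this policy. Use it as a pre-check so a
# legitimate node is not locked out of the cache after rollout.
ehcache_policy_decision() {
    src="$1"; port="$2"; peers="$3"
    case " $EHCACHE_PORTS " in
        *" $port "*) ;;
        *) printf 'NOT-EHCACHE\n'; return 2 ;;
    esac
    for peer in $peers; do
        if [ "$peer" = "$src" ]; then printf 'ACCEPT\n'; return 0; fi
    done
    printf 'DROP\n'; return 1
}

# Constructed sample cluster: two peer nodes on a private subnet.
# build_ehcache_rules "10.0.1.11 10.0.1.12"
# ehcache_policy_decision 203.0.113.5 40001 "10.0.1.11 10.0.1.12"   # DROP
```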
"This could lead to targeted campaigns that focus on developers that then seek to drop malware that exploits the Atlassian vulnerabilities for further manipulation of product development," he said.
News URL: https://threatpost.com/atlassian-critical-jira-flaw/168053/