Security News > 2021 > July > Critical Jira Flaw in Atlassian Could Lead to RCE
Atlassian has dropped a patch for a critical vulnerability in many versions of its Jira Data Center and Jira Service Management Data Center products, which can lead to arbitrary code execution.
Atlassian is a platform that's used by 180,000 customers to engineer software and manage projects, and Jira is its proprietary bug-tracking and agile project-management tool.
Atlassian "strongly suggests" restricting access to the Ehcache ports to only Data Center instances, but noted that there's a caveat: "Fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service," according to the advisory.
Atlassian's advisory said that customers who have downloaded and installed any affected versions "must upgrade their installations immediately to fix this vulnerability." Having said that, Atlassian also noted that the "Critical" rating is its own assessment and that customers "should evaluate its applicability to your own IT environment."
Customers who have upgraded Jira Data Center, Jira Core Data Center or Jira Software Data Center to versions 8.5.16, 8.13.8 or 8.17.0, and/or Jira Service Management Data Center to versions 4.5.16, 4.13.8 or 4.17.0, are off the hook: they don't need to upgrade.
"This could lead to targeted campaigns that focus on developers that then seek to drop malware that exploits the Atlassian vulnerabilities for further manipulation of product development," he said.
News URL
https://threatpost.com/atlassian-critical-jira-flaw/168053/