Atlassian customers told to patch critical Jira vulnerability

Atlassian urges customers to update affected installations immediately


Atlassian has disclosed a critical vulnerability affecting several of its Jira Data Center products that could be exploited by remote attackers to execute arbitrary code.

The vulnerability tracked as CVE-2020-36239 exists in Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center products.

The vulnerability is the result of a missing authentication check in Jira's use of Ehcache, a widely used open source cache that Java applications rely on to improve performance and scalability.

Last month, cybersecurity researchers from Check Point Research found security flaws in Atlassian's collaboration software and developer tools, which could potentially be exploited to launch a SolarWinds-like supply-chain attack.

Critical flaw

Exploiting the newly patched flaw in the Jira Data Center products, remote attackers could connect to Ehcache's RMI (remote method invocation) ports without supplying any authentication, giving them the opportunity to execute arbitrary code of their choice in Jira via Java object deserialization.

In an email announcement seen by BleepingComputer, Atlassian is urging its enterprise customers to upgrade to the patched versions of these products without delay.

Atlassian has also published workarounds for customers who can't immediately update the affected instances; these essentially involve restricting access to the Ehcache RMI ports on the affected products so that only the other cluster nodes can reach them.
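Whether you apply the patch or the workaround, you will want to confirm from a host outside the cluster that the Ehcache RMI ports no longer answer. The script below is an added example, not Atlassian's code or anything from the advisory: it sends the standard Java RMI (JRMP) stream-protocol handshake to each port you name and reports whether something on the other end completed it. The port numbers are not stated in this article and are passed in by the operator; the host and port values in the comments are constructed for illustration.

```python
#!/usr/bin/env python3
"""Check whether TCP ports speak unauthenticated Java RMI (JRMP).

Added example for verifying the Ehcache RMI port restriction described above.
Usage: rmi_probe.py <jira-node-host> <port> [<port> ...]
Run it from a machine that is NOT a cluster node: after the workaround every
port should come back as "unreachable".
"""
import socket
import struct
import sys

# JRMP stream-protocol constants (Java RMI wire protocol).
JRMI_MAGIC = b"JRMI"      # 0x4a524d49
JRMI_VERSION = 2          # protocol version 2
STREAM_PROTOCOL = 0x4B    # client asks for the plain stream protocol
PROTOCOL_ACK = 0x4E       # server accepts
PROTOCOL_NACK = 0x4F      # server refuses


def build_jrmi_handshake() -> bytes:
    """First bytes a JRMP client sends: magic, 2-byte version, protocol byte."""
    return JRMI_MAGIC + struct.pack(">H", JRMI_VERSION) + bytes([STREAM_PROTOCOL])


def parse_jrmi_ack(data: bytes):
    """Parse the server's reply to the handshake.

    On ProtocolAck the server echoes the client's address as a Java UTF string
    (2-byte length + bytes) followed by a 4-byte port. Returns (host, port) on a
    well-formed ack, or None if the bytes are not a JRMP ProtocolAck.
    """
    if len(data) < 1 + 2 + 4 or data[0] != PROTOCOL_ACK:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + hlen + 4:
        return None
    host = data[3:3 + hlen].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[3 + hlen:3 + hlen + 4])
    return host, port


def probe_rmi(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a port: 'unreachable' (connect failed or filtered, the desired
    result after the workaround), 'silent' (accepted TCP but no reply),
    'other' (replied but not as RMI) or 'rmi' (completed the JRMP handshake,
    i.e. still exposed without authentication)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(build_jrmi_handshake())
            reply = sock.recv(256)
        except OSError:
            return "silent"
    if not reply:
        return "silent"
    return "rmi" if parse_jrmi_ack(reply) else "other"


def main(argv) -> int:
    if len(argv) < 3:
        print(__doc__)
        return 2
    host, ports = argv[1], [int(p) for p in argv[2:]]
    exposed = 0
    for port in ports:
        state = probe_rmi(host, port)
        print(f"{host}:{port} -> {state}")
        exposed += state == "rmi"
    # Non-zero exit if any port still answers the RMI handshake from here.
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The probe only performs the protocol handshake; it sends no serialized objects, so it is safe to run against production nodes. A result of "rmi" from a host that is not a cluster member means the port is still reachable without authentication and the workaround (or the firewall rule implementing it) has not taken effect.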


Via BleepingComputer

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he's TechRadar Pro's expert on the topic. Of course, he's just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
