Atlassian has informed enterprise customers that a serious vulnerability in Jira Data Center and Jira Service Management Data Center has been fixed. The vulnerability allowed attackers to execute code.
Atlassian warned customers last week that the vulnerability in Jira Data Center and Jira Service Management Data Center also affects Jira Software Data Center and Jira Core Data Center. The company advises customers to upgrade to a patched version as soon as possible. Atlassian lists on its site which versions are affected and which have received a patch.
The vulnerability is tracked as CVE-2020-36239 and allows unauthenticated attackers to execute code remotely. The root cause is missing authentication on the Ehcache RMI network service: attackers could connect to it via port 40001 and possibly 40011. As a workaround, Atlassian recommends restricting access to the Ehcache RMI ports at the firewall so that only Jira Data Center, Jira Core Data Center, Jira Software Data Center and Jira Service Management Data Center cluster instances can reach them.
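The firewall workaround above can be expressed as host firewall rules that allow the Ehcache RMI ports only from the other cluster nodes and drop everything else. The script below is an added example, not Atlassian's own guidance or tooling: it generates iptables rules for the two ports named in the advisory (40001 and 40011) from a list of cluster node addresses. The node addresses and the subnet are constructed placeholders; the list should contain every node of the cluster, including the host the rules are applied on.

```shell
#!/bin/sh
# Added example: generate iptables rules that limit the Ehcache RMI ports
# (40001 and 40011, per the advisory) to the Jira Data Center cluster nodes.
# Cluster addresses below are constructed placeholders, not real hosts.

EHCACHE_PORTS="40001 40011"

# Print one ACCEPT rule per (node, port) pair followed by a DROP rule for the
# port. iptables matches first rule first, so cluster traffic is accepted and
# any other source hitting the Ehcache RMI port is dropped.
ehcache_rules() {
    nodes="$1"
    for port in $EHCACHE_PORTS; do
        for node in $nodes; do
            printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$node" "$port"
        done
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Number of rules generated: 2 ports x (N nodes + 1 DROP). Useful as a
# sanity check before applying to a production node.
ehcache_rule_count() {
    ehcache_rules "$1" | wc -l | tr -d ' '
}

# Constructed example cluster of three nodes on a private subnet.
CLUSTER_NODES="10.0.5.11 10.0.5.12 10.0.5.13"

# Default: print the rules for review. Pass "apply" as the first argument
# to execute them (requires root); persist them with your distribution's
# iptables-save mechanism afterwards.
if [ "${1:-}" = "apply" ]; then
    ehcache_rules "$CLUSTER_NODES" | sh
else
    ehcache_rules "$CLUSTER_NODES"
fi
```

Run without arguments to review the generated rules; run with `apply` as root to install them. The same intent maps directly onto nftables or a cloud security group: allow TCP 40001 and 40011 from cluster members only, deny from all other sources. After applying, confirm from a non-cluster host that a TCP connection to those ports is refused or times out, and from a cluster node that it still succeeds, so the workaround does not break cache replication.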
Jira is used by more than 180,000 customers for bug tracking and project management, according to Atlassian, but it is unclear how many of them run Jira Data Center or Jira Service Management Data Center.