
Remote Code Execution Vulnerability in Multiple Products Such as Jira Data Center (CVE-2020-36239)

Jul 26, 2021 GMT+08:00

I. Overview

Atlassian disclosed a remote code execution vulnerability (CVE-2020-36239) affecting multiple products, including Jira Data Center and Jira Service Management Data Center. These products expose the Ehcache RMI network service on default ports such as 40001. Because the service performs no authentication, an attacker who can reach the port can achieve arbitrary code execution in Jira through deserialization.

Jira is a defect tracking system used for defect management, task tracking, and project management. If you are a Jira user, check your Jira version and apply the security hardening promptly.

Reference: Jira Data Center And Jira Service Management Data Center Security Advisory 2021-07-21

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Jira Data Center, Jira Core Data Center, Jira Software Data Center – ranges

6.3.0 <= version < 8.5.16

8.6.0 <= version < 8.13.8

8.14.0 <= version < 8.17.0

Jira Service Management Data Center – ranges

2.0.2 <= version < 4.5.16

4.6.0 <= version < 4.13.8

4.14.0 <= version < 4.17.0

Secure versions:

Jira Data Center, Jira Core Data Center, Jira Software Data Center

Version 8.5.16 for 8.5.x LTS

Version 8.13.8 for 8.13.x LTS

Version 8.17.0

Jira Service Management Data Center

Version 4.5.16 for 4.5.x LTS

Version 4.13.8 for 4.13.x LTS

Version 4.17.0

IV. Security Recommendations

1. This vulnerability has been fixed in the official releases listed above. If your version falls into an affected range, upgrade to the latest secure version.

2. If you cannot upgrade promptly, use a firewall or similar controls to restrict access to the Ehcache RMI service port, following the mitigation guidance provided by Atlassian.
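As an added example (not part of this notice and not Atlassian's tooling), the following script checks an inventory of Jira Data Center and Jira Service Management Data Center versions against the affected ranges listed above and names the fixed release to move to; the inventory entries are constructed samples.

```python
"""Check Jira Data Center / Jira Service Management Data Center versions
against the affected ranges in this notice (CVE-2020-36239).
Added example; the range data is copied from the advisory text above."""

# (lower bound inclusive, upper bound exclusive); the upper bound is the
# fixed release for that line, as listed under "Secure versions".
AFFECTED_RANGES = {
    "jira": [  # Jira Data Center, Jira Core Data Center, Jira Software Data Center
        ("6.3.0", "8.5.16"),
        ("8.6.0", "8.13.8"),
        ("8.14.0", "8.17.0"),
    ],
    "jsm": [  # Jira Service Management Data Center
        ("2.0.2", "4.5.16"),
        ("4.6.0", "4.13.8"),
        ("4.14.0", "4.17.0"),
    ],
}


def parse_version(text):
    """Turn '8.13.7' into a comparable tuple (8, 13, 7); missing parts count as 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def check_version(product, version):
    """Return (affected, fixed_version): fixed_version is the first secure
    release in the same line when affected, otherwise None."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES[product]:
        if parse_version(low) <= v < parse_version(high):
            return True, high
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("jira", "8.13.7"), ("jira", "8.17.0"),
                 ("jsm", "4.14.1"), ("jira", "6.2.9")]
    for product, ver in inventory:
        affected, fix = check_version(product, ver)
        status = f"AFFECTED, upgrade to {fix}" if affected else "not in an affected range"
        print(f"{product:4} {ver:8} {status}")
```

Versions outside every range (older than the first lower bound, or on or after the fixed release) report as not affected; only the Data Center ranges from this notice are encoded.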

Note: Before applying the fix, back up your files and test thoroughly.