A critical vulnerability in Atlassian’s Jira Service Management Server and Data Center could allow an unauthenticated attacker to impersonate other users and gain remote access to the systems.
Atlassian explains that the security issue affects versions 5.3.0 through 5.5.0 and that hackers can get “access to a Jira Service Management instance under certain circumstances.”
Tracked as CVE-2023-22501, the vulnerability has a critical severity score of 9.4, as calculated by Atlassian. It could be used to target bot accounts in particular, due to their frequent interactions with other users and their increased likelihood to be included in Jira issues or requests or receiving emails with a “View Request” link – either condition being necessary for acquiring signup tokens.
Atlassian has released updates that address the issue and advises admins to upgrade to versions 5.3.3, 5.4.2, 5.5.1, and 5.6.0 or later.
If the update cannot be installed immediately, the vendor has provided for a workaround in the form of a JAR file that can be used to manually upgrade the “servicedesk-variable-substitution-plugin,” as described in the steps below:
- Download the version-specific JAR from the advisory
- Stop Jira
- Copy the JAR file into the Jira home directory (“
/plugins/installed-plugins” for servers or “ for data centers) - Restart the service
Atlassian has also published a FAQ page explaining that the upgrade is recommended even if the instances are not exposed to the public internet or have an external user directory with single sign-on (SSO) enabled.
As a warning, password changes performed by an attacker will not generate an email notification to the account owner, making it more difficult to detect a compromise.
However, after applying the available security update or the JAR file workaround, admins can check which accounts changed their passwords and logged in since installing the previous version, which could reveal unauthorized access to the accounts.
Atlassian recommends that administrators force a password reset on all potentially breached users and ensure that their email addresses are correct.
If a breach has been detected, the recommendation is to immediately shut down and disconnect the compromised server from the network to minimize the extent of the attack.