JIRA Security Advisory 2013-02-21
Description
JIRA versions up to and including 5.1.4 contain critical security vulnerabilities that allow unauthorized file system manipulation. The primary vulnerability (Issue 1) is a path traversal flaw (CWE-22) that enables attackers to overwrite arbitrary files on the server. This advisory addresses these vulnerabilities which were patched in subsequent JIRA releases.
Remediation
Take the following actions immediately to remediate this vulnerability:
1. Upgrade JIRA:
Update to JIRA version 5.1.5 or later, which contains fixes for these vulnerabilities. Follow Atlassian's standard upgrade procedures documented in their upgrade guide.
2. Apply Security Patches (if immediate upgrade is not possible):
Download and apply the security patches provided by Atlassian for your specific JIRA version from the official security advisory.
3. Verify Installation:
After upgrading or patching, verify the JIRA version in the administration console to confirm the update was successful.
4. Review System Integrity:
Examine system logs and file integrity for any signs of exploitation prior to patching. Check for unexpected file modifications or unauthorized access attempts.
5. Network Security:
Until patching is complete, consider restricting network access to JIRA instances using firewall rules or VPN requirements.
Refer to the official Atlassian security advisory for detailed patch installation instructions and additional security guidance.