Jira Security Vulnerability CVE-2019-11581


On 10 July 2019, Atlassian released a security advisory for a critical severity vulnerability in most versions of Jira Server and Jira Data Center. The vulnerability was introduced in version 4.4.0, released in 2011, and affects versions as recent as 8.2.2, released on 13 June 2019.

The good news is that users of Jira Cloud are not affected. But how many organizations are running Jira Server or Jira Data Center, and are vulnerable to this attack?

Tens of Thousands of Potentially Affected Servers

Using data from Shodan.io, we identified approximately 50,000 potential instances of Jira. Of those, our further research confirmed just over 30,000 to be reachable Jira instances with version numbers. And of those, only 63 had versions that were safe from CVE-2019-11581.

So as of the day after the advisory, the vast majority of internet accessible Jira Server instances had vulnerable versions. It would be nice to show a chart comparing patched and unpatched versions, but there are so few secure instances they are not visible to the human eye. Instead, here is a chart of the ten most common versions of Jira Server in the population we surveyed, none of which are in the list of fixed Jira Server versions.
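The survey above boils down to one check repeated across many hosts: read each instance's version and decide whether it falls inside the affected range or on a patched branch. The following Python is an added example written for this post, not UpGuard's survey tooling. It takes the two bounds the post quotes from the advisory (introduced in 4.4.0, present through 8.2.2) and treats the per-branch fix releases as input the reader supplies from Atlassian's advisory; the `EXAMPLE_FIXED_VERSIONS` list and the `SAMPLE_RESPONSES` bodies are constructed for the demonstration. It reads the version from the `version` field of Jira's `/rest/api/2/serverInfo` JSON, which is a standard Jira REST resource, and reports unreadable hosts as unknown rather than guessing, which is the same reason the post counts only instances "with version numbers".

```python
"""Version-based triage of Jira Server / Data Center instances for
CVE-2019-11581 (added example; not the post's own survey code)."""
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Bounds as quoted in the post from Atlassian's advisory: the flaw was
# introduced in 4.4.0 and is present up to and including 8.2.2.
FIRST_AFFECTED: Version = (4, 4, 0)
LAST_AFFECTED: Version = (8, 2, 2)

# Per-branch fix releases must be taken from Atlassian's advisory. The single
# entry here is an illustrative placeholder (the release after 8.2.2 on the
# 8.2 branch), not the authoritative list.
EXAMPLE_FIXED_VERSIONS: List[Version] = [(8, 2, 3)]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Turn '8.2.2', 'v7.13.2#713002' or '8.2' into a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def version_from_server_info(body: str) -> Optional[Version]:
    """Extract the version from a /rest/api/2/serverInfo JSON body.
    Returns None when the body is not JSON or carries no parseable version."""
    try:
        info = json.loads(body)
    except ValueError:
        return None
    version = info.get("version") if isinstance(info, dict) else None
    return parse_version(version) if isinstance(version, str) else None


def is_vulnerable(version: Version, fixed_versions: Iterable[Version]) -> bool:
    """Vulnerable when inside [4.4.0, 8.2.2] and older than the fix release on
    the same major.minor branch. Releases newer than 8.2.2 postdate the advisory
    and are treated as fixed; releases before 4.4.0 predate the flaw."""
    if version < FIRST_AFFECTED or version > LAST_AFFECTED:
        return False
    for fixed in fixed_versions:
        if fixed[:2] == version[:2] and version >= fixed:
            return False
    return True


def triage(responses: Dict[str, str], fixed_versions: Iterable[Version]) -> Dict[str, List[str]]:
    """Classify host -> serverInfo body into the three buckets the post reports."""
    fixed_list = list(fixed_versions)
    summary: Dict[str, List[str]] = {"vulnerable": [], "not_vulnerable": [], "unknown": []}
    for host, body in responses.items():
        v = version_from_server_info(body)
        if v is None:
            summary["unknown"].append(host)
        elif is_vulnerable(v, fixed_list):
            summary["vulnerable"].append(host)
        else:
            summary["not_vulnerable"].append(host)
    return summary


# Constructed sample responses standing in for what a serverInfo request returns.
SAMPLE_RESPONSES: Dict[str, str] = {
    "jira-a.example": '{"version": "8.2.2", "deploymentType": "Server"}',
    "jira-b.example": '{"version": "8.2.3", "deploymentType": "Server"}',
    "jira-c.example": '{"version": "7.6.1", "deploymentType": "DataCenter"}',
    "jira-d.example": '{"version": "8.3.0", "deploymentType": "Server"}',
    "jira-e.example": "<html>login page, version not exposed</html>",
    "jira-f.example": '{"version": "4.3.9"}',
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_RESPONSES, EXAMPLE_FIXED_VERSIONS).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Because fix releases sit on several maintenance branches, a plain "is it older than 8.2.3" comparison would misclassify a patched 7.13.x instance; comparing only within the same major.minor branch is what makes the check match how the advisory lists fixed versions.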

Ten most common Jira Server versions. None of these are patched against CVE-2019-11581

We exported this data soon after the advisory was released. Since then administrators have continued to remediate, and there should be fewer vulnerable instances every day. This initial assessment of the risk's prevalence, however, shows that tens of thousands of instances are potentially vulnerable and that patching has been far from universal.

Because the vulnerability is a template injection through the "Contact Administrators Form," Atlassian also released guidance on a workaround: disabling that form. Some of the servers that have not been upgraded have been secured using this workaround. However, in manually checking sites that appeared to have vulnerable versions, they generally had not been patched since our initial data collection and showed no evidence of compensating controls. The only website where the version had changed since our initial data collection was one belonging to NASA. Good job NASA! In the vast majority of cases, though, there was no evidence the owners had upgraded to a secure version.

Jira version from a nasa.gov site showing an up-to-date and secure instance

Additionally, users could disable the "Contact Administrators Form." Again, in manually checking random sites, only one was seen that had a notice that this had been disabled.

Enterprise JIRA temporary disabled banner

The geographic distribution of servers with vulnerable versions is similar to the distribution of computing systems worldwide. Most are in the US, but vulnerable servers were detected in 134 different countries. Essentially every nation with a digital economy likely has Jira servers that could be affected by this vulnerability.

The hostnames of Jira Servers can provide insight into the types of organizations affected. Of the servers with vulnerable versions, 69 included .gov in the hostname. Those servers were hosted in 16 different countries, creating potential risk for many government functions.


Number of Jira Servers in each country with .gov addresses and unpatched version

However many vulnerable servers there are today, there should be fewer tomorrow and fewer the day after that. That said, there are still a lot of potentially vulnerable Jira servers, and protecting against data loss due to this vulnerability requires knowing both whether your organization has a vulnerable instance and whether your vendors are running unpatched Jira servers.

Contact us if you'd like to check your Jira Server or Jira Data Center editions for this vulnerability.
