On 10 July 2019, Atlassian published a security advisory for a critical severity vulnerability in most versions of Jira Server and Jira Data Center. The vulnerability was introduced in version 4.4.0, released in 2011, and affects versions as recent as 8.2.2, released on 13 June 2019.
Tens of Thousands of Potentially Affected Servers
Using data from Shodan.io, we identified roughly 50,000 potential instances of Jira. Of those, our further analysis confirmed just over 30,000 to be reachable Jira instances with version numbers. And of those, only 63 had versions that were protected against CVE-2019-11581.
So as of the day after the advisory, the overwhelming majority of internet-accessible Jira Server instances had vulnerable versions. It would be nice to show a chart comparing patched and unpatched versions, but there are so few secure instances that they would not be visible to the human eye. Instead, here is a chart of the ten most common versions of Jira Server in the population we surveyed, none of which are in the list of fixed Jira Server versions.
Ten most common Jira Server versions. None of these are patched against CVE-2019-11581
We exported this data shortly after the advisory was released. Since then administrators have continued to take steps to remediate their vulnerabilities, and there should be fewer vulnerable instances every day. An initial assessment of the prevalence of this risk, however, shows that tens of thousands of instances are potentially vulnerable, and that patching has been far from universal.
Because the vulnerability exploits the “Contact Administrators Form” for template injection, Atlassian also released guidance on a workaround to disable this form. Some of the servers that have not been upgraded have been secured using this workaround. However, in manually checking sites that appeared to have vulnerable versions, they generally had not been patched since our initial data collection and showed no evidence of compensating controls. The only site where the version had changed since our initial data collection was one belonging to NASA. Good job NASA! But in the overwhelming majority of cases there was no evidence the owners had upgraded to a secure version.
Jira version from a nasa.gov site showing an up-to-date and secure instance
Additionally, customers can disable the “Contact Administrators Form.” Again, in manually checking random sites, only one was seen that had a notice that this had been disabled.
JIRA notification
The geographic distribution of servers with vulnerable versions is similar to the distribution of computing systems worldwide. Most are in the US, but vulnerable servers were detected in 134 different countries. Essentially every country with a digital economy likely has Jira servers that could be affected by this vulnerability.
The hostnames for Jira Servers can provide insight into the kinds of organizations affected. Of the servers with vulnerable versions, 69 included .gov in the URL. These servers were hosted in 16 different countries, creating potential risk for many government functions.
Number of Jira Servers in each country with .gov addresses and an unpatched version
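The version triage described above and the two roll-ups the article reports (most common versions, and .gov hosts per country) as an added Python example; this is not the article's or Atlassian's code. It assumes a constructed inventory in the shape of a Shodan export, uses only the affected range stated in the article (4.4.0 through 8.2.2), and leaves the per-branch fixed releases as a placeholder to be filled in from the Atlassian advisory.

```python
from collections import Counter

# Constructed sample inventory in the shape of a Shodan-style export:
# (hostname, country code, version string reported by the instance).
INVENTORY = [
    ("jira.agency-a.example.gov", "US", "7.13.0"),
    ("tracker.example.com", "DE", "8.2.2"),
    ("jira.agency-b.example.gov", "BR", "4.3.4"),
    ("issues.example.org", "US", "8.10.1"),
    ("jira.agency-c.example.gov", "US", "7.13.0"),
    ("jira.agency-d.example.gov", "IN", "8.2.3"),
]

FIRST_AFFECTED = (4, 4, 0)  # first affected release, as stated in the article
LAST_AFFECTED = (8, 2, 2)   # last affected release, as stated in the article

# PLACEHOLDER: minimum fixed release per branch, keyed (major, minor), must be
# filled in from the Atlassian advisory. Left empty here, so every version in
# the affected range is treated as unpatched.
FIXED_MINIMUMS = {}

def parse_version(text):
    """'8.2.2' -> (8, 2, 2): compare numerically, not as strings (as strings
    '8.10.1' would sort below '8.2.2' and be misclassified)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_vulnerable(version, fixed_minimums=None):
    """In the affected range and below the branch's fixed release, if known."""
    fixed = FIXED_MINIMUMS if fixed_minimums is None else fixed_minimums
    v = parse_version(version)
    if not (FIRST_AFFECTED <= v <= LAST_AFFECTED):
        return False
    fix = fixed.get(v[:2])
    return fix is None or v < fix

def summarize(inventory, fixed_minimums=None):
    """Vulnerable count, most common versions, and .gov hosts per country."""
    vulnerable = [r for r in inventory if is_vulnerable(r[2], fixed_minimums)]
    top_versions = Counter(r[2] for r in vulnerable).most_common()
    gov_by_country = Counter(r[1] for r in vulnerable if ".gov" in r[0])
    return len(vulnerable), top_versions, dict(gov_by_country)

if __name__ == "__main__":
    print(summarize(INVENTORY))  # (3, [('7.13.0', 2), ('8.2.2', 1)], {'US': 2})
```

Once the placeholder is filled in, a version on a branch that received a fix is only counted as vulnerable when it is below that branch's fixed release.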
However many vulnerable servers there are today, there should be fewer tomorrow and fewer the day after that. That said, there are still a lot of potentially vulnerable Jira servers, and protecting against data loss due to this vulnerability requires knowing both whether your organization has a vulnerable instance and whether your vendors are running unpatched Jira servers.
Contact us if you would like to check your Jira Server or Jira Data Center editions for this vulnerability.