Atlassian has released security updates to address a critical vulnerability (CVE-2020-36239) present in their Jira Data Center and Jira Service Management Data Center products. The vulnerability exists due to a missing authentication flaw in the implementation of Ehcache (an open source component) in the affected products, giving potential attackers unrestricted access to Ehcache Remote Method Invocation (RMI) ports. Successful exploitation of this vulnerability may allow an attacker to perform Remote Code Execution (RCE), which may lead to a compromise of the Jira server.
The following versions of Jira Data Center, Jira Core Data Center and Jira Software Data Center are affected:
- From version 6.3.0 to before 8.5.16 (v8.5.16 is the patched version)
- From version 8.6.0 to before 8.13.8 (v8.13.8 is the patched version)
- From version 8.14.0 to before 8.17.0 (v8.17.0 is the patched version)
The following versions of Jira Service Management Data Center are affected:
- From version 2.0.2 to before 4.5.16 (v4.5.16 is the patched version)
- From version 4.6.0 to before 4.13.8 (v4.13.8 is the patched version)
- From version 4.14.0 to before 4.17.0 (v4.17.0 is the patched version)
Administrators and users who are using affected versions of the products are advised to upgrade to the latest versions immediately, and restrict Ehcache RMI ports access to only cluster instances of Jira Data Center, Jira Core Data Center, and Jira Software Data Center, and Jira Service Management Data Center.
More information can be found here: