New versions of Jira Data Center as well as the Service Management version for Data Center (“Jira Service Management Data Center”) close a security vulnerability that Atlassian classifies as critical. Under certain conditions, remote attackers could have misused it to execute arbitrary code in the context of the Jira software. Data Center admins should check the version information in the available security advisory and update if necessary.
Jira Cloud products (Atlassian Cloud, Jira Cloud and Jira Service Management Cloud) as well as Jira Server and Service Management instances that are not Data Center-specific are expressly not affected by the vulnerability with ID CVE-2020-36239 (“Non-Data Center instances”).
More information and updates
CVE-2020-36239 is rooted in Ehcache, free software for managing caches in Java applications. According to Atlassian's advisory, attackers could have accessed an Ehcache RMI network service in vulnerable Jira product versions via port 40001 and possibly also 40011 without prior authentication. However, this would only have been possible with port configurations that allow such access and are not restricted to Data Center instances, as Atlassian recommends.
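As a defender-side check added here (not from the article, Atlassian or the Ehcache project), the following Python snippet probes the two Ehcache RMI ports named in the advisory from the machine it runs on; run from a host that is not a cluster node, any port reported as reachable is exposure that should be closed to everything except the cluster's own nodes. The host name and timeout are assumptions the caller supplies.

```python
import socket
import sys
from contextlib import closing

# Ehcache RMI ports named in Atlassian's advisory for CVE-2020-36239.
EHCACHE_RMI_PORTS = (40001, 40011)


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, filtered (timeout) or unreachable
            return False


def check_ehcache_exposure(host, ports=EHCACHE_RMI_PORTS, timeout=2.0):
    """Probe each Ehcache RMI port from this vantage point.

    Returns a dict port -> True (reachable) / False (closed or filtered).
    Run from a network position that is NOT a cluster node: any True here
    means the unauthenticated RMI service is reachable from outside the
    cluster, which is the port configuration the advisory warns about.
    """
    return {p: probe_tcp_port(host, p, timeout) for p in ports}


def exposure_report(host, results):
    """Turn the probe results into a one-line finding."""
    reachable = [p for p, up in results.items() if up]
    if reachable:
        return (f"{host}: Ehcache RMI reachable on {reachable}; "
                "restrict to cluster nodes")
    return f"{host}: Ehcache RMI ports {list(results)} not reachable from here"


if __name__ == "__main__":
    # Assumed usage: python check_ehcache.py <jira-dc-host>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(exposure_report(target, check_ehcache_exposure(target)))
```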
Detailed information on CVE-2020-36239 as well as an overview of all vulnerable and fixed software versions can be found in Atlassian's advisory: