Jira Desk Server and Data Center Vulnerability Security Advisory

Published: 2019-11-11

Vulnerability IDs and severity


CVE ID: CVE-2019-15003, severity: High, CVSS score: not officially rated

CVE ID: CVE-2019-15004, severity: High, CVSS score: not officially rated


Affected versions


Jira Service Desk Server and Jira Service Desk Data Center

version < 3.9.17

3.10.0 <= version < 3.16.11

4.0.0 <= version < 4.2.6

4.3.0 <= version < 4.3.5

4.4.0 <= version < 4.4.3

4.5.0 <= version < 4.5.1


Vulnerability overview


Atlassian Jira Service Desk Server and Atlassian Jira Service Desk Data Center are both products of the Australian company Atlassian. Atlassian Jira Service Desk Server is the server edition of an IT service desk and request tracking system, used mainly to receive, track and manage requests from a team's customers. Atlassian Jira Service Desk Data Center is the data center edition of Atlassian Jira Service Desk. The following vulnerabilities exist:


An information disclosure vulnerability, CVE-2019-15003, and a path traversal vulnerability, CVE-2019-15004. By exploiting these vulnerabilities, an attacker can view all issues in all Jira projects contained in a vulnerable instance. This may include Jira Service Desk projects, Jira Core projects and Jira Software projects.


Vulnerability verification


No PoC/EXP is available at present.


Remediation recommendations


The vendor has now released updates, as follows:


4.5.1 can be downloaded from https://www.atlassian.com/software/jira/service-desk/update

4.4.3 can be downloaded from https://www.atlassian.com/software/jira/service-desk/update

4.3.5 can be downloaded from https://www.atlassian.com/software/jira/service-desk/update

4.2.6 can be downloaded from https://www.atlassian.com/software/jira/service-desk/update

3.16.11 can be downloaded from https://www.atlassian.com/software/jira/service-desk/update

3.9.17 can be downloaded from https://www.atlassian.com/software/jira/service-desk/update
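To check an inventory of installed Jira Service Desk versions against the affected ranges and fixed releases listed in this advisory, the following is an added example (not part of the original advisory or Atlassian's tooling). The function names and the sample host names and versions are assumptions made for illustration.

```python
# Added example: ranges and fixed releases are copied from this advisory.
# Each entry is (lowest affected, first fixed); v is affected when low <= v < fixed.
# The advisory gives no lower bound for the first range, so (0,) stands in for it.
AFFECTED_RANGES = [
    ((0,), (3, 9, 17)),
    ((3, 10, 0), (3, 16, 11)),
    ((4, 0, 0), (4, 2, 6)),
    ((4, 3, 0), (4, 3, 5)),
    ((4, 4, 0), (4, 4, 3)),
    ((4, 5, 0), (4, 5, 1)),
]


def parse_version(text):
    """Turn '4.2.3' or '4.4' into a comparable tuple of ints, padded to 3 parts.

    A suffix after '-' (for example a build qualifier) is ignored.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))
    return tuple(nums)


def fixed_release_for(version_text):
    """Return the fixed release for an affected version, or None if not affected."""
    v = parse_version(version_text)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample inventory: host names and versions are made up.
    inventory = {"sd-prod": "4.2.3", "sd-test": "4.5.1",
                 "sd-old": "3.9.12", "sd-lts": "3.9.17"}
    for host, ver in inventory.items():
        fix = fixed_release_for(ver)
        status = f"AFFECTED, upgrade to {fix} or later" if fix else "not in an affected range"
        print(f"{host:8} {ver:8} {status}")
```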


Mitigation measures:


CVE-2019-15003


1. At the reverse proxy or load balancer level, block requests to Jira that contain jspa, jspx, jsp, or configure Jira to redirect requests that contain jspa, jspx, jsp to a safe URL


2. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml, save the change, and then restart Jira:





CVE-2019-15004


1. At the reverse proxy or load balancer level, block requests to Jira that contain .., or configure Jira to redirect requests that contain .. to a safe URL


2. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml, save the change, and then restart Jira:





Reference links


https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-11-06-979412717.html