Atlassian is sending an email to affected customers of its Jira Data Center products in an attempt to get as many as possible to upgrade to the latest versions of the software and away from vulnerable versions. Some of Jira’s Data Center products are vulnerable to CVE-2020-36239, a flaw in Jira’s implementation of Ehcache that could allow remote unauthenticated code execution. The security advisory lists the following products as vulnerable:
- Jira Data Center
- Jira Software Data Center
- Jira Core Data Center
- Jira Service Management Data Center
Non-Data Center instances of Jira Server and Jira Service Management, as well as Jira Cloud and Jira Service Management Cloud, are not affected. To learn which specific versions are vulnerable and which versions of each product to update to, please see Jira’s security advisory.
CVE-2020-36239 could be trivial for attackers to exploit because the affected service performs no authentication checks. Binary Defense highly recommends that Atlassian customers read the advisory to see if they are running vulnerable versions of Jira products and follow its instructions to update as soon as possible. Atlassian also recommends that customers restrict access to the Ehcache RMI ports through firewall rules. This should be done even after updating to a fixed version, so that only the other Jira nodes that need to communicate on these ports can reach them.
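One way to apply that restriction on a Linux node, shown here as an added example rather than anything from Atlassian's advisory or Binary Defense: the script below generates iptables rules that accept the Ehcache RMI ports only from the listed cluster nodes and drop every other source. The node addresses and the port value are constructed placeholders; take the real port numbers from Atlassian's advisory.

```shell
#!/bin/sh
# Restrict Jira Data Center's Ehcache RMI ports to known cluster nodes.
# Prints the iptables commands for review by default; APPLY=1 executes them.
# Assumes a Linux host with iptables (assumption, not stated on the page).

# Constructed sample values: replace with your cluster's node IPs and the
# Ehcache RMI ports listed in Atlassian's advisory.
JIRA_NODES="10.0.1.11 10.0.1.12 10.0.1.13"
EHCACHE_RMI_PORTS="40001"

# $1: space-separated node IPs, $2: space-separated TCP ports.
# Emits one ACCEPT per node per port, then a DROP for everyone else.
ehcache_rmi_rules() {
    nodes=$1
    ports=$2
    for port in $ports; do
        for node in $nodes; do
            printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$node"
        done
        # Everything not from a cluster node, including unauthenticated
        # Internet hosts, is dropped on this port.
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

main() {
    rules=$(ehcache_rmi_rules "$JIRA_NODES" "$EHCACHE_RMI_PORTS")
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

main
```

Because `-A` appends, an earlier rule that already accepts these ports would take precedence; if your INPUT chain has one, insert with `-I` or place these rules before it.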