Atlassian has released new versions of Jira Server and Jira Data Centre that address a critical vulnerability which has lived in the code for almost 8 years.
The vulnerability, CVE-2019-11581 is a server-side template injection vulnerability.
According to the security advisory from Atlassian:
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. For this issue to be exploitable at least one of the following conditions must be met:
- an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or
- an SMTP server has been configured in Jira and an attacker has “JIRA Administrators” access.
In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with “JIRA Administrators” access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
What is a server-side template injection vulnerability?
Web applications use template systems such as Twig in order to easily include dynamic content in web pages and emails. Applications such as Wikis, blogs, content management systems and marketing systems are frequently designed around template systems.
The web application evaluates or interprets the template statements and executes server-side code as a result. In a similar way to PHP code being interpreted on the server to output HTML code which is sent to the user’s browser, template systems allow for rapid development of user facing web pages. In many cases, Twig included, the template system produces PHP code for execution on the server.
If there is a defect in the sandboxing of the template’s interpreter it is possible to inject commands into the template which are then executed on the server. This could happen, for example, though the data entered into a form on a web page. This is somewhat analogous to SQL Server Injection Attacks which pass SQL commands in data fields which are then executed by the database engine.
Template injection vulnerabilities can be very difficult to detect, and are best addressed through web application penetration testing.