For this issue to be exploitable, the attacker needs to meet any one of the following conditions:
In any of the cases, exploitation of this issue helps an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
The official post reads, “All versions of Jira Server and Data Center from 4.4.0 before 7.6.14 (the fixed version for 7.6.x), from 7.7.0 before 7.13.5 (the fixed version for 7.13.x), from 8.0.0 before 8.0.3 (the fixed version for 8.0.x), from 8.1.0 before 8.1.2 (the fixed version for 8.1.x), and from 8.2.0 before 8.2.3 are affected by this vulnerability.”
To address this issue, the team has fixed this vulnerability in the 8.2.3, 8.1.2, 8.0.3, 7.13.5, 7.6.14 versions of Jira Server and Jira Data Center. Atlassian recommends that users upgrade to the latest version.
For mitigating, users can first disable the Contact Administrators Form and then also block the /secure/admin/SendBulkMail!default.jspa endpoint from being accessed. This can be easily achieved by denying access in the reverse-proxy, load balancer, or Tomcat directly.
However, blocking the SendBulkMail endpoint will prevent Jira Administrators from being able to send bulk emails to users. Hence, after upgrading Jira, users can re-enable the Administrator Contact Form, and unblock the SendBulkMail endpoint.
To know more about this news, check out Jira security advisory.
JIRA 101
Gadgets in JIRA
Securing your JIRA 4