Atlassian has disclosed a critical vulnerability in some of its products that could be exploited to enable remote attackers to execute arbitrary code in some Jira Data Center products.
The vulnerability, tracked as CVE-2020-36239, exists in the Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center products.
The vulnerability is the result of a missing authentication flaw in Jira's implementation of Ehcache, a widely used cache that applications rely on to improve performance and scalability.
Last month, researchers from Check Point Research in Atlassian's and , which could potentially be exploited to launch a supply-chain attack.
By exploiting the newly patched flaw in the Jira Data Center products, remote attackers could connect to Ehcache's RMI (Remote Method Invocation) ports without being asked for any authentication, giving them the opportunity to execute arbitrary code of their choice in Jira via object deserialization.
In an email announcement seen by BleepingComputer, Atlassian is urging its enterprise customers to upgrade to the patched versions of these products without delay.
Atlassian has also provided a workaround for customers who cannot immediately update the affected instances, which essentially involves restricting access to the Ehcache RMI ports on the affected products to cluster instances only.
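The workaround above amounts to an allowlist of cluster nodes on the Ehcache RMI ports. As an added example (not from the article or from Atlassian), the following script flags connection records from non-cluster clients to those ports and renders the corresponding iptables allowlist; the port numbers, the `src=... dst=... dport=...` record format, and the node addresses are assumptions for illustration.

```python
"""Audit connection records against an Ehcache RMI cluster allowlist."""
import ipaddress
from typing import Iterable, List, Tuple

# Assumed Ehcache RMI ports: Jira Data Center documents 40001 (RMI registry)
# and 40011 (RMI object port) as defaults; adjust to the actual install.
EHCACHE_RMI_PORTS = {40001, 40011}


def parse_record(line: str) -> dict:
    """Parse a constructed 'src=IP dst=IP dport=N' connection record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"])}


def rogue_rmi_clients(lines: Iterable[str], cluster_nodes: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (source, port) for every RMI-port connection not from a cluster node."""
    allowed = {ipaddress.ip_address(n) for n in cluster_nodes}
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec["dport"] in EHCACHE_RMI_PORTS and rec["src"] not in allowed:
            hits.append((str(rec["src"]), rec["dport"]))
    return hits


def iptables_allowlist(cluster_nodes: Iterable[str], ports=EHCACHE_RMI_PORTS) -> List[str]:
    """Render rules admitting only cluster nodes to the RMI ports, then dropping the rest."""
    rules = []
    for port in sorted(ports):
        for node in cluster_nodes:
            rules.append(f"-A INPUT -p tcp -s {node} --dport {port} -j ACCEPT")
        rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules


# Constructed sample data: two cluster nodes and one outside client.
CLUSTER = ["10.0.1.11", "10.0.1.12"]
SAMPLE = [
    "src=10.0.1.12 dst=10.0.1.11 dport=40001",
    "src=10.0.1.11 dst=10.0.1.12 dport=40011",
    "src=198.51.100.7 dst=10.0.1.11 dport=40001",
    "src=198.51.100.7 dst=10.0.1.11 dport=443",
]

if __name__ == "__main__":
    for src, port in rogue_rmi_clients(SAMPLE, CLUSTER):
        print(f"non-cluster client {src} reached Ehcache RMI port {port}")
    print("\n".join(iptables_allowlist(CLUSTER)))
```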