PT-2021-3747 · Terracotta+1 · Ehcache+3

Harrison Neal · Published 2021-07-22 · Updated 2024-10-17

CVE-2020-36239
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Jira Data Center versions 6.3.0 through 8.5.16
Jira Data Center versions 8.6.0 through 8.13.8
Jira Data Center versions 8.14.0 through 8.17.0
Jira Core Data Center versions 6.3.0 through 8.5.16
Jira Core Data Center versions 8.6.0 through 8.13.8
Jira Core Data Center versions 8.14.0 through 8.17.0
Jira Software Data Center versions 6.3.0 through 8.5.16
Jira Software Data Center versions 8.6.0 through 8.13.8
Jira Software Data Center versions 8.14.0 through 8.17.0
Jira Service Management Data Center versions 2.0.2 through 4.5.16
Jira Service Management Data Center versions 4.6.0 through 4.13.8
Jira Service Management Data Center versions 4.14.0 through 4.17.0
Description

The issue is a missing-authentication vulnerability in the Ehcache RMI network service, which can allow remote attackers to execute arbitrary code in Jira through deserialization. The vulnerability can be exploited by connecting to the service on port 40001 and potentially 40011. Atlassian suggests restricting access to the Ehcache ports to only Data Center instances. Fixed versions of Jira require a shared secret to allow access to the Ehcache service. In some versions, the Ehcache object port can be randomly allocated.
Recommendations

For Jira Data Center versions 6.3.0 through 8.5.16, update to version 8.5.16 or later.
For Jira Data Center versions 8.6.0 through 8.13.8, update to version 8.13.8 or later.
For Jira Data Center versions 8.14.0 through 8.17.0, update to version 8.17.0 or later.
For Jira Core Data Center versions 6.3.0 through 8.5.16, update to version 8.5.16 or later.
For Jira Core Data Center versions 8.6.0 through 8.13.8, update to version 8.13.8 or later.
For Jira Core Data Center versions 8.14.0 through 8.17.0, update to version 8.17.0 or later.
For Jira Software Data Center versions 6.3.0 through 8.5.16, update to version 8.5.16 or later.
For Jira Software Data Center versions 8.6.0 through 8.13.8, update to version 8.13.8 or later.
For Jira Software Data Center versions 8.14.0 through 8.17.0, update to version 8.17.0 or later.
For Jira Service Management Data Center versions 2.0.2 through 4.5.16, update to version 4.5.16 or later.
For Jira Service Management Data Center versions 4.6.0 through 4.13.8, update to version 4.13.8 or later.
For Jira Service Management Data Center versions 4.14.0 through 4.17.0, update to version 4.17.0 or later.

As a temporary workaround, consider restricting access to the Ehcache ports to only Data Center instances.
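The workaround above, as an added example that is not part of the advisory: a small shell helper that emits iptables rules allowing only the other Data Center nodes to reach the Ehcache ports named in the advisory (40001 and 40011) and dropping every other source. The node addresses are constructed placeholders, and the ports are parameters so they can be changed if your installation pins different values or the object port is randomly allocated.

```shell
#!/bin/sh
# Added example (not from the advisory): restrict the Ehcache RMI ports to
# cluster members only. Rules are printed, not applied, so they can be reviewed.

# Ports named in the advisory. Override via the second argument if your
# cluster uses other values (e.g. a randomly allocated object port).
EHCACHE_PORTS_DEFAULT="40001 40011"

# ehcache_allowlist_rules "<space-separated node IPs>" ["<space-separated ports>"]
# Prints one ACCEPT rule per node/port pair, then a DROP for each port, so that
# only the listed Data Center nodes can connect to the Ehcache service.
ehcache_allowlist_rules() {
    nodes="$1"
    ports="${2:-$EHCACHE_PORTS_DEFAULT}"
    [ -n "$nodes" ] || { echo "no cluster nodes given" >&2; return 1; }
    for port in $ports; do
        for node in $nodes; do
            printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$node" "$port"
        done
        # Any source not matched above (including the public interface) is dropped.
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# ehcache_rule_count "<nodes>" ["<ports>"]: number of rules that would be emitted,
# handy for a sanity check before piping the rules into a shell.
ehcache_rule_count() {
    ehcache_allowlist_rules "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample cluster: two peer nodes (placeholder addresses, not real hosts).
SAMPLE_NODES="10.0.10.11 10.0.10.12"

# Review the output first; apply it with:  ehcache_allowlist_rules "$SAMPLE_NODES" | sh
ehcache_allowlist_rules "$SAMPLE_NODES"
```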

Fix

Weakness Enumeration
Missing Authentication
Missing Authorization

Related Identifiers
BDU:2021-04000
CVE-2020-36239

Affected Products
Ehcache
Jira
Jira Core
Jira Service Management Server