This document was written to share the Jira security advisory for CVE-2022-0540 - Authentication bypass in Seraph and the actions required to address it.



Jira Security Advisory 2022-04-20

Vulnerability

CVE-2022-0540 - Authentication bypass in Seraph

Affected products

  • Jira
    • Jira Core Server
    • Jira Software Server
    • Jira Software Data Center
  • Jira Service Management
    • Jira Service Management Server
    • Jira Service Management Data Center


Jira Cloud is not affected.

Jira Service Management Cloud is not affected.

CVE ID(s)

CVE-2022-0540



Vulnerability summary

Jira and Jira Service Management are vulnerable to an authentication bypass in Jira Seraph, their web authentication framework.
The vulnerability lies in the core of Jira, but it affects Atlassian and third-party apps that specify roles-required at the webwork1 action namespace level rather than at the action level.
An action is only affected if it performs no other authentication or authorization checks of its own.

A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted HTTP request to bypass the authentication and authorization requirements of WebWork actions that use an affected configuration.
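As an added example that is not part of the advisory, the script below parses an app's atlassian-plugin.xml and flags every webwork1 action that inherits roles-required only from its namespace, then shows the per-action form; the sample descriptor and the app key are constructed, and the element and attribute layout is the standard webwork1 module format, assumed here rather than taken from any listed app.

```python
"""Audit an atlassian-plugin.xml for the CVE-2022-0540 configuration pattern:
a <webwork1> module that sets roles-required on the namespace while some of
its <action> elements declare no roles-required of their own."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor for a hypothetical app (not a real Marketplace app).
SAMPLE_PLUGIN_XML = """<atlassian-plugin key="com.example.demo" name="Demo App" plugins-version="2">
  <webwork1 key="admin-actions" name="Admin Actions" class="java.lang.Object"
            roles-required="admin">
    <actions>
      <action name="com.example.demo.ExportAction" alias="DemoExport">
        <view name="success">/templates/export.vm</view>
      </action>
      <action name="com.example.demo.PurgeAction" alias="DemoPurge" roles-required="admin">
        <view name="success">/templates/purge.vm</view>
      </action>
    </actions>
  </webwork1>
  <webwork1 key="user-actions" name="User Actions" class="java.lang.Object">
    <actions>
      <action name="com.example.demo.ViewAction" alias="DemoView"/>
    </actions>
  </webwork1>
</atlassian-plugin>
"""


def find_namespace_only_roles(xml_text):
    """Return (module_key, action_alias) pairs for actions that rely solely on the
    namespace-level roles-required, i.e. the configuration the advisory describes."""
    root = ET.fromstring(xml_text)
    findings = []
    for module in root.iter("webwork1"):
        if not module.get("roles-required"):
            continue  # no namespace-level requirement, so not this pattern
        for action in module.iter("action"):
            if not action.get("roles-required"):
                findings.append((module.get("key"), action.get("alias")))
    return findings


def push_roles_down(xml_text):
    """Return a descriptor where every action under a role-protected namespace
    also declares that roles-required itself (the per-action form)."""
    root = ET.fromstring(xml_text)
    for module in root.iter("webwork1"):
        roles = module.get("roles-required")
        if roles:
            for action in module.iter("action"):
                action.set("roles-required", action.get("roles-required", roles))
    return ET.tostring(root, encoding="unicode")
```

Running find_namespace_only_roles on the sample reports only DemoExport; DemoPurge already carries its own attribute and user-actions has no namespace-level requirement to inherit.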


Severity

For installations that use an app with an affected configuration, Atlassian rates the severity level of this vulnerability as critical, although this may differ if the affected app enforces additional permission checks. For details on the affected apps listed below, contact the app vendor.

For installations that do not use an app with an affected configuration, Atlassian rates the severity level of this vulnerability as medium.

This is Atlassian's assessment; you should evaluate its applicability to your own IT environment.



Affected product versions and fixed versions

Jira

Affected versions

The following Jira products are affected:

  • Jira Core Server
  • Jira Software Server
  • Jira Software Data Center

  • All versions before 8.13.18
  • 8.14.x
  • 8.15.x
  • 8.16.x
  • 8.17.x
  • 8.18.x
  • 8.19.x
  • 8.20.x before 8.20.6
  • 8.21.x


Fixed versions

  • 8.13.x >= 8.13.18
  • 8.20.x >= 8.20.6
  • All versions >= 8.22.0


You can download the latest version from the Jira Core or Jira Software download pages.

These are the first versions to include the fix for CVE-2022-0540. Newer bug-fix releases are available for the three release lines listed above.
Atlassian recommends upgrading to the latest bug-fix release.


Jira Service Management

Affected versions

The following Jira Service Management products are affected:

  • Jira Service Management Server
  • Jira Service Management Data Center

  • All versions before 4.13.18
  • 4.14.x
  • 4.15.x
  • 4.16.x
  • 4.17.x
  • 4.18.x
  • 4.19.x
  • 4.20.x before 4.20.6
  • 4.21.x


Fixed versions

  • 4.13.x >= 4.13.18
  • 4.20.x >= 4.20.6
  • All versions >= 4.22.0

You can download the latest version from the Jira Service Management download page.

These are the first versions to include the fix for CVE-2022-0540. Newer bug-fix releases are available for the three release lines listed above.
Atlassian recommends upgrading to the latest bug-fix release.


Checking for affected add-ons

An app is affected if both of the following conditions hold:

  • It is installed on one of the affected Jira or Jira Service Management versions listed above.
  • It uses a configuration that is vulnerable to CVE-2022-0540.


Atlassian has confirmed that the following apps on the Atlassian Marketplace use a configuration that is vulnerable to CVE-2022-0540.
If you use an app that is not listed on the Atlassian Marketplace, contact its developer to confirm whether it uses an affected configuration.

This list includes two Atlassian apps:

  • Insight - Asset Management
    • Versions 8.x and earlier are available from the Atlassian Marketplace.
    • Version 9.0x is bundled with Jira Service Management Server and Data Center 4.15.0 and later.
  • Mobile Plugin for Jira
    • Bundled with Jira Server, Jira Software Server and Data Center 8.0.0 and later.
    • Bundled with Jira Service Management Server and Data Center 4.0.0 and later.


| App Name | Affected Versions | Notes |
|---|---|---|
| Activity for Jira | Versions < 2.3.0 | |
| Activity Timeline: Resource Planning & Time Tracking | Versions < 9.1.4 | |
| Alfresco connector for Jira | Versions < 1.15.3-8 | |
| Agile Tools & Filters for Jira Software | Versions < 4.0.12 | |
| Agile User Story Map & Product Roadmap for Jira | Versions < 6.4.1 | |
| 🇺🇦 Alert Catcher - Jira integration with Zabbix SIEM | Versions < 2.0.10 | |
| aqua - Test Management & Automation | All versions | |
| ARCAD For Jira | All versions | |
| Atlas CRM - Customers and Sales in Jira | Versions < 1.9.10 | |
| Automated Log Work for Jira | Versions < 6.9.5 | |
| AutoPage - Automated Page Creation | Versions < 2.15.0 | |
| BDQ Migration Analyst for Jira Cloud | Versions < 1.0.2 | |
| Calculated and other custom fields(JBCF) for Jira DC/Cloud | Versions < 3.1.3 | |
| Calendar for Jira | All versions | The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540. |
| 🇺🇦 Cisco Finesse integration for Jira | Versions < 1.0.7 | |
| CodeRunner PRO | All versions | |
| Comala Agile Ranking | Versions < 1.6.0 | |
| Comala Canvas for Jira | Versions < 3.0.5 | |
| Comment History for Jira | Versions < 2.2.1 | |
| Comment Security Default | Versions < 4.0.1 | |
| Connector for Salesforce and Jira Server | Versions < 1.14.1-8 | |
| Control Freak | Versions < 1.0.7 | |
| Cross filters matrix | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Custom Select List | All versions | |
| Customfield Editor for Jira | Versions < 2.13.1 | |
| Customizable Announcements for Jira | Versions < 2.2.0 | |
| Decision Tables for Jira | Versions < 1.2.10 | |
| Default Values for 'Create Issue' screen | Versions < 4.2.8 | |
| Delegating group management | Versions < 3.0.6 | |
| Denkplan Portfolio Map for Jira | Versions < 2.2.0 | |
| Dependent Select List | All versions | |
| Display linked issues | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Document Vault for Jira | Versions < 5.2.1 | |
| e Matrix | Versions < 3.1.2 | |
| Easy Field Template | All versions | |
| Eclipse BIRT for SQL+JQL | Versions < 3.6.6 | |
| EduBrite LMS for Jira Service Management | Versions < 3.41.12 | |
| Elevator - Smart Issue Assignment | Versions < 3.10.2 | |
| Encryption for Jira | Versions < 1.7.21 | |
| Enterprise Mail Handler for Jira (JEMH) | Server versions < 3.3.86-server; Data Center versions < 3.3.85-dc | |
| Epic watcher | Versions < 1.0.2 | |
| Excel-like Issue Editor for Jira - Embed Spreadsheet & Table | Versions < 1.17.1.1 | |
| excentia Admin Tools for Jira | Versions < 2.13.2 | |
| Extender for Jira | Versions < 2.16.0 | |
| Feedback for Jira - Forms for website | All versions | |
| Field Hide for Jira | All versions | |
| Field Hide for Jira - Lite | All versions | |
| Figma for Jira | Versions < 2.2.2 | |
| Flexible Calendar for Jira | Versions < 2.9.2 | |
| Frontu Field Service Management Add-on | All versions | |
| Gamification for Jira | All versions | |
| GDPR (DSGVO) and Security for Jira | Versions < 1.18.1 | |
| Gears desk for Jira | Versions < 2.4.3 | |
| Gears issue export permission | Versions < 2.4.1 | |
| Gears Lock manager for jira | Versions < 1.3.1 | |
| Gears Properties Manager | Versions < 1.5.1 | |
| Gears Usage Statistics for jira | Versions < 1.4.2 | |
| Gears worklog-restricted for Jira | All versions | |
| Git Integration for Jira | Versions < 4.2.1 | |
| Google Analytics for Jira | All versions | |
| Group Ambassadors | Versions < 2.4.1 | |
| Groups Plus - Attributes and delegated management | Versions < 1.0.3.15 | |
| Home Directory, Database & Log Browser for Jira | Versions < 1.34.1 | |
| ID Generator for Jira | All versions | |
| Import Export for Jira + Structure - Microsoft Project | Versions < 1.4.6 | |
| Insight - Asset Management | Versions < 8.10.0; All 9.x versions | Bundled with Jira Service Management 4.15 and later. Customers using Jira Service Management 4.15.0 or later cannot install Insight 8.10.0 via UPM, and should install one of the updated versions of Jira Service Management noted in this advisory or see the Workarounds section below. An authenticated attacker with object schema manager permissions could exploit this vulnerability to execute arbitrary code. |
| InstaPrinta - Print Jira Issues directly | Versions < 2.9.0 | |
| iridion for JIRA | All versions | |
| Issue Actions Todo | Versions < 3.1.1 | |
| Issue Linked Event for Jira | Versions < 1.12.0 | |
| Issue Search Customiser for Jira | Versions < 1.3.4 | |
| Issues Toolbox for Jira | Versions < 2.1.2 | |
| It's a Feature, Not a Bug | All versions | |
| J2J Issue Sync | All versions | |
| Jenkins Integration for Jira | Versions < 5.8.0 | |
| Jenkins Integration for Jira - Lite | Versions < 5.8.0 | |
| Jira Misc Custom Fields (JMCF) | Versions < 2.4.6 | |
| Jira Misc Workflow Extensions (JMWE) | Versions < 7.1.4 | |
| Jira Workflow Toolbox | Versions < 3.1.5 | |
| JsIncluder | All versions | |
| Label Manager for Jira | Versions < 4.7.8 | |
| Legal for Jira | All versions | This app is no longer supported and has been archived. |
| Log Tailer for Jira | Versions < 1.2.3 | |
| Lync and Skype Connector for Jira | All versions | |
| Message field | Versions < 4.6.6 | |
| Metadata for Jira | Versions < 4.8.6 | The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540. |
| Microfocus Dimensions CM Integration | All versions | |
| ML1 | All versions | |
| Mobile Plugin for Jira Data Center and Server | Versions < 3.2.14 | Bundled with Jira and JSM. Atlassian has determined the security risk is negligible since all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540. |
| MOCO Time Tracking for Jira | Versions < 1.3.5 | |
| Multiple Checklists for Jira | Versions < 1.17.2 | |
| My Secret Santa for Jira | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| My Service Portal | Versions < 2.1.14.20220412102158 | |
| My.com Calendar | Versions < 4.2.1 | |
| Namo Crosseditor For Jira | Versions < 1.0.13 | |
| Notify Watcher | Versions < 1.7.2 | |
| NotifyMe! - Send emails from Jira issues | Versions < 2.0.12 | |
| One-time Link | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Organizations Automation | Versions < 2.10.2 | |
| PageMe! - Create Pages from Jira Issues | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Performance Objectives: Charts for Jira | Versions < 22.4.4 | |
| PractiTest Test Management for Jira | All versions | |
| Prevent Anonymous Access | Versions < 3.1.0 | |
| ProScheduler: Resource Planning & Gantt - Project Management | Versions < 4.1.0 | |
| Project Archiver for Jira | Versions < 1.4.0 | |
| Project Budget for Jira | Versions < 1.2.0 | |
| Project Creator | All versions | |
| Project Documents for Jira | Versions < 3.9.1 | |
| Project Specific Select Field | Versions < 3.0.2 | |
| Project User Manager (PUM) | Versions < 1.2.5 | |
| Projectrak - Project Tracking for Jira | Versions < 8.8.2 | |
| Projektron BCS Connector for Jira | All versions | |
| QA Craft Test Management for Jira | Server versions < 4.1.20; Data Center versions < 4.1.21 | |
| QAlity - Test Management for Jira | All versions | |
| QAlity Plus - Test Management for Jira | All versions | |
| Quality Tiger - Test Management for Jira | All versions | |
| Quick Subtasks for Jira | All versions | |
| Raley Favourites for Jira | Versions < 1.1.1 | |
| ReceiveMe! - Email handler for Jira | Versions < 2.0.17 | |
| Refined for Jira \| Sites & Themes | Versions 3.3.x < 3.3.4; Versions < 3.2.21 | |
| RemindMe for Jira | Versions < 1.3.5 | |
| Report Builder | Versions < 3.9.1 | |
| Run CLI Actions in Jira | Versions < 10.2.1 | |
| SCIM User Provisioning for Jira | Versions < 2.7.1 | |
| Search by workflows | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Secure Admin for Jira | Versions < 3.4.2 | |
| Secure Code Warrior® for Jira | All versions | |
| Security Attachment Manager for Jira | Versions < 1.0.8 | |
| Security Fields and Attachments | All versions | |
| Service Desk Menu for Jira | Versions < 1.4.0 | |
| SharedManager | All versions | |
| Sign Off Plugin for Jira | Versions < 1.2.0 | |
| SIL Groovy Connector | Versions < 1.1.8 | |
| Simple Tasklists | All versions | |
| Simple Team Pages for Jira | All versions | |
| Simple notifications for Jira | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| SLA | All versions | |
| Smart Checklist for Jira. Pro | All versions | |
| Smart Issue Analyzer for Jira | All versions | |
| Smart Issue Analyzer for Jira Align | All versions | |
| Smart Issue Templates for Jira | Versions < 1.11.13 | |
| Sprint Capacity Planning & Tracking | All versions | |
| SQL+JQL Driver: Transform JQL into SQL | Versions < 9.11.3 | |
| Status History | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Status History PRO | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Status update reminder for Jira | Versions < 1.0.4 | |
| STM for Jira | Versions < 4.4.5 | |
| Story Mapping for Jira - Pro | Versions < 3.1.0 | |
| SU for Jira | Versions < 1.14.0 | |
| Subversion ALM | Versions < 9.3.4 | |
| sumUp for Jira | Versions < 3.6.6 | |
| swarmOS Analyzer | All versions | |
| Switch to User + Delegating SU (Jira) | Versions < 1.5.2 | |
| Sync Sub-Tasks to Parent | All versions | |
| Team Trax: Vacation, holidays, sick leaves tracker for Jira | All versions | The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540. |
| Teamworkx Issue Picker for Jira | Versions < 8.7.8 | |
| Teamworkx Issue Publisher for Jira | Versions < 12.5.1 | |
| Teamworkx OTRS Integration for Jira | Versions < 70.40.10.0 | |
| Teamworkx Push and Pull Favorites | Versions < 7.0.11.9 | |
| Telegram Bot | All versions | |
| Template Manager | Versions < 1.4 | |
| TemplateMe! - Customized notifications | Versions < 2.8 | |
| Terms and Conditions for Jira | Versions < 2.1.0-5 | |
| Testlab for Jira | All versions | |
| Time in status \| SLA \| Timer \| Stopwatch for Jira DC/Cloud | Versions < 5.4.2 | |
| Timeline | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Timeline for Jira | Versions < 2.0.4 | The app vendor notes that all affected actions for versions < 2.0.4 enforce additional permission checks that are not vulnerable to CVE-2022-0540. |
| Timetracker - Time Tracking & Reporting | Versions < 4.9.8 | |
| TodoMe Connector (Jira) | All versions | |
| TodoMe for Jira | All versions | |
| ToDos for Jira Issues | All versions | |
| Translate Field Options for Jira | Versions < 1.3.6 | |
| Translator for Jira | All versions | |
| Trophy - gamification for Jira | Versions < 1.0.4 | |
| UiPath Test Manager for Jira | All versions | |
| URL Restrictions for Jira | Versions < 1.0.7 | |
| User Anonymizer for Jira (GDPR) | Versions < 2.0.5 | |
| User Availability Tracker for Jira | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| User Management by Project Administrator | Versions < 82000.1.14 | |
| User Mention Groups for the Richtext Editor | All versions | |
| User Picker Avatar for Jira | Versions < 3.5.0 | |
| User Profiles for Jira | Versions < 2.4.5 | |
| User Switcher for Jira | Versions < 3.1.1 | |
| VCAP - Video Capture for Jira Service Management | All versions | |
| Version & Component Sync for Jira | Versions < 2.9.7 | |
| VIP.LEAN TOOLS - Advanced Links | Versions < 1.1.4 | |
| vLinks - Easy Issue Linking | Versions < 2.3.2-25ca8af | |
| Watch It for Jira | Versions < 3.1.2 | |
| WBS Gantt-Chart for Jira | Versions < 9.14.4.1 | |
| Whiteboards for Jira: team collaboration | Versions < 1.51.2 | |
| Who deleted my issues | All versions | |
| Workflow Magic Box | Versions < 1.12-RELEASE | |
| Worklog History PRO | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Worklog express | Versions < 8.5.5-SNAPSHOT | |
| Worklogs - Time Tracking and Reports | Versions < 1.4.3 | |
| xCharts - Custom Charts & Reports for Jira | Versions < 1.7.8 | |
| xPort - Custom Worklog Export for Jira | Versions < 1.2.1 | |
| Xporter - Export issues from Jira | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |

Workarounds

Installing a fixed version of Jira or Jira Service Management is the most reliable remedy.
Once a fixed version is installed, every app on the instance is protected against CVE-2022-0540 and no further action is required.

If you use an affected app and cannot install a fixed version, check the table of affected apps above to see whether an unaffected version of that app is available,
and update every affected app to an unaffected version.

If you use one of the apps described above and all of its versions are affected, you can mitigate the security risk by disabling the app
until you install a fixed version of Jira or Jira Service Management.

Do not disable Insight - Asset Management on the following versions of Jira Service Management:

  • 4.19.x
  • 4.20.x < 4.20.3

Disabling Insight - Asset Management on these versions of Jira Service Management disables all of Jira Service Management.

For details on how to disable the Insight - Asset Management app, see the Jira KB article.



FAQ

Common questions about CVE-2022-0540 are maintained on the page FAQ for CVE-2022-0540.



