On 10 July 2019, Atlassian released a security advisory for a critical severity vulnerability in most versions of Jira Server and Jira Data Center. The vulnerability was introduced in version 4.4.0, released in 2011, and affects versions as recent as 8.2.2, released on 13 June 2019.
The good news is that users of Jira Cloud are not affected. But how many organizations are running Jira Server or Jira Data Center, and are vulnerable to this attack?
Tens of Thousands of Potentially Affected Servers
Using data from Shodan.io, we identified approximately 50,000 potential instances of Jira. Of those, our further research confirmed just over 30,000 to be reachable Jira instances with version numbers. And of those, only 63 had versions that were safe from CVE-2019-11581.
So as of the day after the advisory, the vast majority of internet accessible Jira Server instances had vulnerable versions. It would be nice to show a chart comparing patched and unpatched versions, but there are so few secure instances they are not visible to the human eye. Instead, here is a chart of the ten most common versions of Jira Server in the population we surveyed, none of which are in the list of fixed Jira Server versions.
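As an added example (not code from the original post or from Atlassian), the Python below performs the kind of version triage the survey above relies on: it reads a Jira version string, checks it against the affected range stated on this page (4.4.0 through 8.2.2), and then applies a per-branch fixed-version list. The JSON shape assumes Jira's `/rest/api/2/serverInfo` response, the sample responses are constructed, and the fixed-version list is a constructed placeholder to be replaced with the versions from the advisory.

```python
"""Triage Jira Server version strings against CVE-2019-11581 (added example)."""
import json
import re
from collections import Counter
from typing import Iterable, Tuple

Version = Tuple[int, ...]

# Bounds as summarised on this page: the flaw was introduced in 4.4.0 and
# 8.2.2 is the newest affected release.
FIRST_AFFECTED: Version = (4, 4, 0)
LAST_AFFECTED: Version = (8, 2, 2)

# CONSTRUCTED placeholder for demonstration only; replace with the per-branch
# fixed versions published in Atlassian's advisory.
SAMPLE_FIXED_VERSIONS = ("7.3.50", "8.1.50")


def parse_version(text: str) -> Version:
    """Turn '7.13.5' (or '8.2.2-suffix') into a comparable 3-int tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def version_from_server_info(body: str) -> str:
    """Extract the 'version' field from a /rest/api/2/serverInfo response."""
    return json.loads(body)["version"]


def classify(version: str, fixed_versions: Iterable[str]) -> str:
    """Return 'vulnerable', 'fixed' or 'outside_range' for one Jira version."""
    v = parse_version(version)
    if v < FIRST_AFFECTED or v > LAST_AFFECTED:
        return "outside_range"
    # Fixes ship per release branch (major.minor): a version inside the affected
    # range is safe only if its own branch got a fix and it is at or above it.
    for f in map(parse_version, fixed_versions):
        if f[:2] == v[:2] and v >= f:
            return "fixed"
    return "vulnerable"


def summarize(bodies: Iterable[str], fixed_versions: Iterable[str]) -> dict:
    """Tally classifications over many serverInfo responses, as a survey would."""
    fixed = tuple(fixed_versions)
    return dict(Counter(classify(version_from_server_info(b), fixed) for b in bodies))


# Constructed serverInfo responses standing in for real survey data.
SAMPLE_RESPONSES = [
    '{"baseUrl": "https://jira.example", "version": "7.3.50"}',
    '{"baseUrl": "https://jira.example", "version": "7.3.49"}',
    '{"baseUrl": "https://jira.example", "version": "8.2.2"}',
    '{"baseUrl": "https://jira.example", "version": "8.2.3"}',
    '{"baseUrl": "https://jira.example", "version": "4.3.9"}',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RESPONSES, SAMPLE_FIXED_VERSIONS))
```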
We exported this data soon after the advisory was released. Since then, administrators have continued to take steps to remediate their instances, and there should be fewer vulnerable instances every day. An initial assessment of the prevalence of this risk, however, shows that tens of thousands of instances are potentially vulnerable and that patching has been far from universal.
Because the vulnerability is exploited through the "Contact Administrators Form" (a template injection), Atlassian also released guidance on a workaround: disabling this form. Some of the servers that have not been upgraded have been secured using this workaround. However, when we manually checked sites that appeared to be running vulnerable versions, they generally had not been patched since our initial data collection and showed no evidence of compensating controls. The only website where the version had changed since our initial data collection was one belonging to NASA. Good job NASA! But in the vast majority of cases there was no evidence the owners had upgraded to a secure version.
Additionally, administrators could disable the "Contact Administrators Form." Again, when manually checking random sites, only one displayed a notice that the form had been disabled.
The geographic distribution of servers with vulnerable versions is similar to the distribution of computing systems worldwide. Most are in the US, but vulnerable servers were detected in 134 different countries. Essentially every nation with a digital economy likely has Jira servers that could be affected by this vulnerability.
The hostnames for Jira Servers can provide insight into the types of organizations affected. Of the servers with vulnerable versions, 69 included .gov in the URL. Those servers were hosted in 16 different countries, creating potential risk for many government functions.
However many vulnerable servers there are today, there should be fewer tomorrow and fewer the day after that. That said, there are still a lot of potentially vulnerable Jira servers, and protecting against data loss due to this vulnerability requires knowing both whether your organization has a vulnerable instance and whether your vendors are running unpatched Jira servers.
Contact us if you'd like to check your Jira Server or Jira Data Center editions for this vulnerability.