Atlassian Jira Contact Administrator Server Side Template Injection (CVE-2019-11581)
Recently a Server Side Template Injection vulnerability was discovered in Atlassian Jira. The vulnerability allows attackers to achieve Remote Code Execution on unpatched Jira instances.
Jira uses the Apache Velocity template engine in order to render various email notification templates that are sent to the users during the day to day work with the system. Velocity allows Java functions to be called and Java objects to be used alongside the standard HTML content that defines the email template.
The vulnerability root cause is in Jira’s administrators contact form which allows users to report issues via email directly to the system administrators. This feature is disabled by default and can only be enabled when an SMTP server is configured in Jira.
Figure 1: Jira Contact Administrator Form
Figure 2: Jira Contact Administrator Velocity Template File
Before Jira was patched the subject field of the form was directly inserted to the template as a string and was not escaped correctly by binding it into a Velocity variable. This allowed anyone who submits the form to inject valid Velocity code into the template which will later be interpreted once the template is rendered.
Figure 3: Jira Contact Administrator unpatched Java code
After the patch the Java code that binds the user input into the Velocity template was changed by creating an additional Velocity variable for the subject field.
Figure 4: Jira Contact Administrator patched Java code
Mitigating the vulnerability with BIG-IP ASM
BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability, as the exploitation attempt will be detected by an existing Java code injection attack signature (200004174) which can be found in signature sets that include “Server Side Code Injection” attack type or “Java Servlets/JSP” System.
In addition we will release an additional signature specific to this vulnerability in the upcoming ASM Security Update.
Figure 5: Exploitation attempt blocked by signature id 200003437.