Gal_Goldshtein
F5 Employee

A Server-Side Template Injection (SSTI) vulnerability was recently disclosed in Atlassian Jira. It allows an attacker to achieve Remote Code Execution (RCE) on unpatched Jira instances.

 

Jira uses the Apache Velocity template engine to render the email notification templates it sends to users during day-to-day work with the system. Velocity's template language (VTL) lets a template reference Java objects placed in its context and call their methods, alongside the static HTML content that makes up the email body. A Velocity template is therefore executable code, not inert text, and any user input that ends up inside the template source is executed rather than displayed.

 

The root cause lies in Jira's Contact Administrators form, which lets users report problems to the system administrators by email. The feature is disabled by default and can only be enabled once an SMTP server has been configured in Jira.

 

Figure 1: Jira Contact Administrator Form

 

 

 

Figure 2: Jira Contact Administrator Velocity Template File

 

 

 

Before the patch, the subject field submitted through the form was concatenated directly into the Velocity template source as a string, instead of being bound to a Velocity context variable and referenced from the template. Velocity therefore parsed the subject as template code, so anyone who could submit the form could place Velocity directives (and, through them, Java method calls) in the subject, and they were interpreted when the notification template was rendered.

 

Figure 3: Jira Contact Administrator unpatched Java code

 

 

 

The patch changes the Java code that binds user input into the template: the subject is now passed in as an additional Velocity context variable, and the template references that variable instead of embedding the raw string in its source. A context value is emitted as data and is never re-parsed by Velocity, which is what closes the injection.

 

Figure 4: Jira Contact Administrator patched Java code
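The following is an added example, written for this article and not taken from Jira's source code, that reproduces the unpatched and patched binding patterns shown in Figures 3 and 4 with the public Apache Velocity API. The template text, class and method names are assumptions; the real Jira template and exploit payload are not reproduced here, and a harmless `#set` arithmetic directive stands in for a real payload.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;

public class ContactAdminTemplateDemo {

    // Hypothetical template text standing in for Jira's contact-administrators
    // email template; the real template file is not reproduced here.
    private static final String TEMPLATE_HEAD = "<p>Subject: ";
    private static final String TEMPLATE_TAIL = "</p>\n<p>$message</p>\n";

    // Unpatched pattern: the user-controlled subject is spliced into the
    // template SOURCE, so Velocity parses anything inside it as VTL.
    static String renderUnpatched(String subject, String message) {
        String templateSource = TEMPLATE_HEAD + subject + TEMPLATE_TAIL;
        VelocityContext ctx = new VelocityContext();
        ctx.put("message", message);
        StringWriter out = new StringWriter();
        Velocity.evaluate(ctx, out, "contact-admin-unpatched", templateSource);
        return out.toString();
    }

    // Patched pattern: the subject is bound as a context variable and the
    // template only references it. Velocity emits the value as data and never
    // re-parses it, so directives inside the subject stay inert text.
    static String renderPatched(String subject, String message) {
        String templateSource = TEMPLATE_HEAD + "$subject" + TEMPLATE_TAIL;
        VelocityContext ctx = new VelocityContext();
        ctx.put("subject", subject);
        ctx.put("message", message);
        StringWriter out = new StringWriter();
        Velocity.evaluate(ctx, out, "contact-admin-patched", templateSource);
        return out.toString();
    }

    public static void main(String[] args) {
        Velocity.init();

        String benignSubject = "Cannot log in";
        // Harmless VTL used as a stand-in for a real payload: a directive that,
        // if interpreted, replaces itself with the result of the arithmetic.
        String injectedSubject = "#set($x = 6 * 7)$x";
        String body = "Please help.";

        System.out.println("unpatched / benign  : " + renderUnpatched(benignSubject, body));
        System.out.println("unpatched / injected: " + renderUnpatched(injectedSubject, body));
        System.out.println("patched   / injected: " + renderPatched(injectedSubject, body));
    }
}
```

Run against a Velocity 1.7 or 2.x jar on the classpath. In the unpatched rendering the directive is executed and the subject line shows the computed number; in the patched rendering the subject line shows the directive text verbatim. A real attacker would use the same injection point to reach Java objects exposed in the context and call methods on them, which is how template injection becomes code execution. Note the caveat that binding the value as a context variable only stops Velocity from parsing it; it does not HTML-encode the value, so output escaping remains a separate concern from the template injection fixed here.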

 

 

 

Mitigating the vulnerability with BIG-IP ASM

 

BIG-IP ASM customers on any supported BIG-IP version are already protected against this vulnerability: an exploitation attempt is detected by the existing Java code injection attack signature (200004174), which is included in signature sets covering the "Server Side Code Injection" attack type or the "Java Servlets/JSP" system.
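To make the detection idea concrete, here is an added example of the kind of check a signature applies to form parameters. It is written for this article; it is not the content of ASM signature 200004174 (which is not reproduced on this page) and not F5 code. The indicator patterns, class and method names, and the sample request bodies are assumptions constructed for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class VelocityInjectionCheck {

    // Hypothetical, deliberately narrow indicators of VTL directives or Java
    // reflection reaching a form parameter. These are NOT the contents of the
    // ASM signature; they only illustrate what a signature looks for.
    private static final Pattern[] INDICATORS = {
        // VTL directives such as #set, #if, #foreach, #evaluate
        Pattern.compile("#(set|if|foreach|macro|evaluate|include|parse)\\b"),
        // a context reference used to climb to a Class object: $obj.getClass / $obj.class
        Pattern.compile("\\$\\{?[A-Za-z_][A-Za-z0-9_]*\\.(class|getClass|forName)\\b"),
        // common reflection / process-spawning method calls
        Pattern.compile("\\.(getRuntime|exec|newInstance|getMethod|invoke)\\s*\\("),
    };

    // Decodes an application/x-www-form-urlencoded body and returns one finding
    // per (parameter, indicator) pair that matched. An empty list means clean.
    static List<String> scanFormBody(String urlEncodedBody) throws UnsupportedEncodingException {
        List<String> findings = new ArrayList<>();
        for (String pair : urlEncodedBody.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
            for (Pattern p : INDICATORS) {
                if (p.matcher(value).find()) {
                    findings.add(name + ": matched /" + p.pattern() + "/");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample request bodies, not captured traffic.
        String[] samples = {
            "subject=Cannot+log+in&details=Reset+link+expired",
            // subject = #set($x=6*7)$x
            "subject=%23set%28%24x%3D6*7%29%24x&details=hello",
            // subject = $o.getClass().forName("java.lang.Runtime")
            "subject=%24o.getClass%28%29.forName%28%22java.lang.Runtime%22%29&details=x",
        };
        for (String body : samples) {
            List<String> findings = scanFormBody(body);
            System.out.println(body);
            System.out.println(findings.isEmpty() ? "  clean" : "  BLOCK " + findings);
        }
    }
}
```

The first sample produces no findings; the second matches the directive pattern on the `subject` parameter, and the third matches the reflection pattern. Indicator regexes like these are a compensating control only: they raise false positives on legitimate text that happens to contain `#set`, and they can be evaded by obfuscating the payload, for example by building method names from string fragments inside the template. Applying the vendor patch, and disabling the contact form where it is not needed, remains the real fix.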

 

 

 

In addition, a signature specific to this vulnerability will be released in the upcoming ASM Security Update.

 

 

 

Figure 5: Exploitation attempt blocked by signature id 200003437.

Version history
Last update:
‎15-Jul-2019 13:29