Atlassian has disclosed a critical vulnerability in some of its products that could be exploited to enable remote attackers to execute arbitrary code in some Jira Data Center products.
The vulnerability tracked as CVE-2020-36239 exists in Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center products.
The vulnerability is the result of a missing authentication flaw in Jira’s implementation of Ehcache, which is a widely used open source cache that’s used by Java applications to enhance performance and scalability.
Last month, cybersecurity researchers from Check Point Research found security flaws in Atlassian’s collaboration software and developer tools, which could potentially be exploited to launch a SolarWinds-like supply-chain attack.
Exploiting the newly patched flaw in the Jira Data Center products, remote attackers could connect to Ehcache’s RMI (remote method invocation) ports without being asked for any authentication information, giving them the opportunity to execute arbitrary code of their choice in Jira via object deserialization.
In an email announcement seen by BleepingComputer, Atlassian is urging its enterprise customers to upgrade to the patched versions of these products without delay.
Atlassian has also published workarounds for customers who can’t immediately update the affected instances, which basically involves restricting access to the Ehcache RMI ports on the affected products to only cluster instances.