Atlassian JIRA

White Paper: IT Project Management

Atlassian JIRA is a bug localization, problem tracking and project management application designed to facilitate these processes.

JIRA features

• Manage errors, capabilities, tasks, enhancements, or any problem.
• Simple and powerful user interface designed for both business and technical users.
• Track changes, components, and versions.
• A complete system of text search and powerful filtering.
• Customizable dashboards and real-time statistics.
• Enterprise Access and Security Management.
• Easily expands and integrates with other systems (including email, RSS, Excel, XML, and source management).
• Runs on almost any hardware, operating systems, and database platform.

2023

FSTEC warned of dangerous vulnerability in Jira

The Federal Service for Technical and Export Control in December 2023 warned that a dangerous vulnerability was found in Atlassian's Jira development tool. Its code in the NOS FSTEK BDU:2023-08497^[1], and the danger is estimated as 9.8 out of 10 according to the CVSS methodology. "Exploitation of the vulnerability can allow an attacker acting remotely to execute arbitrary code by spoofing the application server (implementing a spoofing attack)," warns FSTEC.

Agents of Atlassian management tools such as Jira Service Management DC & Server (versions 1.0 to 3.1.11) and Cloud according to version 6.1.14 are vulnerable. The danger is due to the fact that agents used in conjunction with these products do not reliably authenticate the management server. Therefore, the attacker has the opportunity to pass off his control server as legitimate and force the agent to execute malicious commands from an outsider.

Although Atlassian no longer works with Russian users, nevertheless, quite a lot of its products are still installed in Russian companies. In particular, the Netlas search engine shows that it discovered about 1.3 thousand Jira servers in Russia, which is in third place in the distribution of this product in the world. Russia is second only to the United States (3.1 thousand servers) and Germany (2.9 thousand servers) in popularity of Jira.

However, for Russian users there is a problem with installing updates - these vulnerabilities are fixed in versions 3.2 for DC & Server and 6.2 for Cloud. The developers themselves^[2] - to update vulnerable products to secure versions as soon as possible to eliminate vulnerabilities. Moreover, first you need to remove vulnerable agents, then install the update and only then install new versions of agents. The recommendations of the FSTEC are as follows:

Due to the current situation and the imposed sanctions against the Russian Federation, it is recommended to install software updates only after assessing all associated risks. Compensatory measures: removal of asset discovery agents Assets Discovery; Restricting access to the 51337 port use of firewalls to limit the possibility of remote access.

Beeline data breach

In early March 2023, information appeared that the attackers posted a database containing 1.5 GB of Beeline data. The information was stolen from the company's account on the Jira service. Read more here.

2021

Warning of possible risks of incorrect configurations

Varonis On December 3, 2021, the company announced that errors in organizing access to Jira could lead to compromise data of employees and projects of hundreds of companies, including those on the Fortune 1000 list. The likelihood of such a risk was identified by Varonis experts who analyzed 812 subdomains corporate sites. Subdomains provide access to Jira environments, through which 3774 dashboards, 244 projects and 75629 entries containing addresses and e-mail, URL IP addresses are available.

The study found that the Jira REST API provides access to much more data than the web interface. This feature of the API is not vulnerable and only manifests itself in the event of incorrect configuration of access rights. However, Jira administrators may be misled and inadvertently open access to sensitive data.

So, during the monitoring of the systems of one of the logistic companies, the Jira control panel was discovered in the public domain, which contained public URLs of the company's confidential systems. In another case (we are talking about one financial of the organizations), Varonis experts found that due to an error with access rights, the email addresses of bank employees were in the public domain. In both cases information , it could be used by cybercriminals to conduct or phishing attacks attempt to hack corporate systems.

Jira is an Atlassian service that is used to organize software development teams. One of its elements is the information panels used by Team Management. Dashboard permissions can be configured by system administrators. Due to the inaccurate wording used earlier in the access control interface, Jira administrators could mistakenly provide access to Jira information panels to everyone. A few years ago, Atlassian fixed this vulnerability, but globally disabling open access does not automatically remove public permissions from Jira objects - you need to reconfigure the sharing settings on each control panel. The Varonis research team found that more open data could be extracted using the REST API Jira. Using the REST API, an attacker can write a simple script to scan the company's Jira account and quickly extract confidential data.

Uncorrected errors can be used by cybercriminals to obtain both general information (project name, composition of its participants) and detailed information - URLs of the company's information systems, email addresses of its employees, including addresses of system administrators. All this data can be used to carry out attacks on the infrastructure: sending phishing emails, hacking systems using brute force passwords or known vulnerabilities.

It is worth recalling that errors associated with organizing access to information systems of companies are recognized as the most significant risk by the OWASP Foundation web application security community. The reason for such a serious assessment of this risk category is the use by companies of a huge number of SaaS applications, many of which are integrated with each other and can be compromised due to the erroneous configuration of third-party services, said Daniel Gutman, head of Varonis in Russia.

Varonis experts believe that due to an error with access rights to Jira panels, 3,000 email addresses, 5,500 IPv4- and more than 60,000 URLs of corporate information systems could have been compromised.

Varonis recommends that all organizations using Jira in both cloud and on-premium infrastructures audit access policies for their systems. To do this, you can use a special service from Atlassian, which describes all the measures necessary to eliminate errors. In addition, administrators can check access rights in the Jira (Settings-System-Global Permissions) settings.

Inclusion in Gartner Quadrant

In recent years, an increasing number of companies have been used Agile to manage development. As the State of Agile 2021 report, prepared by Digital.ai, showed, in 2021 there was an explosive growth in the implementation of this methodology "from 37% in 2020 to 86% in 2021, and in IT - from 26% to 60%, respectively. As Gartner experts noted: "The pandemic has required companies to rapidly implement new processes, practices and technologies to support changes in the way products and services are delivered." Among the leaders was the company Atlassian with the Jira solution. More. here

2020: Addressing a vulnerability to get sensitive user information

Positive Technologies expert Mikhail Klyuchnikov has identified a vulnerability in Jira components - systems for tracking errors, organizing user interaction and project management. PT reported this on October 16, 2020.

The vulnerability allowed obtaining confidential information about system users. The products of the developer Jira - Atlassian - as of October 2020 are used by 170 thousand customers in more than 190 countries.

Such vulnerabilities significantly save the attacker time: they make it possible to determine the presence of an account with one or another login in the system, - said Mikhail Klyuchnikov. - By enumerating various logins, it turns out which users are present in the system. If there is no login, the system will inform about it, if there is, it will also give out personal data (if they are entered into the system). After brute-force the existing logins, the attacker could go to the selection of passwords for each existing user. In the absence of this vulnerability, an attacker has to blindly brute-force passwords to logins that may not be on the system. The vulnerability reduces the hacker's labor costs and reduces the likelihood of detecting an attack, which ultimately makes the target more attractive to the hacker. And so we strongly recommend updating.

The security flaw received a CVE-2020-14181 ID and a rating of 5.3, which corresponds to the average level of danger. The reason for the error is due to the ability to access a specific scenario for any unauthorized user. The vulnerability affected Jira Server and Data Center. The company has published updates in which this error has been fixed. The vulnerability was fixed in versions 7.13.6, 8.5.7 and 8.12.0 of the products.

2017: Microsoft Project + Atlassian Jira

Main article: SysSoft: Stack of solutions for project management

On September 18, 2017, SysSoft introduced the project management solution stack, which presents the Microsoft Project and Atlassian Jira project management systems. The proposal is intended to help in the formation of a single environment that is equally convenient both for the management of companies, project managers and economists, and for the development team.

2012

JIRA 5.2

• Features of the new JIRA 5.2 navigator make the search more powerful and faster (without restarting the page);
• Background indexing;
• New characteristics and settings of tools;
• Implementing webhooks notifications.

JIRA 5.1 EAP 1

JIRA 5.1 EAP 1 (or milestone 2, or 'm2') is a public release of a new upcoming version of the JIRA 5.1 product. The release allows JIRA users to look ahead to the functionality of the upcoming global product update. This release also allows developers of additional JIRA modules to test their modules for compatibility with the new version of the product.

New features of JIRA 5.1 according to 2012 data:

• Quick editing of applications;
• Cancel page redrawing during requisition operations;
• Improved overall product performance;
• More convenient editing of the workflow;
• Quickly add users to JIRA through the special invitation mechanism;
• Simplified creation of links between applications;
• Auto-subscription and tracking of the creator of applications for their applications;
• The ability to test and debug the JIRA database.