Atlassian has disclosed a essential vulnerability in a few of its merchandise that could possibly be exploited to allow distant attackers to execute arbitrary code in some Jira Knowledge Heart merchandise.
The vulnerability tracked as CVE-2020-36239 exists in Jira Knowledge Heart, Jira Core Knowledge Heart, Jira Software program Knowledge Heart, and Jira Service Administration Knowledge Heart merchandise.
The vulnerability is the results of a lacking authentication flaw in Jira’s implementation of Ehcache, which is a broadly used open source cache that’s used by Java applications to enhance performance and scalability.
Last month, cybersecurity researchers from Check Point Research found security flaws in Atlassian’s collaboration software and developer tools, which could potentially be exploited to launch a SolarWinds-like supply-chain attack.
Exploiting the newly patched flaw in the Jira Data Center products, remote attackers could connect to Ehcache’s RMI (remote method invocation) ports without being asked for any authentication information, giving them the opportunity to execute arbitrary code of their choice in Jira via object deserialization.
In an email announcement seen by BleepingComputer, Atlassian is urging its enterprise customers to upgrade to the patched versions of these products without delay.
Atlassian has also published workarounds for patrons who can’t instantly replace the affected cases, which principally entails limiting entry to the Ehcache RMI ports on the affected merchandise to solely cluster cases.