Security
Overview
JEMH provides access to JIRA via email for issue creation, as well as custom field updates, workflow transitions etc, as well as some additional features to interactive users for outbound mail sending (specifically AdHoc notifications). There are security considerations in all areas, this page is designed to (start to) describe them in sufficient detail to inform any security related vulnerabilities that may exist for a given configuration.
Critical Vulnerability Exploit (CVE) handling process
As an Atlassian Marketplace app we follow the https://developer.atlassian.com/platform/marketplace/vulnerability-management-for-marketplace-apps/ process. We follow the https://developer.atlassian.com/platform/marketplace/security-bugfix-policy/ for security related issues/CVE’s where we would log such issues through the Atlassian Marketplace Security (AMS) project : https://ecosystem.atlassian.net/jira/software/c/projects/AMS/issues/ for tracking and to establish our target remediation.
Data Center Customer notifications
Depending on the level of the CVE we may notify customers at this point. This would be driven by the technical contact found from the Atlassian billing system (applies to Data Center customers only), allowing a mail merge notification.
When a remediation and a fix has been made available, we will issue a further/final notification to that effect, again for Data Center customers only.
Server Customer notifications
We can’t guarantee notify Server customers directly as we don’t centrally store end user technical contacts. A request would be made to Atlassian for technical contact info for Server customers, enabling a mail merge notification.
There will be a blog entry on our app space (here) as well as obvious references in the app release notes. Customers of Server can subscribe to the Marketplace App entry to be notified of new versions.
Sources of CVE
The JEMH Server/DC app has an active Bug Bounty rewards programme run by #1 Crowdsourced Cybersecurity Platform | Bugcrowd where researchers can log vulnerabilities.
Advising us of a CVE
Demonstrable CVE exploits can be logged by anyone directly through our support portal https://thepluginpeople.atlassian.net/servicedesk/customer/portal/1, we do not pay out for vulnerabilities logged in this way.
Attack Scenarios
Access via Email
Attack Type | Attack Description | Mitigation |
---|---|---|
Unauthorized access | Anyone on the planet can send an email, unauthorized users, bots, scripts, anything can target an smtp address if its known, this can result in spam or worse, a denial of service (DOS) attack. |
|
Email Forgeries | Anyone with a suitable routing mail server can initial email and present any sender address they like. This Effectively sets the remote users email address to mimic another user, potentially internal, with elevated security. Email is inherently insecure. |
|
Privilege Escalation | In general, anyone can combine the above two attacks to craft emails that will pass default JIRA mail handler and JEMH message checks, allowing comments or attachments to be added to issues. | There is no mitigation currently. Emails are taken at face value, if the sender is 'userx@domain.com' then the email is processed as that user, comments and attachments are created and attributed to that user. |
Directive abuse | JEMH support Directives, a way to update any field on a JIRA issue that can be updated. Anyone who can edit issues can edit fields. JEMH Directives can be used for this in unexpected ways if it is enabled |
|
Mailbombs | Suitably crafted emails can result in out of memory problems causing a DOS scenario |
|
|
|
|
Interactive Users
Attack Type | Attack Description | Mitigation |
---|---|---|
Unauthorized Profile Changes | A user can defeat any profile level security setting |
|
Unauthorized use of AdHoc Notifications | Anyone authorized to use JEMH AdHoc Notifications can by nature set an arbitrary recipient, as well as set the from: address details. |
|
DOS due to webaccess | Any interaction with JIRA can trigger all related addons to re-evaluate license status, in some cases, this load can result in a DOS. JIRA user-facing UI features that trigger licensing checks are:
|
|
Feel free to log any security related concerns through our support portal: https://thepluginpeople.atlassian.net/servicedesk/customer/portal/1