Workaround for ScriptRunner Server/Data Center Code Execution Vulnerability (SRPLAT-876)


This workaround concerns the security vulnerability recently identified in ScriptRunner Server and Data Center.
Details of the vulnerability can be found on the issue ticket SRPLAT-876. The below information concerns the temporary workaround for this vulnerability.

If you are unable to upgrade your version of ScriptRunner immediately then, as a temporary workaround, you can block requests to the following endpoint:

<base_url>rest/scriptrunner/*/remote-events/

To verify that the workaround is applied correctly, check that requests to <base_url>rest/scriptrunner/*/remote-events/ are denied.

Below are examples of how to apply the workaround in Apache and Tomcat by blocking requests to the ScriptRunner Remote Events endpoint at the reverse proxy, load-balancer or application server level.

IMPORTANT: Please note that Adaptavist Support does not provide any assistance for configuring reverse proxies. Consequently, we provide the below examples as is, with no support and no written or implied warranties.


Example: Apache HTTPD Reverse Proxy

Apache 2.4 Syntax

Add the following into the .conf file that contains the virtualhost that proxies to the Atlassian application.

<LocationMatch "/rest/scriptrunner/.*/remote-events/">
    Require all denied
</LocationMatch>

Example:

<VirtualHost *:80>
    ServerName jira.example.com

    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass /jira  http://ipaddress:8080/jira
    ProxyPassReverse /jira  http://ipaddress:8080/jira

    # Unanchored regex, so the endpoint is also blocked under a context path such as /jira
    <LocationMatch "/rest/scriptrunner/.*/remote-events/">
        Require all denied
    </LocationMatch>
</VirtualHost>


Apache 2.2 Syntax

Add the following into the .conf file that contains the virtualhost that proxies to the Atlassian application.

<LocationMatch "/rest/scriptrunner/.*/remote-events/">
    Order Allow,Deny
    Deny from all
</LocationMatch>

Example:

<VirtualHost *:80>
    ServerName jira.example.com

    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        # Apache 2.2 access-control syntax; "Require all granted" is 2.4-only
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /jira  http://ipaddress:8080/jira
    ProxyPassReverse /jira  http://ipaddress:8080/jira

    # Unanchored regex, so the endpoint is also blocked under a context path such as /jira
    <LocationMatch "/rest/scriptrunner/.*/remote-events/">
        Order Allow,Deny
        Deny from all
    </LocationMatch>
</VirtualHost>


Example: Tomcat urlrewrite.xml

Redirect requests to /rest/scriptrunner/.*/remote-events/.* to a safe URL

  1. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

     <rule>
         <from>/rest/scriptrunner/.*/remote-events/.*</from>
         <to type="temporary-redirect">/</to>
     </rule>

  2. Save the urlrewrite.xml
  3. Restart Jira

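As an added check for the verification step above (this script is not part of Adaptavist's advisory), the following Python requests a few constructed sample paths that fall under the blocked pattern and reports any that are not denied. It assumes the Apache rules answer 403 and the urlrewrite rule answers with a 302 or 307 redirect, and jira.example.com remains a placeholder.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict

# Same unanchored pattern the LocationMatch / urlrewrite rules above use.
BLOCK_PATTERN = re.compile(r"/rest/scriptrunner/.*/remote-events/")

# Constructed sample paths: each falls under the pattern, so every one must be
# denied once the workaround is in place (version segment, deeper path, and the
# endpoint under a /jira context path).
SAMPLE_PATHS = [
    "/rest/scriptrunner/latest/remote-events/",
    "/rest/scriptrunner/1.0/remote-events/",
    "/rest/scriptrunner/latest/remote-events/some/deeper/path",
    "/jira/rest/scriptrunner/latest/remote-events/",
]

# 403: Apache "Require all denied" / "Deny from all"; 302/307: urlrewrite redirect.
# Anything else (200, 404, 500, ...) is reported for the operator to inspect.
DENIED_STATUSES = {403, 302, 307}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the redirect status itself is observed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str, timeout: float = 5.0) -> int:
    """GET the URL and return its HTTP status code (redirects not followed)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:  # 4xx/5xx and unfollowed 3xx land here
        return err.code


def verify_block(base_url: str, fetch: Callable[[str], int] = http_status) -> Dict[str, int]:
    """Return {path: status} for every sample path that is NOT denied; {} means OK."""
    not_denied = {}
    for path in SAMPLE_PATHS:
        assert BLOCK_PATTERN.search(path), path  # the rule is meant to cover each one
        status = fetch(base_url.rstrip("/") + path)
        if status not in DENIED_STATUSES:
            not_denied[path] = status
    return not_denied


if __name__ == "__main__":
    import sys
    leaks = verify_block(sys.argv[1])  # base URL, e.g. https://jira.example.com (placeholder)
    print("workaround verified" if not leaks else f"still reachable: {leaks}")
```

The fetch parameter exists so the check can be exercised offline with a stub; in production, run it from outside the proxy so the request actually traverses the rule.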
Have more questions?

Please raise a support request referencing SRPLAT-876. 
