Dataplane Security Notice 2016-03-09

Notice Date: March 9, 2016

Overview

Arsenale is advising customers of a critical-rated security issue in Arsenale Dataplane for JIRA.

The latest version of Arsenale Dataplane (2.3.3) and all subsequent releases contain a fix for this vulnerability. This vulnerability was introduced in Dataplane 2.0.

This vulnerability allows remote code execution with the privileges of the JIRA process. To exploit the vulnerability, the attacker needs to be authenticated against JIRA, have been granted access to use Dataplane, and have been granted permission to use Dataplane Customizer Scripts.

This issue was discovered internally by Arsenale during a routine security audit, and we are not aware of any instances of customer systems being exploited.

As of this writing, the most recent version of Dataplane (2.3.3) can be downloaded from the link below or updated directly through the JIRA add-on manager:

For users who are unable to upgrade to Dataplane 2.3.3 or higher, Arsenale has prepared patch releases for the prior major versions of Dataplane that are impacted by the vulnerability. The following versions of Dataplane incorporate a backported fix for the issue:

Questions

If you have any questions, please contact us at Arsenale Support.