Hi,
In our production environment, we've made changes in web.xml trying to block PUT requests to the vulnerable endpoint, and we receive a 403 response code, but in the headers we can see Allow=POST,OPTIONS,PUT, and it was the same before the workaround.
Is it possible that the environment is not applying the changes in web.xml??
In a test environment, we applied the workaround and then we get a response with the message "The requested method PUT is not allowed for the URL /jira/rest/jira-importers-plugin/1.0/demo/create.". But in this case, when we remove the blocking code from web.xml and restart, the endpoint is still blocked. Is it possible that, in this case, the environment is not applying the changes?
We're not sure how to confirm that the endpoint is blocked.
Server version: 7.5.3
Thanks for the help.
Regards.
Hi Eloi,
Thanks for reaching out. First, as a reference point, the Security Advisory Workaround is posted here:
I recommend doing a quick double check on the syntax to verify it lines up with the KB, and verifying that the file permissions were not altered in some way when editing: on Windows the service user should have full control; on Linux, the permission settings can be seen here. Next, verify that the Jira application was restarted.
Then, to verify that the settings did take effect as covered in the KB:
try to send a PUT request to the endpoint <JIRA_BASE_URL>/rest/jira-importers-plugin/1.0/demo/create?key=NA&name=NA&lead=NA
Examples of how to format this using a curl command can be seen here:
If the setting was correctly applied, the PUT will fail.
Regards,
Earl
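A small script for the verification step described above, added here as an example; it is not part of this thread or of Atlassian's KB. It assumes a JIRA_BASE_URL environment variable (the default below is a placeholder) and classifies the raw `curl -i` response to the PUT: an HTTP 403 or 405 status counts as "PUT refused", anything else as "not blocked". The Allow header is extracted and printed for information only, so the decision rests on the status code rather than on what the endpoint advertises.

```shell
#!/bin/sh
# Added example (not from the thread or from Atlassian). Sends an unauthenticated
# PUT to the importers-plugin endpoint and decides, from the status code, whether
# the web.xml workaround is actually refusing the method.

# Hypothetical default; point JIRA_BASE_URL at the instance under test.
JIRA_BASE_URL="${JIRA_BASE_URL:-http://localhost:8080/jira}"
ENDPOINT="/rest/jira-importers-plugin/1.0/demo/create?key=NA&name=NA&lead=NA"

# Print only the header block of a raw `curl -i` response, CRs stripped.
headers_of() {
    printf '%s\n' "$1" | tr -d '\r' | sed '/^$/q'
}

# Numeric status from the status line, e.g. "HTTP/1.1 403 Forbidden" -> 403.
put_status_code() {
    headers_of "$1" | head -n 1 | awk '{print $2}'
}

# Value of the Allow header (first occurrence), empty if absent.
allow_header() {
    headers_of "$1" | grep -i '^Allow:' | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# One-line summary: "<status> allow=<header or ->".
summarize() {
    allow=$(allow_header "$1")
    printf '%s allow=%s\n' "$(put_status_code "$1")" "${allow:--}"
}

# Exit 0 when the PUT was refused (403 Forbidden or 405 Method Not Allowed),
# 1 when the server accepted or otherwise handled the method.
put_blocked() {
    case "$(put_status_code "$1")" in
        403|405) return 0 ;;
        *)       return 1 ;;
    esac
}

# Live check: no credentials on purpose, since that is how the endpoint would be
# reached from outside. Returns 2 if curl itself failed (DNS, TLS, timeout).
check_live() {
    resp=$(curl -sS -i --max-time 15 -X PUT "$JIRA_BASE_URL$ENDPOINT") || return 2
    summarize "$resp"
    put_blocked "$resp"
}

# Run the live check only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Saved as, say, check_put.sh and run as `JIRA_BASE_URL=https://jira.example.com/jira sh check_put.sh --live` against each environment, it prints the status and Allow header and exits 0 only when the PUT was refused, which makes the test and production results directly comparable.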
Hi Earl,
Thanks for your response. Yes, I tried to send the request specified, but I'm not sure what result I should receive. I attach examples:
Test Environment:
Production Environment:
That's why I think that on production the changes have had no effect. In both environments I modified the same file with the same lines and restarted the application.
Thanks for your attention.
Regards.