Notification: Patch Released for JumpServer Vulnerability

Published on January 17, 2021

January 15, 2021 - JumpServer, an open-source Privileged Access Management (PAM) system, has a remote code execution vulnerability. Users should address it as soon as possible, especially those whose JumpServer instance is reachable from the public network.

The affected versions are as follows:

JumpServer < v2.6.2

JumpServer < v2.5.4

JumpServer < v2.4.5

The fixed versions are as follows:

JumpServer >= v2.6.2

JumpServer >= v2.5.4

JumpServer >= v2.4.5

How to fix

It is strongly recommended that users of JumpServer (both the community and the enterprise version) upgrade to a fixed version as soon as possible.

Temporary mitigation

As a temporary workaround, modify the Nginx configuration file to block the vulnerable API endpoints:

  • /api/v1/authentication/connection-token/
  • /api/v1/users/connection-token/

The location of the Nginx configuration file is as follows:

# Previous community version
/etc/nginx/conf.d/jumpserver.conf
# Previous enterprise version
jumpserver-release/nginx/http_server.conf
# Latest version
jumpserver-release/compose/config_static/http_server.conf

An example of the modified Nginx configuration is as follows:

### Make sure the two blocks below are added before the existing /api and / locations
location /api/v1/authentication/connection-token/ {
    return 403;
}

location /api/v1/users/connection-token/ {
    return 403;
}
### End of the added blocks; the existing configuration continues below

location /api/ {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://core:8080;
}

...

Restart the Nginx service after modifying the configuration file.
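The following script is an added example, not part of the advisory or the JumpServer project: it reads an Nginx configuration file and checks that both vulnerable endpoints have a `return 403` location block placed before the `/api/` and `/` locations, as the workaround above requires. The sample configurations embedded in it are constructed for the self-check, and the file path is an assumed command-line argument.

```python
import re
import sys

# Endpoints the advisory says must be blocked.
BLOCKED_PATHS = (
    "/api/v1/authentication/connection-token/",
    "/api/v1/users/connection-token/",
)
# Matches "location [modifier] <path> {" at the start of a line.
LOCATION_RE = re.compile(r"^\s*location\s+(?:[=~*^]+\s+)?(\S+)\s*\{", re.M)

def location_blocks(text):
    """(path, body) pairs in file order. Handles only flat location blocks
    without nested braces, which is what the advisory's config uses."""
    return [(m.group(1), text[m.end():text.find("}", m.end())])
            for m in LOCATION_RE.finditer(text)]

def check_mitigation(text):
    """Return a list of problems; an empty list means the workaround is in place."""
    blocks = location_blocks(text)
    order = [path for path, _ in blocks]
    problems = []
    for path in BLOCKED_PATHS:
        if path not in order:
            problems.append(f"missing location block for {path}")
            continue
        body = blocks[order.index(path)][1]
        if not re.search(r"\breturn\s+403\s*;", body):
            problems.append(f"{path} does not return 403")
        # The advisory requires the deny blocks to come before /api/ and /.
        for catch_all in ("/api/", "/"):
            if catch_all in order and order.index(path) > order.index(catch_all):
                problems.append(f"{path} is placed after location {catch_all}")
    return problems

# Constructed sample configs for a self-check; not taken from a real deployment.
PATCHED = """location /api/v1/authentication/connection-token/ { return 403; }
location /api/v1/users/connection-token/ { return 403; }
location /api/ { proxy_pass http://core:8080; }
location / { proxy_pass http://core:8080; }
"""
UNPATCHED = """location /api/ { proxy_pass http://core:8080; }
location /api/v1/users/connection-token/ { return 403; }
"""

if __name__ == "__main__":
    # Assumed usage: python check_conf.py /path/to/http_server.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNPATCHED
    for problem in check_mitigation(text) or ["mitigation in place"]:
        print(problem)
```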

Acknowledgement:

Thanks to the Alibaba HackerOne bug bounty program (Sweden) for its responsiveness in reporting this bug to us.