Notification: Patch Released for JumpServer Vulnerability

Please upgrade to a safe version as soon as possible.

January 15, 2021 - JumpServer, an open-source Privileged Access Management (PAM) system, has found a remote execution vulnerability that users need to address as soon as possible, especially users who expose their JumpServer instance to the public network.

The affected versions are as follows:

  • JumpServer < v2.6.2
  • JumpServer < v2.5.4
  • JumpServer < v2.4.5

The safe (patched) versions are as follows:

  • JumpServer >= v2.6.2
  • JumpServer >= v2.5.4
  • JumpServer >= v2.4.5

How to fix

It is highly recommended that all JumpServer users (community edition and enterprise edition alike) upgrade to a safe version as soon as possible.

Temporary fix

Until you can upgrade, modify the Nginx configuration file to block the vulnerable endpoints:

  • /api/v1/authentication/connection-token/
  • /api/v1/users/connection-token/

The Nginx configuration file is located at one of the following paths, depending on your installation:

```nginx
# Previous community version
/etc/nginx/conf.d/jumpserver.conf
# Previous enterprise version
jumpserver-release/nginx/http_server.conf
# Latest version
jumpserver-release/compose/config_static/http_server.conf
```

An example of the modified Nginx configuration is as follows:

```nginx
### make sure it is added before /api and /
location /api/v1/authentication/connection-token/ {
    return 403;
}

location /api/v1/users/connection-token/ {
    return 403;
}
### add the above code

location /api/ {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://core:8080;
}

...
```

Restart the Nginx service after modifying the configuration file.
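As an added check (example code written for this page, not part of the advisory or of the JumpServer project), the script below decides whether a JumpServer version string still falls in the affected range and inspects an Nginx configuration text for the two `return 403` blocks of the temporary fix. It assumes that branches newer than 2.6 already carry the fix, that anything older than 2.4 is affected, and that `location` blocks in the file are not nested; the sample configurations are constructed.

```python
import re

# Endpoints the advisory says to block (taken from the page).
VULNERABLE_PATHS = (
    "/api/v1/authentication/connection-token/",
    "/api/v1/users/connection-token/",
)

# Lowest fixed release per maintained branch (taken from the advisory).
FIXED_BY_BRANCH = {(2, 6): (2, 6, 2), (2, 5): (2, 5, 4), (2, 4): (2, 4, 5)}


def parse_version(text):
    """Turn 'v2.6.1' or '2.6.1' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def is_affected(version):
    """True if this JumpServer version still needs the patch.

    Assumption (not stated on the page): branches newer than 2.6 already
    include the fix, and anything older than 2.4 is treated as affected."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in FIXED_BY_BRANCH:
        return ver < FIXED_BY_BRANCH[branch]
    return ver < (2, 4)


LOCATION_RE = re.compile(r"location\s+(?:=\s*)?(\S+)\s*\{([^}]*)\}", re.S)


def unblocked_paths(nginx_conf):
    """Return the vulnerable paths that have no 'location ... { return 403; }'
    block in the given Nginx config text. Comments are stripped first so a
    commented-out block does not count as protection."""
    conf = re.sub(r"#.*", "", nginx_conf)
    blocked = {path for path, body in LOCATION_RE.findall(conf)
               if re.search(r"\breturn\s+403\b", body)}
    return [p for p in VULNERABLE_PATHS if p not in blocked]


# Constructed sample: an /api/ proxy without the mitigation ...
UNPATCHED_CONF = """
location /api/ {
    proxy_set_header Host $host;
    proxy_pass http://core:8080;
}
"""

# ... and the same file with the two blocking locations added in front.
PATCHED_CONF = """
# block the connection-token endpoints before /api/ (constructed sample)
location /api/v1/authentication/connection-token/ { return 403; }
location /api/v1/users/connection-token/ { return 403; }
""" + UNPATCHED_CONF
```

Run `unblocked_paths()` over your real config text: an empty list means both endpoints are blocked, any path returned still needs a `return 403` location.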

Acknowledgement:

Thanks to the Alibaba HackerOne bug bounty program (Sweden) for promptly reporting this bug to us.
