
=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN588
_____________________________________________________________________

DATE                : 04/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running
       Bamboo Server and Data Center versions prior to 8.0.4,
       Bitbucket Server and Data Center versions prior to 7.17.1 LTS,
       Confluence Server and Data Center versions prior to 7.13.2 LTS,
       Crucible versions prior to 4.8.8,
       Fisheye versions prior to 4.8.8,
       Insight Asset Management app versions prior to 8.9.4,
       Jira Software Server and Data Center (including Jira Core)
                     versions prior to 8.20.1 LTS,
       Jira Service Management Server and Data Center versions prior to
                                4.20.1 LTS
       (other fixed branches are listed under Fixed Versions below).

=====================================================================
https://confluence.atlassian.com/security/multiple-products-security-advisory-unrendered-unicode-bidirectional-override-characters-cve-2021-42574-1086419475.html
_____________________________________________________________________


Multiple Products Security Advisory - Unrendered unicode bidirectional
override characters - CVE-2021-42574



Summary

CVE-2021-42574 - Unrendered unicode bidirectional override characters in
multiple products


Advisory Release Date

1 November 2021 12 AM UTC (Coordinated Universal Time, +0 hours)


Products

    Bamboo Server and Data Center

    Bitbucket Server and Data Center

    Confluence Server and Data Center

    Crucible

    Fisheye

    Jira Service Management Server and Data Center (and Insight Asset
          Management app)

    Jira Software Server and Data Center (including Jira Core)


Affected Versions

Bamboo Server and Data Center

    All versions before 8.0.4

Bitbucket Server and Data Center

    All versions before 6.10.14

    All versions between 7.0.0 and 7.5.2 (inclusive)

    All 7.6.x LTS versions before 7.6.10

    All versions between 7.7.0 and 7.16.1 (inclusive)

    All 7.17.x LTS versions before 7.17.1

Confluence Server and Data Center

    All versions before 7.4.13

    All versions between 7.5.0 and 7.12.5 (inclusive)

    All 7.13.x LTS versions before 7.13.2

    Version 7.14.0

Crucible

    All versions before 4.8.8

Fisheye

    All versions before 4.8.8

Jira Service Management Server and Data Center

    All versions before 4.13.13

    All versions between 4.14.0 and 4.19.1 (inclusive)

    All 4.20.x LTS versions before 4.20.1

Insight Asset Management (Marketplace app for Jira Service Management)

    All versions before 8.9.4

Jira Software Server and Data Center (including Jira Core)

    All versions before 8.13.13

    All versions between 8.14.0 and 8.19.1 (inclusive)

    All 8.20.x LTS versions before 8.20.1


Fixed Versions

Bamboo Server and Data Center

    8.0.4

Bitbucket Server and Data Center

    6.10.14

    7.6.10

    7.17.1

Confluence Server and Data Center

    7.4.13

    7.13.2

    7.14.1

Crucible

    4.8.8

Fisheye

    4.8.8

Jira Service Management Server and Data Center

    4.13.13

    4.20.1

Insight Asset Management (Marketplace app for Jira Service Management)

    8.9.4

Jira Software Server and Data Center (including Jira Core)

    8.13.13

    8.20.1


CVE ID            CVE-2021-42574


Summary of Vulnerability

This advisory discloses a high severity security vulnerability which was
introduced in the product versions enumerated under Affected Versions
above.



For information on how this affects Atlassian Cloud sites, see
CVE-2021-42574 - Unrendered unicode bidirectional override characters in
Cloud sites


If your Atlassian site is accessed via an atlassian.net domain, it is
an Atlassian Cloud site.


Customers who have upgraded to a version listed under Fixed Versions in
the table above are not affected.


Customers who have downloaded and installed a version listed under
Affected Versions in the table above, please upgrade your installations
immediately to fix this vulnerability.



CVE-2021-42574 - Unicode bidirectional override character Trojan Source
attack

Severity

Atlassian rates the severity level of this vulnerability as high,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your
own IT environment.


Description

A vulnerability has been identified affecting multiple Atlassian
products where special characters, known as Unicode bidirectional
override characters, are not rendered or displayed in the affected
applications. These control characters (for example U+202E
RIGHT-TO-LEFT OVERRIDE, or the isolates U+2066 to U+2069) are normally
invisible in browsers and code editors, but they change the visual order
of the surrounding text without changing its logical order. Source code
can therefore be displayed to a reviewer in one form while a compiler or
interpreter, which reads the logical order, processes it in another: a
statement that appears to be live code may in fact sit inside a comment
or a string literal, and vice versa.



Acknowledgements

The issue was identified and reported by Nicholas Boucher and Ross
Anderson of the University of Cambridge. Details are disclosed at
CVE-2021-42574.



Fix

We have taken the following steps to address this issue:

    Released Bamboo Server and Data Center version 8.0.4, which contains
     a fix for this issue.

    Released Bitbucket Server and Data Center versions 6.10.14, 7.6.10,
     and 7.17.1, which contain a fix for this issue.

    Released Confluence Server and Data Center versions 7.4.13, 7.13.2,
     and 7.14.1, which contain a fix for this issue.

    Released Crucible version 4.8.8, which contains a fix for this issue.

    Released Fisheye version 4.8.8, which contains a fix for this issue.

    Released Insight Asset Management marketplace app version 8.9.4,
     which contains a fix for this issue.

    Released Jira Service Management Server and Data Center versions
     4.13.13 and 4.20.1, which contain a fix for this issue.

    Released Jira Software Server and Data Center versions 8.13.13 and
     8.20.1, which contain a fix for this issue.



What you need to do

Atlassian recommends that you upgrade to the latest version. For a full
description of the latest versions, see the release notes for your
product:

    Bamboo Server and Data Center release notes

    Bitbucket Server and Data Center release notes

    Confluence Server and Data Center release notes

    Crucible release notes

    Fisheye release notes

    Jira Service Management Server and Data Center release notes

    Jira Software Server and Data Center release notes


You can download the latest version of your product from the download
center:

    Download Bamboo Server and Data Center

    Download Bitbucket Server and Data Center

    Download Confluence Server and Data Center

    Download Crucible

    Download Fisheye

    Download Insight Asset Management

    Download Jira Service Management Server and Data Center

    Download Jira Software Server and Data Center


Upgrade to the version recommended below or higher.



Product                             Action

Bamboo Server and Data Center       Upgrade to 8.0.4 or higher.

Bitbucket Server and Data Center    Upgrade to 7.17.1 LTS or higher.
                                    If you’re unable to upgrade to the
                                    latest LTS version, upgrade to the
                                    most appropriate version listed under
                                    Fixed Versions above.

Confluence Server and Data Center   Upgrade to 7.13.2 LTS or a higher
                                    7.13.x version.
                                    If you’re unable to upgrade to the
                                    latest LTS version, upgrade to the
                                    most appropriate version listed under
                                    Fixed Versions above.
                                    If you’re running 7.14.0, upgrade to
                                    7.14.1 or higher.

Crucible                            Upgrade to 4.8.8 or higher.

Fisheye                             Upgrade to 4.8.8 or higher.

Insight Asset Management app        Upgrade the app to 8.9.4 or higher.
                                    This is only required if you’ve
                                    installed Insight Asset Management
                                    from the Marketplace.

Jira Software Server and Data       Upgrade to 8.20.1 LTS or higher.
Center (including Jira Core)        If you’re unable to upgrade to the
                                    latest LTS version, upgrade to the
                                    most appropriate version listed under
                                    Fixed Versions above.

Jira Service Management Server      Upgrade to 4.20.1 LTS or higher.
and Data Center                     If you’re unable to upgrade to the
                                    latest LTS version, upgrade to the
                                    most appropriate version listed under
                                    Fixed Versions above.



Mitigation

The fix involved updating a number of common places where code is
displayed, such as in a pull request, code snippet, or code block, to
highlight bidirectional characters. A tooltip prompts users to take some
time to understand what the characters are doing, and how the code will
be interpreted when executed.

[Screenshot in the original advisory, not reproduced in this text
bulletin: the warning message shown when viewing a Confluence Data Center
page containing a code block with bidirectional characters.]
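The Python scanner below is an added example written for this bulletin,
not Atlassian's code. It shows the primitive the Description section
relies on (bidirectional controls reorder the displayed text while a
compiler reads the logical order) and does for a text file what the fix
described under Mitigation does in the product UI: it makes every
bidirectional control visible, reports its position, and flags lines that
open an override or isolate without closing it. The C snippet it scans is
constructed for this example, modelled on the published "commenting-out"
Trojan Source pattern; the function and class names are the example's own.

```python
"""Scanner for Unicode bidirectional control characters (CVE-2021-42574).

Added example, not Atlassian code. It flags the nine explicit bidi
formatting characters that the Trojan Source technique relies on and shows
each affected line in logical (parse) order with the controls made visible.
"""
from dataclasses import dataclass
from typing import Dict, List

# Explicit directional formatting characters from the Unicode Bidirectional
# Algorithm (UAX #9). Embeddings/overrides are closed by PDF, isolates by
# PDI; all of them are implicitly closed at the end of the paragraph (line),
# which is why an attacker can leave them open to reorder the rest of a line.
BIDI_CONTROLS: Dict[str, str] = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",
    "\u202c": "PDF",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
EMBED_OPENERS = {"LRE", "RLE", "LRO", "RLO"}
ISOLATE_OPENERS = {"LRI", "RLI", "FSI"}


@dataclass
class Finding:
    line: int        # 1-based line number
    col: int         # 1-based column in logical (code point) order
    name: str        # UAX #9 short name, e.g. "RLO"
    codepoint: str   # e.g. "U+202E"


def find_bidi_controls(text: str) -> List[Finding]:
    """Return every bidi control in `text` with its logical position."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name:
                findings.append(Finding(lineno, col, name, f"U+{ord(ch):04X}"))
    return findings


def has_unterminated_controls(line: str) -> bool:
    """True if a line opens an embedding/override/isolate it never closes.

    Simple depth count rather than the full UAX #9 stack (hypothetical
    heuristic for this example): Trojan Source payloads typically leave
    their controls open so the reordering runs to the end of the line.
    """
    embed = isolate = 0
    for ch in line:
        name = BIDI_CONTROLS.get(ch)
        if name in EMBED_OPENERS:
            embed += 1
        elif name == "PDF":
            embed = max(embed - 1, 0)
        elif name in ISOLATE_OPENERS:
            isolate += 1
        elif name == "PDI":
            isolate = max(isolate - 1, 0)
    return embed + isolate > 0


def logical_view(line: str) -> str:
    """Render a line in the order a compiler reads it, controls made visible."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c
                   for c in line)


def report(text: str) -> List[str]:
    """One human-readable report entry per source line containing controls."""
    by_line: Dict[int, List[Finding]] = {}
    for f in find_bidi_controls(text):
        by_line.setdefault(f.line, []).append(f)
    lines = text.splitlines()
    out = []
    for lineno in sorted(by_line):
        names = ", ".join(f"{f.name}({f.codepoint})@{f.col}"
                          for f in by_line[lineno])
        flag = " UNTERMINATED" if has_unterminated_controls(lines[lineno - 1]) else ""
        out.append(f"line {lineno}:{flag} {names}\n    "
                   f"{logical_view(lines[lineno - 1])}")
    return out


# Constructed sample (not from the advisory) modelled on the "commenting-out"
# Trojan Source pattern: in logical order the whole first line is a comment,
# so the isAdmin check never executes and the printf runs unconditionally,
# while a bidi-aware renderer can display the line as if the check were live.
SAMPLE_C = (
    "/*\u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    '    printf("You are an admin.\\n");\n'
    "/* end admins only \u202e { \u2066*/\n"
)

if __name__ == "__main__":
    for entry in report(SAMPLE_C):
        print(entry)
```

Run against a diff or a checkout, the same `report` output is what a
reviewer needs to see before merging: the logical view is the text the
compiler will parse, and any line flagged UNTERMINATED deserves a close
look even when the rendered code reads as harmless.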



Support

If you did not receive an email for this advisory and you wish to
receive such emails in the future go to https://my.atlassian.com/email
and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, check our
Frequently asked questions for CVE-2021-42574, or raise a support
request at https://support.atlassian.com/.



References

Security Bug Fix Policy

As per our new policy, high severity security bug fixes will be
backported in accordance with
https://www.atlassian.com/trust/security/bug-fix-policy. We will release
new maintenance releases for the versions covered by the policy instead
of binary patches.

Binary patches are no longer released.


Severity Levels for Security Issues

Atlassian security advisories include a severity level and a CVE
identifier. This severity level is based on our self-calculated CVSS
score for each specific vulnerability. CVSS is an industry standard
vulnerability metric. You can also learn more about CVSS at FIRST.org.


Atlassian Support End of Life Policy

Our end of life policy varies for different products. Please refer to
our EOL Policy for details.

Last modified on Nov 2, 2021


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================





