=====================================================================
CERT-Renater Information Note No. 2023/VULN521
_____________________________________________________________________

DATE                 : 08/12/2023
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Automation for Jira (A4J)
                       Marketplace App, Automation for Jira (A4J) -
                       Server Lite Marketplace App, Bitbucket Data
                       Center and Server, Confluence Data Center and
                       Server, Confluence Cloud Migration App (CCMA),
                       Jira Core Data Center and Server, Jira Software
                       Data Center and Server, Jira Service Management
                       Data Center and Server.
=====================================================================

https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-impacts-multiple-products-1296171009.html
_____________________________________________________________________

CVE-2022-1471 - SnakeYAML library RCE Vulnerability impacts Multiple Products

Summary
  CVE-2022-1471 - SnakeYAML library RCE Vulnerability impacts Multiple Products

Advisory Release Date
  Tue, Dec 05 2023 21:00 PST

Products
  Automation for Jira app (including Server Lite edition)
  Bitbucket Data Center
  Bitbucket Server
  Confluence Data Center
  Confluence Server
  Confluence Cloud Migration App
  Jira Core Data Center
  Jira Core Server
  Jira Service Management Data Center
  Jira Service Management Server
  Jira Software Data Center
  Jira Software Server

CVE ID
  CVE-2022-1471

Summary of Vulnerability

Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).

Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
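The following is an added example, not code from the advisory or from Atlassian, for teams that embed SnakeYAML in their own plugins or services: it loads untrusted YAML through SafeConstructor, which only builds standard YAML types and refuses any global "!!" tag naming a Java class (the default Constructor resolving such tags to arbitrary classes is what CVE-2022-1471 concerns). It assumes SnakeYAML 2.x on the classpath; the two YAML documents are constructed samples.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/** Hardened YAML loading for untrusted input (constructed example, SnakeYAML 2.x assumed). */
public final class SafeYamlLoader {

    // SafeConstructor builds only standard YAML types (maps, lists, scalars, timestamps).
    // Unlike the default Constructor it never resolves a "!!fully.qualified.ClassName"
    // tag to a Java class, so tagged input cannot instantiate application classes.
    private static Yaml hardenedYaml() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);    // reject ambiguous documents outright
        opts.setMaxAliasesForCollections(50); // cap alias expansion (billion-laughs style DoS)
        return new Yaml(new SafeConstructor(opts));
    }

    /** Parses YAML from an untrusted source; throws YAMLException on unsafe or malformed input. */
    public static Map<String, Object> load(String yamlText) {
        Object root = hardenedYaml().load(yamlText);
        if (!(root instanceof Map)) {
            throw new YAMLException("expected a mapping at the document root");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) root;
        return map;
    }

    public static void main(String[] args) {
        // Constructed sample 1: a benign configuration document.
        String benign = "name: demo\nretries: 3\nhosts: [a, b]\n";
        System.out.println("benign document -> " + load(benign));

        // Constructed sample 2: a document carrying a global tag that names a Java class.
        // java.util.Date is harmless; the point is that SafeConstructor refuses *any* tagged class.
        String tagged = "when: !!java.util.Date {}\n";
        try {
            load(tagged);
            System.out.println("UNEXPECTED: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("tagged document rejected: " + e.getMessage());
        }
    }
}
```

Upgrading the bundled library (or the product versions listed below) remains the fix; this pattern is for code you ship yourself that parses YAML from users or remote systems.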
Severity

Atlassian rates the severity level of this vulnerability as critical (9.8 with the following vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) per our internal assessment. This is our assessment, and you should evaluate its applicability to your own IT environment.

Affected Versions

This RCE (Remote Code Execution) vulnerability affects all versions listed in the table below. Atlassian recommends patching to the latest version or a fixed LTS version.

Product: Automation for Jira (A4J) Marketplace App
         Automation for Jira (A4J) - Server Lite Marketplace App
Affected Versions:
  9.0.1, 9.0.0, <= 8.2.2

Product: Bitbucket Data Center and Server
Affected Versions:
  7.17.x, 7.18.x, 7.19.x, 7.20.x,
  7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.21.8,
  7.21.9, 7.21.10, 7.21.11, 7.21.12, 7.21.13, 7.21.14, 7.21.15,
  8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x, 8.6.x, 8.7.x,
  8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.8.5, 8.8.6,
  8.9.0, 8.9.1, 8.9.2, 8.9.3,
  8.10.0, 8.10.1, 8.10.2, 8.10.3,
  8.11.0, 8.11.1, 8.11.2,
  8.12.0

Product: Confluence Data Center and Server
Affected Versions:
  6.13.x, 6.14.x, 6.15.x,
  7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x, 7.7.x, 7.8.x, 7.9.x,
  7.10.x, 7.11.x, 7.12.x,
  7.13.0, 7.13.1, 7.13.2, 7.13.3, 7.13.4, 7.13.5, 7.13.6, 7.13.7, 7.13.8,
  7.13.9, 7.13.10, 7.13.11, 7.13.12, 7.13.13, 7.13.14, 7.13.15, 7.13.16,
  7.13.17,
  7.14.x, 7.15.x, 7.16.x, 7.17.x, 7.18.x,
  7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 7.19.6, 7.19.7, 7.19.8,
  7.19.9,
  7.20.x,
  8.0.x, 8.1.x, 8.2.x,
  8.3.0

Product: Confluence Cloud Migration App (CCMA)
Affected Versions:
  Plugin versions lower than 3.4.0.

Product: Jira Core Data Center and Server
         Jira Software Data Center and Server
Affected Versions:
  9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9,
  9.4.10, 9.4.11, 9.4.12,
  9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.x, 9.10.x,
  9.11.0, 9.11.1

Product: Jira Service Management Data Center and Server
Affected Versions:
  5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9,
  5.4.10, 5.4.11, 5.4.12,
  5.5.x, 5.6.x, 5.7.x, 5.8.x, 5.9.x, 5.10.x,
  5.11.0, 5.11.1

What You Need To Do

Atlassian recommends that you patch each of your affected product installations to the latest version or one of the listed fixed versions below.
Product: Automation for Jira (A4J) Marketplace App
         Automation for Jira (A4J) - Server Lite Marketplace App
Action:
  Patch to the following fixed versions or later: 9.0.2, 8.2.4
  Mitigation(s): Upgrade via the Universal Plugin Manager (UPM). See
  breaking changes in A4J 9.0+ for more info.

Product: Bitbucket Data Center and Server
Action:
  Patch to the following fixed versions or later:
    7.21.16 (LTS)
    8.8.7
    8.9.4 (LTS)
    8.10.4
    8.11.3
    8.12.1
    8.13.0
    8.14.0
    8.15.0 (Data Center Only)
    8.16.0 (Data Center Only)
  Mitigation(s): There is no mitigation for this vulnerability. Please
  upgrade immediately.

Product: Confluence Data Center and Server
Action:
  Patch to the following fixed versions or later:
    7.19.17 (LTS)
    8.4.5
    8.5.4 (LTS)
    8.6.2 (Data Center Only)
    8.7.1 (Data Center Only)
  Fixed in the following versions: The fix is contained in 7.13.18,
  7.19.10, and 8.3.1; however, these versions also contain previously
  communicated security vulnerabilities.
  Mitigation(s): There is no mitigation for this vulnerability. Please
  upgrade immediately.

Product: Confluence Cloud Migration App (CCMA)
Action:
  Patch to the following fixed version or later: 3.4.0
  Mitigation(s): There is no mitigation for this vulnerability. Please
  upgrade immediately.

Product: Jira Core Data Center and Server
         Jira Software Data Center and Server
Action:
  Patch to the following fixed versions or later:
    9.11.2
    9.12.0 (LTS)
    9.4.14 (LTS)
  Mitigation(s): If you are unable to upgrade your product instance to a
  fixed version, you can completely mitigate this vulnerability by
  upgrading your Automation for Jira (A4J) app to a fixed version via the
  Universal Plugin Manager (UPM). See breaking changes in A4J 9.0+ for
  more info (also bundled with Jira 9.11+).

Product: Jira Service Management Data Center and Server
Action:
  Patch to the following fixed versions or later:
    5.11.2
    5.12.0 (LTS)
    5.4.14 (LTS)
  Upgrading Jira to a fixed version is also required.
  Mitigation(s): If you are unable to upgrade your product instance to a
  fixed version, you can completely mitigate this vulnerability by
  upgrading your Automation for Jira (A4J) app to a fixed version via the
  Universal Plugin Manager (UPM). See breaking changes in A4J 9.0+ for
  more info (also bundled with JSM 5.11+).

For a full description of the latest versions, see the release notes for your product below.

  Automation for Jira (A4J) Marketplace App
  Bitbucket Data Center and Server
  Confluence Data Center and Server
  Confluence Cloud Migration App (CCMA)
  Jira Core Data Center and Server
  Jira Service Management Data Center and Server
  Jira Software Data Center and Server

You can download the latest version for your product from the download center:

  Automation for Jira (A4J) Marketplace App (Jira/JSW 9+ & JSM 5+: upgrade via Universal Plugin Manager (UPM))
  Automation for Jira (A4J) - Server Lite Marketplace App
  Bitbucket Data Center and Server
  Confluence Data Center and Server
  Confluence Cloud Migration App (CCMA)
  Jira Core Data Center and Server
  Jira Service Management Data Center and Server
  Jira Software Data Center and Server

Related Tickets

  BSERV-14528
  CONFSERVER-91463
  JSWSERVER-24756
  JSDSERVER-14906

Frequently Asked Questions

More details can be found on the Frequently Asked Questions (FAQ) page.

Support

If you did not receive an email for this advisory, and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Tech Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/contact/#/.

References

Security Bug Fix Policy

As per our new policy, critical security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released.
Security Levels for Security Issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.

Last modified on Dec 6, 2023

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================