Regarding the recently announced critical security advisory for CVE-2022-0540 regarding Authentication bypass in JIRA Server, is this still a critical vulnerability if the JIRA instance is confined to the internal network only and is not accessible from the internet?
That's a question only you and your org's security team (if you have one) can answer for sure. If you trust everyone with access to your internal network, then it may not be so critical for you because only people on your internal network would be able to exploit it.
On the FAQ, we have added an answer to that question as well:
My instance isn't exposed to the Internet. Is an upgrade still recommended?
Yes! While ensuring instances are not exposed to the public internet greatly reduces the attack surface, we always recommend upgrading when security fixes are available. We try to provide as much information as possible so that customers can determine the scope (e.g. affected products, and in this case, affected apps) and impact. It's ultimately up to each customer to consider this information when determining whether mitigating factors, like no external access to the instance, reduces the risk to their business enough to defer installing an upgrade.
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event