CVE-2022-42889

Jan Milata October 20, 2022

Hello,

I would like to ask you (in general) which applications from Atlassian platform are impacted by vulnerability CVE-2022-42889 and what is the statement from Atlassian.

Thank you a lot.

Jan

3 answers

1 accepted


2 votes
Answer accepted
Alex Koxaras _Relational_
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
October 21, 2022

Hi @Jan Milata

Please take a look at this https://community.atlassian.com/t5/Confluence-questions/Does-Confluence-server-7-13-7-use-Apache-Commons-Text-v-1-5-1-9/qaq-p/2167474 where a member of the Atlassian team replies. Currently Atlassian is investigating.

Jan Milata October 21, 2022

Hi Alex,

Thank you. I found this discussion earlier and also regarding Bamboo (https://community.atlassian.com/t5/Bamboo-questions/Does-Atlassian-bamboo-server-7-2-4-use-Apache-Commons-Text-ver-1/qaq-p/2165500).

I am looking for statement for all Atlassian applications in general.

Jan

Alex Koxaras _Relational_
Community Leader
October 21, 2022

@Jan Milata there isn't one yet. I would suggest to watch this page https://www.atlassian.com/trust/security/advisories for any news concerning CVEs affecting Atlassian products

Jan Milata October 21, 2022

I'm already monitoring that, but it is updated according to fixes (till August 2022 currently). Customers want to know impacts earlier than with patch.

Alex Koxaras _Relational_
Community Leader
October 21, 2022
Jan Milata October 21, 2022

Thank you for the recommendation.

Viktor Hulmik
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
October 24, 2022

Hello @Alex Koxaras _Relational_ , I would like to ask regarding jira datacenter if the CVE-2022-42889 is affecting it. Need similar confirmation to bamboo or confluence which was given out but nothing for jira yet. Need this for our security colleagues as this is marked as a high vulnerability.

Thank you very much
Regards
Viktor

Alex Koxaras _Relational_
Community Leader
October 24, 2022
Viktor Hulmik
I'm New Here
October 25, 2022

Thanks @[deleted] but that does not really tell me if the jira software datacenter is being affected and we need to hotfix something urgently...

I could not find anything in the manifest regarding the 'text' or 'common' here:

https://packages.atlassian.com/maven/repository/public/com/atlassian/jira/jira-software-application/8.20.13/jira-software-application-8.20.13.pom

But we do have the .jar file which is affected in binaries.

Will wait for additional information.

Thank you

Alex Koxaras _Relational_
Community Leader
October 25, 2022

@Viktor Hulmik you can't find anything, because Atlassian still didn't release a statement yet! How are you going to hotfix something if you don't know that something needs to be fixed? Kindly wait for Atlassian's response.

Monty October 26, 2022

I've opened a support ticket requesting official response for Jira. What I got as a response from support was "Our security team has completed review of the vulnerability and confirmed that Jira is not vulnerable as it does not use the StringSubstitutor interpolator.".

My investigation has found that there are 4 different versions in our 8.22.6 install.
Jira Core: commons-text-1.6.jar
Atlassian Navigation Links Plugin: commons-text-1.5.jar
[Atlassian] Opensocial Plugin: commons-text-1.7.jar
Atlassian OAuth Service Provider Plugin: commons-text-1.9.jar

@atlassian- although the "calls/interops" aren't used, the vulnerable libs are still in the application and could potentially be used as an attack vector by malicious actors.

Like the Log4j CVE, this needs to be addressed and the impacted libs need to be updated to 1.10.0.

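The inventory Monty and Viktor did by hand (which commons-text versions sit in the install, loose and inside plugin jars) can be scripted. This is an added example, not Atlassian tooling or anything posted in the thread: it walks an install directory for commons-text-<version>.jar files, also one level inside plugin archives, and flags the 1.5 to 1.9 range the thread lists as vulnerable against the 1.10.0 fix it names; the directory layout it builds is invented for the demo.

```python
"""Hypothetical commons-text inventory scanner (added example, not Atlassian tooling)."""
import os, re, tempfile, zipfile

# The thread names 1.5-1.9 as the affected versions and 1.10.0 as the fix.
AFFECTED_FROM, FIXED_VERSION = (1, 5, 0), (1, 10, 0)
JAR_RE = re.compile(r"commons-text-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'1.9' or '1.10.0' -> 3-tuple, so comparisons are numeric rather than lexical."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version_text):
    return AFFECTED_FROM <= parse_version(version_text) < FIXED_VERSION

def scan_tree(root):
    """(location, version, affected) for every commons-text jar under root, including
    jars bundled one level deep inside plugin archives (.jar/.obr)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = JAR_RE.search(name)
            if m:
                findings.append((path, m.group(1), is_affected(m.group(1))))
            elif name.endswith((".jar", ".obr")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for entry in zf.namelist():
                        m = JAR_RE.search(entry)
                        if m:
                            findings.append((path + "!" + entry, m.group(1), is_affected(m.group(1))))
    return findings

def build_sample(base):
    """Constructed layout (paths invented): one loose jar plus a plugin bundling two more."""
    lib = os.path.join(base, "WEB-INF", "lib")
    plugins = os.path.join(base, "WEB-INF", "atlassian-bundled-plugins")
    os.makedirs(lib)
    os.makedirs(plugins)
    open(os.path.join(lib, "commons-text-1.6.jar"), "wb").close()
    with zipfile.ZipFile(os.path.join(plugins, "some-plugin.jar"), "w") as zf:
        zf.writestr("META-INF/lib/commons-text-1.9.jar", b"")
        zf.writestr("META-INF/lib/commons-text-1.10.0.jar", b"")

def demo():
    """Scan the constructed tree; returns sorted (version, affected) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return sorted((v, bad) for _, v, bad in scan_tree(tmp))
```

A hit means the vulnerable code is present, which is what scanners and auditors will report; whether it is reachable (the support team's point about the StringSubstitutor interpolator) is a separate question that the file listing cannot answer.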
0 votes
Monty November 7, 2022

Ticket has been created for tracking...

[JRASERVER-74501] Upgrade Apache Commons-text for CVE-2022-42889

Would suggest watching, voting, and posting all updates/questions to the above ticket. 

0 votes
el_schalo November 6, 2022

Three weeks later, I still could not find any statement from Atlassian on the CRITICAL (score 9.8!) Text4Shell vulnerability CVE-2022-42889 - especially not on Atlassian Security Board nor the Atlassian Security Advisories.
But at least the latest Jira 8 (v8.22.6) is affected: our OPS is going to shut down our JIRA instance due to findings of commons-text in the vulnerable versions 1.5, 1.6, 1.7, and 1.9!
So why doesn't Atlassian take care of this problem?

el_schalo November 6, 2022

BTW: there are only two "Jira" Jira-Issues by now - one for Bamboo, the other for Bitbucket. Both are claiming not to be affected. Still no Jira Software bug report for this issue?

Unfortunately, I can't create one on https://support.atlassian.com/ since our Jira instance is self-hosted.

Who can?!