Hello,
I would like to ask you (in general) which applications from Atlassian platform are impacted by vulnerability CVE-2022-42889 and what is the statement from Atlassian.
Thank you a lot.
Jan
Hi @Jan Milata
Please take a look at this https://community.atlassian.com/t5/Confluence-questions/Does-Confluence-server-7-13-7-use-Apache-Commons-Text-v-1-5-1-9/qaq-p/2167474 where a member of the Atlassian team replies. Currently Atlassian is investigating.
Hi Alex,
Thank you. I found this discussion earlier and also regarding Bamboo (https://community.atlassian.com/t5/Bamboo-questions/Does-Atlassian-bamboo-server-7-2-4-use-Apache-Commons-Text-ver-1/qaq-p/2165500).
I am looking for a statement for all Atlassian applications in general.
Jan
@Jan Milata there isn't one yet. I would suggest to watch this page https://www.atlassian.com/trust/security/advisories for any news concerning CVEs affecting Atlassian products
I'm already monitoring that, but it is updated according to fixes (up to August 2022 currently). Customers want to know the impact earlier than with the patch.
Maybe then this will help https://confluence.atlassian.com/security/articles-951406100.html
Hello @Alex Koxaras _Relational_ , I would like to ask whether CVE-2022-42889 is affecting Jira Data Center. I need a confirmation similar to the one given for Bamboo or Confluence, but there is nothing for Jira yet. I need this for our security colleagues as this is marked as a high vulnerability.
Thank you very much
Regards
Viktor
Thanks @[deleted] but that does not really tell me if Jira Software Data Center is being affected and whether we need to hotfix something urgently...
I could not find anything in the manifest regarding the 'text' or 'common' here:
https://packages.atlassian.com/maven/repository/public/com/atlassian/jira/jira-software-application/8.20.13/jira-software-application-8.20.13.pom
But we do have the .jar file which is affected in binaries.
Will wait for additional information.
Thank you
@Viktor Hulmik you can't find anything because Atlassian still hasn't released a statement yet! How are you going to hotfix something if you don't know what needs to be fixed? Kindly wait for Atlassian's response.
I've opened a support ticket requesting an official response for Jira. What I got as a response from support was: "Our security team has completed review of the vulnerability and confirmed that Jira is not vulnerable as it does not use the StringSubstitutor interpolator."
My investigation has found that there are 4 different versions in our 8.22.6 install.
Jira Core: commons-text-1.6.jar
Atlassian Navigation Links Plugin: commons-text-1.5.jar
[Atlassian] Opensocial Plugin: commons-text-1.7.jar
Atlassian OAuth Service Provider Plugin: commons-text-1.9.jar
@atlassian - although the "calls/interops" aren't used, the vulnerable libs are still in the application and could potentially be used as an attack vector by malicious actors.
Like the Log4j CVE, this needs to be addressed and the impacted libs need to be updated to 1.10.0.
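The post above lists four commons-text jars found by hand in an 8.22.6 install, one in Jira Core and three bundled inside plugins. The following script is an added example (not Atlassian's tooling, and not code from this thread) that automates that inventory for a defender: it walks an install tree, finds commons-text jars both on disk and nested inside plugin jars, reads the version Maven records in the jar's pom.properties (falling back to the filename), and flags anything below 1.10.0, the release in which Apache disabled the RCE-capable interpolators. The sample install it builds in a temp directory is constructed for the demo; the plugin directory name and jar names are illustrative, not taken from a real Jira install.

```python
"""Inventory Apache Commons Text jars under an application install and flag
versions below 1.10.0 (CVE-2022-42889 fix release).

Added example for this thread; not Atlassian code. Paths in the sample tree
are constructed for illustration.
"""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Commons Text 1.10.0 disabled the script/dns/url interpolators by default.
FIXED_VERSION = (1, 10, 0)
JAR_NAME_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)+)\.jar$")
# Maven-built jars record their coordinates here; preferred over the filename.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"


@dataclass(frozen=True)
class Finding:
    location: str      # file path; nested entries use "outer.jar!/inner/path"
    version: tuple
    vulnerable: bool


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version):
    return version < FIXED_VERSION


def version_from_jar(data, filename):
    """Version from pom.properties if present, else parsed from the filename."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if POM_PROPS in zf.namelist():
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1].strip())
    except zipfile.BadZipFile:
        pass
    m = JAR_NAME_RE.match(filename)
    return parse_version(m.group(1)) if m else None


def scan_jar_bytes(data, location):
    """Report commons-text at `location`, or commons-text jars bundled inside it."""
    findings = []
    if JAR_NAME_RE.match(os.path.basename(location)):
        v = version_from_jar(data, os.path.basename(location))
        findings.append(Finding(location, v, is_vulnerable(v)))
        return findings
    try:  # plugin jars (e.g. Atlassian bundled plugins) carry libs under META-INF/lib
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if JAR_NAME_RE.match(os.path.basename(entry)):
                    findings.extend(scan_jar_bytes(zf.read(entry), f"{location}!/{entry}"))
    except zipfile.BadZipFile:
        pass  # not a zip; nothing to inspect
    return findings


def scan_tree(root):
    """Walk an install directory and collect every commons-text finding."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".jar"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_jar_bytes(fh.read(), os.path.relpath(path, root)))
    return sorted(findings, key=lambda f: f.location)


def _write_jar(path, entries):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_install(root):
    """Constructed sample tree: one core jar, one plugin-bundled jar, one fixed jar."""
    _write_jar(os.path.join(root, "lib", "commons-text-1.6.jar"),
               {POM_PROPS: b"version=1.6\nartifactId=commons-text\n"})
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "version=1.5\n")
    _write_jar(os.path.join(root, "atlassian-jira", "WEB-INF", "bundled-plugins", "navlinks-plugin.jar"),
               {"META-INF/lib/commons-text-1.5.jar": inner.getvalue()})
    _write_jar(os.path.join(root, "lib", "commons-text-1.10.0.jar"), {POM_PROPS: b"version=1.10.0\n"})
    return root


def demo_scan():
    """Build the constructed sample in a temp dir and scan it."""
    return scan_tree(build_sample_install(tempfile.mkdtemp()))


def report(findings):
    return [f"{'VULNERABLE (<1.10.0)' if f.vulnerable else 'ok':21} "
            f"commons-text {'.'.join(map(str, f.version))}  {f.location}" for f in findings]


if __name__ == "__main__":
    import sys
    target = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    print("\n".join(report(target)))
```

Run it with the Jira install directory as the only argument to inventory a real host; with no argument it scans the constructed sample. A finding below 1.10.0 means the library is present, which is the point raised above; whether the application reaches the interpolators is a separate question that vendor confirmation, not this script, answers.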
Official word from Apache
CVE-2022-42889: interpolations that allow RCE disabled in Commons Text 1.10.0 : Apache Security Team
Ticket has been created for tracking...
Would suggest watching, voting, and posting all updates/questions to the above ticket.
Three weeks later, I still could not find any statement from Atlassian on the CRITICAL (score 9.8!) Text4Shell vulnerability CVE-2022-42889, especially not on the Atlassian Security Board nor in the Atlassian Security Advisories.
But at least the latest Jira 8 (v8.22.6) is affected: our OPS is going to shut down our JIRA instance due to findings of commons-text in the vulnerable versions 1.5, 1.6, 1.7, and 1.9!
So why doesn't Atlassian take care of this problem?
BTW: there are only two "Jira" Jira issues by now, one for Bamboo, the other for Bitbucket. Both are claiming not to be affected. Still no Jira Software bug report for this issue?
Unfortunately, I can't create one on https://support.atlassian.com/ since our Jira instance is self-hosted.
Who can?!