CVE-2024-3094 xz/liblzma

Giampiero Celluprica April 4, 2024

Are Jira Cloud products affected by CVE-2024-3094 xz/liblzma described at the following links?

 

Description:

  • XZ Utils is a collection of open-source tools and libraries for XZ compression format present in major Linux distributions. Stable versions of most Linux distributions were not affected.
  • On Friday 29th March a Microsoft software engineer has discovered a backdoor in xz/liblzma version 5.6.0 nd 5.6.1
  • The sophisticated malicious payload that came with the affected versions of XZ Utils ran in the same process as the OpenSSH server (SSHD) and modified decryption routines in the OpenSSH server in order to allow specific remote attackers to send arbitrary payloads through SSH which will be executed before the authentication step, effectively hijacking the entire victim machine.
  • CISA recommends developers and users to downgrade XZ Utils to an uncompromised version such as XZ Utils 5.4.6 Stable (CISA - Remediation)
  • You could download and execute cve-2024-3094-detector.sh script to verify if you are vulnerable to it (Script for vulnerability detection)

1 answer

0 votes
Robert Wen_ReleaseTEAM_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
April 4, 2024

Cloud products generally are not affected because as a SaaS product, Atlassian takes care of the fixes when a CVE emerges.

Giampiero Celluprica April 4, 2024

Hi Robert,

Thanks for your answer. However, if I have correctly understood, Atlassian release a Security Bulletin (https://www.atlassian.com/trust/security/advisorieson the third Tuesday of every month, so we need to wait till 16th April to know if a patch has been applied (in case it was needed).

Due to the criticality of this vulnerability I would have expected an official communication from Atlassian in short time to let the customers know that their products were not affected or that the vulnerability was promptly fixed... 

Like Toño likes this
MattD April 4, 2024

"Stable versions of most Linux distributions were not affected."

I'd be very surprised if Atlassian had updated the OS in their Cloud hosts recently enough to run into this problem. 

But yes, it would be helpful to have an official communication from Atlassian that says "no worries, mates!"

Like # people like this

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD
PERMISSIONS LEVEL
Site Admin
TAGS
AUG Leaders

Atlassian Community Events