CVE-2024-3094 xz/liblzma

Giampiero Celluprica April 4, 2024

Are Jira Cloud products affected by CVE-2024-3094 xz/liblzma described at the following links?


Description:

  • XZ Utils is a collection of open-source tools and libraries for the XZ compression format, present in major Linux distributions. Stable versions of most Linux distributions were not affected.
  • On Friday 29th March, a Microsoft software engineer discovered a backdoor in xz/liblzma versions 5.6.0 and 5.6.1.
  • The sophisticated malicious payload that came with the affected versions of XZ Utils ran in the same process as the OpenSSH server (sshd) and modified decryption routines in the OpenSSH server in order to allow specific remote attackers to send arbitrary payloads through SSH that are executed before the authentication step, effectively hijacking the entire victim machine.
  • CISA recommends that developers and users downgrade XZ Utils to an uncompromised version such as XZ Utils 5.4.6 Stable (CISA - Remediation).
  • You could download and execute the cve-2024-3094-detector.sh script to verify whether you are vulnerable to it (Script for vulnerability detection).
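The two checks a detector script for this CVE actually has to make are (a) whether the installed xz/liblzma is one of the two backdoored releases, 5.6.0 or 5.6.1, and (b) whether liblzma is loaded into the sshd process at all, since the payload only matters there. The following is an added example, not the cve-2024-3094-detector.sh script referenced above nor anything from Atlassian; the `xz --version` and `ldd` outputs embedded in it are constructed samples, and the sshd paths it probes are assumptions. It does not do the byte-signature check of liblzma that some published detectors perform, only the version and linkage checks.

```shell
#!/bin/sh
# Added example: CVE-2024-3094 (xz/liblzma backdoor) host check.
# Not the detector script referenced in the post.

# Constructed sample of `xz --version` output on a backdoored install.
SAMPLE_XZ_VERSION_OUTPUT="xz (XZ Utils) 5.6.1
liblzma 5.6.1"

# Constructed sample of `ldd /usr/sbin/sshd` on a distro-patched sshd.
# Upstream sshd does not link liblzma; distro builds pull it in
# transitively through libsystemd, which is the path the backdoor used.
SAMPLE_LDD_OUTPUT="	linux-vdso.so.1 (0x00007fff0)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f00)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f01)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f02)"

# Constructed sample of ldd output for an sshd with no liblzma dependency.
SAMPLE_LDD_NO_LZMA="	linux-vdso.so.1 (0x00007fff0)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f00)"

# Return 0 (true) when the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if not found.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when ldd output shows liblzma among sshd's dependencies.
# Takes the ldd text as an argument so it can be exercised offline.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Run the checks against the live host. Every probe is guarded so the script
# also completes cleanly on machines without xz, ldd or sshd.
main() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null || true)")
        if [ -n "$ver" ] && xz_version_affected "$ver"; then
            echo "xz $ver: BACKDOORED release (CVE-2024-3094), downgrade to 5.4.x"
        else
            echo "xz ${ver:-unknown}: not a known-backdoored release"
        fi
    else
        echo "xz: not installed"
    fi

    # Assumed install locations for sshd; adjust for your distribution.
    for sshd in /usr/sbin/sshd /usr/local/sbin/sshd /sbin/sshd; do
        if [ -x "$sshd" ] && command -v ldd >/dev/null 2>&1; then
            if sshd_links_liblzma "$(ldd "$sshd" 2>/dev/null || true)"; then
                echo "$sshd: links liblzma (exposed if liblzma is 5.6.0/5.6.1)"
            else
                echo "$sshd: does not link liblzma"
            fi
            return 0
        fi
    done
    echo "sshd: not found in assumed locations"
}

main
```

Because each probe is guarded, the script is safe to run on a fleet through whatever orchestration you already have; a host is only at risk when both lines come back positive, an affected version and an sshd that links liblzma.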

1 answer

0 votes
Robert Wen_ReleaseTEAM_
Community Leader
April 4, 2024

Cloud products generally are not affected because as a SaaS product, Atlassian takes care of the fixes when a CVE emerges.

Giampiero Celluprica April 4, 2024

Hi Robert,

Thanks for your answer. However, if I have correctly understood, Atlassian releases a Security Bulletin (https://www.atlassian.com/trust/security/advisories) on the third Tuesday of every month, so we need to wait till 16th April to know if a patch has been applied (in case it was needed).

Due to the criticality of this vulnerability I would have expected an official communication from Atlassian within a short time to let the customers know that their products were not affected or that the vulnerability was promptly fixed...

MattD April 4, 2024

"Stable versions of most Linux distributions were not affected."

I'd be very surprised if Atlassian had updated the OS in their Cloud hosts recently enough to run into this problem. 

But yes, it would be helpful to have an official communication from Atlassian that says "no worries, mates!"

