Security advisory email on 26 Feb

Rahul Aich [Nagra]
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
February 26, 2014

Hi All

We all received an email from Atlassian on 26th Feb 2014 (yesterday) about a critical security vulnerability that affects all downloaded versions of JIRA, Confluence, Crucible, FishEye, Bamboo and Stash. The solution recommended was to upgrade to a certain release.

My question is:

- If upgrade is not an option, what are our other options?

- Do we know what the security vulnerability is, so that we can then try to fix it until we upgrade?

Rahul

2 answers

1 accepted

2 votes
Answer accepted
JohnA
Rising Star
February 26, 2014
Hi Rahul,

Assuming that you are using supported versions of our products, meaning versions that have not passed their End Of Support Life, then patches are available, but in the event that you are not using a version which can be patched then you will need to upgrade to a supported version and then patch.

The security issue is a critical vulnerability that can lead an attacker to privilege escalation, so it is an important issue that affects all customers who host their installations of our products (OnDemand customers need not worry because their instances are already upgraded to fixed versions of our applications). You didn't mention which products you are worried about so I have included links to each of the advisories below, which explain the options for the various products:


I only really work with JIRA and Confluence, but as I understand it JIRA's advisory is the most complicated because there are two other security issues that also need to be mitigated IF the application is being run on Windows. This is all described in the JIRA security advisory page linked above.

All the best,
John
Rahul Aich [Nagra]
Rising Star
February 26, 2014

Thanks John for the details. That helps.

0 votes
JohnA
Rising Star
February 26, 2014

Hi Rahul,

This is just a quick note to let you (and others) know that I am preparing an answer for your enquiry now and I will post a public comment shortly.

All the best,
John
