Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

April 2024 Security Bulletin Community Post

Hey Folks! 👋

We are back for our regularly scheduled monthly Security Bulletin for April 2024, featuring 7 Vulnerabilities for Bamboo, Confluence, Jira, and JSM. 

While we continue to work on a few things behind the scenes for our Disclosure Program, there are no notable changes to the format or functionality of the Bulletin, Portal, Jira Tickets, or Vulnerability API. 

This month's only other note/reminder is that the vulnerabilities included in monthly Security Bulletins are only for Atlassian self-managed products (Cloud products are not affected). These vulnerabilities present a lower impact than those published via Critical Security Advisories, so please take a moment to review the details of the published vulnerabilities. 

Otherwise... wow! We are about 1/3 of the way through 2024 already! How are you feeling about Atlassian Security so far in 2024? Do you have any upgrade or security-related worries? Is there anything on your wishlist for Atlassian? Our product and security folks here at Atlassian are keeping an eye on these posts, so please feel free to share any candid feedback or questions you might have! 

16 comments

Comment

Log in or Sign up to comment
Laurie Sciutti
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 16, 2024

Hi @Lee Berg ~ honestly, it's incredibly frustrating to have just upgraded only to learn we have to upgrade again.  At least this month, we only have to upgrade JSM and not Confluence.  Still....very disappointing.  😣

Like # people like this
Linux April 16, 2024

You are once again giving the misleading impression that there are no security gaps "in the cloud". As if software from the same company suddenly becomes magically free of any bugs and security flaws just because it is offered as a service...

When will you finally be honest, assign CVEs for security vulnerabilities in your cloud services and, above all, communicate them?

Like # people like this
Noni Khutane April 16, 2024

Love the disclosures but unfortunately it is very frustrating to upgrade almost every month.


Especially for customers running both Jira Software and JSM . When one is affected they are both affected.

I wish patching would be as easy as patching a single component instead of upgrading the whole thing.

Like # people like this
Bipin Brahmanandan April 16, 2024

Hello @Lee Berg ,

According to the bulletin page, Confluence version 8.5.7 is listed in both the affected and fixed versions.

However, in the linked ticket - CONFSERVER-95099, it states that 8.57 is the fixed version.

Please review the documentation and make the required correction. Thank you.

Like # people like this
Rohit Paul April 16, 2024

Why isn't CONFSERVER-94957 mentioned in today's published Bulletin, if that is what necessitates upgrade from Confluence 8.5.7 to 8.5.8 LTS?

Lee Berg
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 16, 2024

@Bipin Brahmanandan - Great Catch! We've removed 8.5.7 from the affected column. We had this left over from an older draft as we had a ticket that turned out to be a False Positive. Thank you for your diligence and letting us know!

Lee Berg
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 16, 2024

Hey - @Rohit Paul 

Unfortunately that ticket was inadvertently published. The data in that JAC ticket is incorrect and Confluence is NOT affected. We excluded this ticket from the bulletin purposefully but somehow it was published via automation despite being on our exclusion list We've since unpublished that JAC ticket - Please ignore and thanks for letting us know!

Sam
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
April 16, 2024

Could you please confirm whether JSM 5.4.18 is alright, because the details are varying in fixed versions and affected version from the bulletin to ticket and to CVE-2023-52428

Lee Berg
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 16, 2024

Hey Sam!  Sorry I am unable to @ you...

The team just reviewed the details on this ticket and I would direct you to the following comment for clarity:  https://jira.atlassian.com/browse/JSDSERVER-15248

For those relying on 5.4 LTS, the fix was delivered on 5.4.19 bugfix version.
Upgrading to version 5.4.19 or higher (such as 5.4.20) is advised.

Zac Boyd April 16, 2024

Hi, 
Just wanting to see if Jira SM 9.12.7 (Lts) is meant to be in the fixed versions?
You specifically call it out in Jira Software "9.12.6 to 9.12.7 (LTS)" but only 9.12.6 for SM.

Appreciate the alerts that we now are getting for any CVE.

CVE question.png

Like # people like this
D_ van den IJssel April 17, 2024

@Lee Berg 

Kudos voor the bulletins!

Can you give me more information about:

  • the status regarding the product Bitbucket Data Center and Server? It isn't part of this bulletin.
  • why the March Bulletin mentioned the vulnerability CVE-2024-21634 not for Jira and Confluence? The CVE was published on 1st of march '24.

Thanks & krgds!

@Lee Berg maybe overlooked...is it possible to clearify? Thanks!

HAEGELIN Sacha April 17, 2024

Hi @Lee Berg ,
Can you please ensure Confluence server 8.5.5 is listed in affected release and not only 8.5.0 it would be helpful for searaching ....
[CONFSERVER-95099] DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Confluence Data Center and Server - Create and track feature requests for Atlassian products.2024-04-17_10h03_49.png

makes no results but.... 

2024-04-17_10h08_10.png

 

We already discussed this a few weeks ago and hoped you would consider it once for all :-(
It would be really great to have reliable information....

Emanuel Dietrich
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
April 17, 2024

To be honest it's getting worse, from one bulletin to another ...

You list "new" fixes for versions which were already part of last bulletin (versions/releases don't change their contents over time, or at least they shouldn't) - why ?
Are Atlassians internal processes broken - was CVE-2024-21634 planned to publish in the march bulletin, and you forgot about it ?

You released new Bugfix LTS Versions for Jira SM & SW (9.4.20/5.4.20; 9.12.7/5.12.7) on 11-Apr-2024 and the release notes state the following: "this release patches security vulnerabilities and doesn't resolve any public issues. [...]" - Do we have to wait for the next Bulletin, to see which security issues are fixed and which not ?
So why are these fixes not included/listed in the April-Bulletin ?
--> Release Date Bug-/Security-fix Versions 11-Apr < Security Bulletin released on April 15.
Even though it's not the smartest idea - I'll give you the excuse that it might was necessary to wait for 9.15.1 (to list it as fixed version in the latest Version (Bugfix Policy)).

Another annoying thing - In case of dependency vulnerabilities, Atlassian most of the time only provides a "copy-paste" text of description and evaluation of the vulnerability from the official CVE record - so no one knows if a vulnerability is even exploitable in the application context.

Overall - For us there is no possibility of planning (at least for Jira SW/SM this time) - should we update to the latest bugfix versions (9.4.20/5.4.20; 9.12.7/5.12.7) now, should we wait ~ 4 more weeks as within this time frame there will be most likely a new release, which could also contain security fixes which might also part of the may bulletin, will these have a high impact to the application (and not only in it's "raw" form of a libary) - We don't know... :/ 

Like # people like this
Tugs Parra
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
April 18, 2024

This upgrade and upgrade again and upgrade again paradigm works for more nimble organizations, but when your business requirements dictate you go from LTS to LTS version and learn the upgrade notes didn't point to the right minor revision of the software to go around those bugs, you have failed as a vendor. For example - our last LTS upgrade in Jira DC was 8.x to 9.12.1 per the upgrade path notes, yet none of them covered the email bugs or security fixes for 9.12.X and now our organization is being heavily impacted by this. 

This simply isn't viable for a Jira instance being maintained at 99.99% uptime, which we do. We deeply appreciate and use your security releases - these are a step in the right direction! Can the upstream processes feeding into this and the upgrade notes please be thoroughly reviewed and adjusted? Thanks!

 

Like # people like this
Ronald Moises
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
April 22, 2024

Had issues upgrading Confluence Data Center 8.8.1 to 8.9.0. 

 

com.hazelcast.nio.serialization.HazelcastSerializationException: There is no suitable de-serializer for type 1485060. This exception is likely caused by differences in the serialization configuration between members or between clients and members.

Lee Berg
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 24, 2024

Hey @HAEGELIN Sacha 👋


The Affected Versions Field on JAC PSV (Jira.Atlassian.com - Public Security Vulnerability) tickets are often NOT comprehensive due to on the Affected Version field having a limitation on the count of versions allowed. In many instances this has caused us to specify "Base" versions ex: 8.5.0 instead of all versions: 8.5.1, 8.5.2, 8.5.3, etc.

When Searching JAC, when using an "=" search on affected version I'd recommend searching for the base version ex: 8.5.0 instead of 8.5.5, and reviewing the fixed versions or utilizing the description details to determine if you version is affected. I know this isn't an ideal experience but if you are utilizing our Jira tickets to determine if your product is affected this will provide the best results.

Thankfully as you have seen the portal **does** have logic to properly interpret Ranges between Fixed and Affected Versions so this should not be a concern in the portal, feel free to specify you exact version!

 

TAGS
AUG Leaders

Atlassian Community Events