April 2024 Security Bulletin Community Post

Hi @Lee Berg ~ honestly, it's incredibly frustrating to have just upgraded only to learn we have to upgrade again.  At least this month, we only have to upgrade JSM and not Confluence.  Still....very disappointing.  😣

You are once again giving the misleading impression that there are no security gaps "in the cloud". As if software from the same company suddenly becomes magically free of any bugs and security flaws just because it is offered as a service...

When will you finally be honest, assign CVEs for security vulnerabilities in your cloud services and, above all, communicate them?

Love the disclosures but unfortunately it is very frustrating to upgrade almost every month.

Especially for customers running both Jira Software and JSM . When one is affected they are both affected.

I wish patching would be as easy as patching a single component instead of upgrading the whole thing.

Hello @Lee Berg ,

According to the bulletin page, Confluence version 8.5.7 is listed in both the affected and fixed versions.

However, in the linked ticket - CONFSERVER-95099, it states that 8.57 is the fixed version.

Please review the documentation and make the required correction. Thank you.

Why isn't CONFSERVER-94957 mentioned in today's published Bulletin, if that is what necessitates upgrade from Confluence 8.5.7 to 8.5.8 LTS?

@Bipin Brahmanandan - Great Catch! We've removed 8.5.7 from the affected column. We had this left over from an older draft as we had a ticket that turned out to be a False Positive. Thank you for your diligence and letting us know!

Hey - @Rohit Paul 

Unfortunately that ticket was inadvertently published. The data in that JAC ticket is incorrect and Confluence is NOT affected. We excluded this ticket from the bulletin purposefully but somehow it was published via automation despite being on our exclusion list We've since unpublished that JAC ticket - Please ignore and thanks for letting us know!

Could you please confirm whether JSM 5.4.18 is alright, because the details are varying in fixed versions and affected version from the bulletin to ticket and to CVE-2023-52428

Hey Sam!  Sorry I am unable to @ you...

The team just reviewed the details on this ticket and I would direct you to the following comment for clarity:  https://jira.atlassian.com/browse/JSDSERVER-15248

For those relying on 5.4 LTS, the fix was delivered on 5.4.19 bugfix version.
Upgrading to version 5.4.19 or higher (such as 5.4.20) is advised.

Hi, 
Just wanting to see if Jira SM 9.12.7 (Lts) is meant to be in the fixed versions?
You specifically call it out in Jira Software "9.12.6 to 9.12.7 (LTS)" but only 9.12.6 for SM.

Appreciate the alerts that we now are getting for any CVE.

@Lee Berg 

Kudos voor the bulletins!

Can you give me more information about:

• the status regarding the product Bitbucket Data Center and Server? It isn't part of this bulletin.
• why the March Bulletin mentioned the vulnerability CVE-2024-21634 not for Jira and Confluence? The CVE was published on 1st of march '24.

Thanks & krgds!

@Lee Berg maybe overlooked...is it possible to clearify? Thanks!

Hi @Lee Berg ,
Can you please ensure Confluence server 8.5.5 is listed in affected release and not only 8.5.0 it would be helpful for searaching ....
[CONFSERVER-95099] DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Confluence Data Center and Server - Create and track feature requests for Atlassian products.

makes no results but.... 

We already discussed this a few weeks ago and hoped you would consider it once for all :-(
It would be really great to have reliable information....

To be honest it's getting worse, from one bulletin to another ...

You list "new" fixes for versions which were already part of last bulletin (versions/releases don't change their contents over time, or at least they shouldn't) - why ?
Are Atlassians internal processes broken - was CVE-2024-21634 planned to publish in the march bulletin, and you forgot about it ?

You released new Bugfix LTS Versions for Jira SM & SW (9.4.20/5.4.20; 9.12.7/5.12.7) on 11-Apr-2024 and the release notes state the following: "this release patches security vulnerabilities and doesn't resolve any public issues. [...]" - Do we have to wait for the next Bulletin, to see which security issues are fixed and which not ?
So why are these fixes not included/listed in the April-Bulletin ?
--> Release Date Bug-/Security-fix Versions 11-Apr < Security Bulletin released on April 15.
Even though it's not the smartest idea - I'll give you the excuse that it might was necessary to wait for 9.15.1 (to list it as fixed version in the latest Version (Bugfix Policy)).

Another annoying thing - In case of dependency vulnerabilities, Atlassian most of the time only provides a "copy-paste" text of description and evaluation of the vulnerability from the official CVE record - so no one knows if a vulnerability is even exploitable in the application context.

Overall - For us there is no possibility of planning (at least for Jira SW/SM this time) - should we update to the latest bugfix versions (9.4.20/5.4.20; 9.12.7/5.12.7) now, should we wait ~ 4 more weeks as within this time frame there will be most likely a new release, which could also contain security fixes which might also part of the may bulletin, will these have a high impact to the application (and not only in it's "raw" form of a libary) - We don't know... :/ 

This upgrade and upgrade again and upgrade again paradigm works for more nimble organizations, but when your business requirements dictate you go from LTS to LTS version and learn the upgrade notes didn't point to the right minor revision of the software to go around those bugs, you have failed as a vendor. For example - our last LTS upgrade in Jira DC was 8.x to 9.12.1 per the upgrade path notes, yet none of them covered the email bugs or security fixes for 9.12.X and now our organization is being heavily impacted by this. 

This simply isn't viable for a Jira instance being maintained at 99.99% uptime, which we do. We deeply appreciate and use your security releases - these are a step in the right direction! Can the upstream processes feeding into this and the upgrade notes please be thoroughly reviewed and adjusted? Thanks!

Had issues upgrading Confluence Data Center 8.8.1 to 8.9.0. 

com.hazelcast.nio.serialization.HazelcastSerializationException: There is no suitable de-serializer for type 1485060. This exception is likely caused by differences in the serialization configuration between members or between clients and members.

Hey @HAEGELIN Sacha 👋

The Affected Versions Field on JAC PSV (Jira.Atlassian.com - Public Security Vulnerability) tickets are often NOT comprehensive due to on the Affected Version field having a limitation on the count of versions allowed. In many instances this has caused us to specify "Base" versions ex: 8.5.0 instead of all versions: 8.5.1, 8.5.2, 8.5.3, etc.

When Searching JAC, when using an "=" search on affected version I'd recommend searching for the base version ex: 8.5.0 instead of 8.5.5, and reviewing the fixed versions or utilizing the description details to determine if you version is affected. I know this isn't an ideal experience but if you are utilizing our Jira tickets to determine if your product is affected this will provide the best results.

Thankfully as you have seen the portal **does** have logic to properly interpret Ranges between Fixed and Affected Versions so this should not be a concern in the portal, feel free to specify you exact version!