On November 1, OpenSSL published a security advisory detailing high-severity vulnerabilities in version 3.x of their library, tracked as CVE-2022-3602 and CVE-2022-3786. Atlassian kicked off the incident management process to assess the impact of these vulnerabilities across the Atlassian products, platform and ecosystem.
Are Cloud instances affected?
We are taking action to patch and mitigate the impact of this vulnerability on all Atlassian cloud products that use vulnerable versions of OpenSSL 3.x. To date, our analysis has not identified any compromise of Atlassian systems or customer data prior to patching these systems.
Is my on-premises Server/Data Center instance affected?
Investigation and assessment of the impact of this vulnerability on the Atlassian DC/Server products is continuing. We are taking action to patch and mitigate the impact of this vulnerability on all Atlassian Server and Data Center products that use vulnerable versions of OpenSSL 3.x.
Atlassian has also found that publicly provided Docker images contain a vulnerable version of OpenSSL 3.0. Atlassian is in the process of updating these images to OpenSSL version 3.0.7.
Are Atlassian Marketplace apps affected?
The Atlassian Ecosystem Security team has been actively reviewing Cloud, Data Center, and Server apps to determine if they are vulnerable to the OpenSSL vulnerability. So far, we have not discovered this vulnerability in Marketplace apps. We will continue to review apps over the next few days until we holistically cover each Marketplace app. If we discover vulnerable apps, we will report that vulnerability in the Atlassian Marketplace Security (AMS) vulnerability management tool, and assign it a “High” severity, which is in line with industry scoring.
For more information about Atlassian’s Security Bug Fix Policy, please visit Security Bug Fix Policy.
Atlassian encourages all developers and Marketplace Partners to determine if they are using a vulnerable OpenSSL version, and to immediately upgrade to OpenSSL 3.0.7, if applicable. For further information, please see the OpenSSLv3 advisory: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows - OpenSSL Blog
This advice is subject to change as new information comes to light. We will share updates here as we learn any new information.
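As an added example (not Atlassian's or OpenSSL's code), the shell function below classifies an `openssl version` banner against the affected range, which per the OpenSSL advisory is 3.0.0 through 3.0.6. The function name and the sample banners are constructed for illustration, and pre-release 3.0.0 builds are treated as affected as a conservative assumption.

```shell
#!/bin/sh
# Affected range per the OpenSSL advisory: 3.0.0 through 3.0.6 (fixed in 3.0.7).
# OpenSSL 1.x and LibreSSL do not contain the affected code.
classify_openssl_version() {
    banner=$1
    case $banner in
        LibreSSL*) echo "not-affected"; return 0 ;;
        "OpenSSL "*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # 3.x banners append "(Library: OpenSSL X.Y.Z ...)": the libcrypto actually
    # loaded at run time. Prefer it; it can differ from the CLI's own version.
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*(Library: OpenSSL \([^ )]*\).*/\1/p')
    [ -n "$ver" ] || ver=$(printf '%s\n' "$banner" | awk '{print $2}')
    ver=${ver%%[-+]*}            # drop pre-release/build suffix (3.0.0-beta1)
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')   # 1.1.1s -> 1
    case "$major.$minor.$patch" in
        *[!0-9.]*|.*|*..*|*.) echo "unknown"; return 0 ;;
    esac
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Constructed sample banners, then the local binary if one is installed.
for b in "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)" \
         "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)" \
         "OpenSSL 1.1.1s  1 Nov 2022"; do
    printf '%-14s %s\n' "$(classify_openssl_version "$b")" "$b"
done
if command -v openssl >/dev/null 2>&1; then
    local_banner=$(openssl version 2>/dev/null || true)
    printf '%-14s %s (local)\n' "$(classify_openssl_version "$local_banner")" "$local_banner"
fi
```

Run it inside each container image as well as on the host. It reports only the library the `openssl` binary is linked against, not copies of OpenSSL bundled or statically linked into other runtimes.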