On November 1, 2022, OpenSSL published a security advisory detailing two high severity vulnerabilities in the 3.0.x series of its library, tracked as CVE-2022-3602 and CVE-2022-3786. Both are buffer overflows in X.509 certificate email address (punycode) parsing; OpenSSL 3.0.0 through 3.0.6 are affected, and 3.0.7 contains the fix. Atlassian kicked off the incident management process to assess the impact of these vulnerabilities across the Atlassian products, platform and ecosystem.
Are Cloud instances affected?
We are taking action to patch and mitigate the impact of this vulnerability on all Atlassian cloud products that use vulnerable versions of OpenSSL 3.x. To date, our analysis has not identified any compromise of Atlassian systems or customer data prior to patching these systems.
Is my on-premises Server/Data Center instance affected?
Investigation and assessment of the impact of this vulnerability on the Atlassian Server and Data Center products is continuing. We are taking action to patch and mitigate the impact of this vulnerability on all Atlassian Server and Data Center products that use vulnerable versions of OpenSSL 3.x.
Atlassian has also found that its publicly provided Docker images contain a vulnerable OpenSSL 3.0.x version. Atlassian is in the process of updating these images to OpenSSL 3.0.7.
Are Atlassian Marketplace apps affected?
The Atlassian Ecosystem Security team has been actively reviewing Cloud, Data Center, and Server apps to determine whether they are exposed to the OpenSSL vulnerabilities. So far, we have not discovered this vulnerability in Marketplace apps. We will continue to review apps over the next few days until every Marketplace app has been covered. If we discover vulnerable apps, we will report that vulnerability in the Atlassian Marketplace Security (AMS) vulnerability management tool and assign it a “High” severity, which is in line with industry scoring.
For more information about Atlassian’s Security Bug Fix Policy, please visit Security Bug Fix Policy.
Atlassian encourages all developers and Marketplace Partners to determine whether they are using a vulnerable OpenSSL version (3.0.0 through 3.0.6), and to immediately upgrade to OpenSSL 3.0.7 if so. For further information, please see the OpenSSL 3.0 advisory: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows - OpenSSL Blog
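The two places this post asks you to check (the OpenSSL bundled in Docker images, and the OpenSSL a Marketplace app or developer build links against) both come down to reading an `openssl version` string and deciding whether it falls in the affected 3.0.0 to 3.0.6 range. The script below is an added example written for this post, not Atlassian tooling; the function names `openssl_affected` and `report_local_openssl` and the sample version strings are constructed for illustration. It parses the string, classifies it, and then reports on whatever `openssl` binary is on `PATH`.

```sh
#!/bin/sh
# Classify an "openssl version" output line against CVE-2022-3602 / CVE-2022-3786.
# Affected: OpenSSL 3.0.0 through 3.0.6.  Fixed: 3.0.7.  Not affected: 1.1.1 and 1.0.2.
# (Helper written for this post; not part of Atlassian's or OpenSSL's tooling.)
#
# Prints VULNERABLE (returns 0), NOT_AFFECTED (returns 1) or UNPARSEABLE (returns 2).
openssl_affected() {
    # Pull "major minor patch" out of strings such as
    #   "OpenSSL 3.0.2 15 Mar 2022"  or  "OpenSSL 1.1.1n  15 Mar 2022"
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    if [ -z "$ver" ]; then
        echo "UNPARSEABLE"
        return 2
    fi
    set -- $ver
    major=$1; minor=$2; patch=$3
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo "VULNERABLE"
        return 0
    fi
    echo "NOT_AFFECTED"
    return 1
}

# Report on the openssl CLI found on PATH.  To check a container image instead,
# feed it the output of:  docker run --rm IMAGE openssl version
# Always returns 0 so it can be called from a script running under "set -e".
report_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl CLI not on PATH; check the library your application links instead"
        return 0
    fi
    out=$(openssl version 2>/dev/null)
    verdict=$(openssl_affected "$out") || true
    echo "$out => $verdict"
    return 0
}

# Constructed sample strings, shown so the classification is visible without a shell history:
#   "OpenSSL 3.0.2 15 Mar 2022"   -> VULNERABLE
#   "OpenSSL 3.0.7 1 Nov 2022"    -> NOT_AFFECTED
#   "OpenSSL 1.1.1n  15 Mar 2022" -> NOT_AFFECTED
report_local_openssl
```

Two caveats a practitioner should keep in mind. First, the CLI on `PATH` is not necessarily the library an application loads; a product that bundles its own OpenSSL, or that uses a different TLS stack entirely, has to be checked at the binary it actually links. Second, some distributions backport the fix without bumping the upstream version string, so a "3.0.x" verdict from this script is a prompt to check the distribution package's changelog, not a final answer.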
This advice is subject to change as new information comes to light. We will share updates here as we learn any new information.
Bill Marriott
Trust & Security
Atlassian
Sydney