Atlassian's Response to the OpenSSLv3 Vulnerability

On November 1, OpenSSL published a security advisory detailing two high-severity vulnerabilities in version 3.x of their library, tracked as CVE-2022-3602 and CVE-2022-3786. Atlassian kicked off its incident management process to assess the impact of these vulnerabilities across Atlassian products, the platform, and the ecosystem.

Are Cloud instances affected?

We are taking action to patch and mitigate the impact of this vulnerability on all Atlassian cloud products that use vulnerable versions of OpenSSL 3.x. To date, our analysis has not identified any compromise of Atlassian systems or customer data prior to patching these systems.

Is my on-premises Server/Data Center instance affected?

Investigation and assessment of the impact of this vulnerability on the Atlassian DC/Server products is continuing. We are taking action to patch and mitigate the impact of this vulnerability on all Atlassian Server and Data Center products that use vulnerable versions of OpenSSL 3.x.

Atlassian has also found that its publicly provided Docker images contain a vulnerable OpenSSL 3.0 release. Atlassian is in the process of updating these images to OpenSSL 3.0.7.

Are Atlassian Marketplace apps affected?

The Atlassian Ecosystem Security team has been actively reviewing Cloud, Data Center, and Server apps to determine if they are vulnerable to the OpenSSL vulnerability. So far, we have not discovered this vulnerability in Marketplace apps. We will continue to review apps over the next few days until we holistically cover each Marketplace app. If we discover vulnerable apps, we will report that vulnerability in the Atlassian Marketplace Security (AMS) vulnerability management tool, and assign it a “High” severity, which is in line with industry scoring.

For more information about Atlassian’s Security Bug Fix Policy, please visit .

Atlassian encourages all developers and Marketplace Partners to determine if they are using a vulnerable OpenSSL version, and to immediately upgrade to OpenSSL 3.0.7, if applicable. For further information, please see the OpenSSLv3 advisory:

This advice is subject to change as new information comes to light. We will share updates here as we learn any new information.

11 comments

Casper Hjorth Christensen November 3, 2022

Hi @Bill Marriott 

Is there any update on what On-Prem Atlassian products and their versions are affected?

Yinneth Milena Gonzalez Olaya November 3, 2022

Is there any update? What are the affected products and versions?

Bill Marriott
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 3, 2022

Hi all,

We wanted to share another update on our investigation and analysis regarding any impact to Atlassian products due to vulnerabilities found in OpenSSL version 3.x.

Cloud instances

After internal review, Atlassian has determined that none of our cloud offerings directly use the vulnerable versions of OpenSSL 3.x. All related public infrastructure has also been scanned and no instances of the vulnerable versions of OpenSSL were discovered.

On-Premises Server/Data Center products

Our team has determined that our Server and Data Center products are not packaged with OpenSSL, however, the Atlassian products do use the version that is present on the host system as a dependency. Atlassian strongly recommends customers check their systems for vulnerable versions of the OpenSSL library and update to 3.0.7, if applicable. For further information, please see the OpenSSLv3 advisory: .

For customers using Docker, new images containing an update to OpenSSL 3.0.7 have been pushed to our public Atlassian Docker images. The updated image can be acquired by re-pulling the tag.

Marketplace apps

Our Ecosystem Security team has determined that Server and Data Center apps do not include vulnerable OpenSSL packages and they are not directly vulnerable.

Cloud apps developed on Forge do not include OpenSSL packages and are also not vulnerable. We continue to investigate Cloud apps developed on Connect and if we discover vulnerable apps, we will report that vulnerability in the Atlassian Marketplace Security (AMS) Jira project.

Keith November 3, 2022

Thanks for the update Bill!

Christian Bär November 7, 2022

Hello Bill,

How should I understand this: "however, the Atlassian products do use the version that is present on the host system as a dependency."

OpenSSL is not installed by default, at least on Windows systems. So how can there be a dependency?

Bill Marriott
Atlassian Team
November 7, 2022

Hi @Christian Bär , thanks for your question. Apologies, it would've been more accurate of us to say that Atlassian products may use the version that is present on the host system as a dependency.

Atlassian’s (downloadable) Server and Data Center products use the host operating system SSL Library, so if you have enabled SSL on your own installations of Atlassian products, we strongly recommend you check the OpenSSL version you have installed and apply the necessary fixes.

If you have any additional questions, please raise a support ticket at support.atlassian.com and our team will be able to assist you.

Rex November 7, 2022

@Bill Marriott We see above that the security issue has been resolved for all containers. But in newer Atlassian containers the openssl version appears as 3.0.2. Has it not been applied yet? Or is there no problem with the relevant patch applied even if the version is lower? If you have a page with related content, please share it.

ex) https://hub.docker.com/r/atlassian/bamboo


root@e87e4c576367:/var/atlassian/application-data/bamboo# openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Kalyan Kumar
Atlassian Team
November 8, 2022

Hi @Rex

The Atlassian-provided Docker images have been updated to include the latest security updates available for OpenSSL which fixes CVE-2022-3602 or CVE-2022-3786.

Depending on how the Linux distribution patches and releases these updates, you may see a different version than 3.0.7.

For Ubuntu, which some of our Docker images are based off of, the version of OpenSSL that addresses these vulnerabilities is 3.0.2-0ubuntu1.7.

You can check the installed version of OpenSSL with apt list --installed | grep openssl to confirm which version is installed.
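To make the version check from this reply concrete, here is an added example shell script (not Atlassian's or OpenSSL's code) that applies the same reasoning: it reads the openssl version line, treats only upstream 3.0.0 through 3.0.6 as affected, and for those falls back to the Debian/Ubuntu package revision to recognise a distribution backport, so a host reporting 3.0.2 is not flagged when its package is already 3.0.2-0ubuntu1.7. It assumes the Ubuntu jammy fixed revision quoted in this thread and GNU sort -V; other distributions would need their own fixed-version entry.

```shell
#!/bin/sh
# Classify an OpenSSL build against CVE-2022-3602 / CVE-2022-3786.
# Arguments:
#   $1  output of `openssl version`, e.g. "OpenSSL 3.0.2 15 Mar 2022 (...)"
#   $2  optional distro package version: either the bare Debian/Ubuntu version
#       ("3.0.2-0ubuntu1.7") or a whole `apt list --installed | grep openssl` line
# Prints one of: unaffected | patched | patched-backport | vulnerable | unknown

# Ubuntu 22.04 (jammy) package revision that carries the fix (USN-5710-1).
# Assumption: other distributions backport under different version strings and
# would need their own entry; this script only knows the Ubuntu one quoted above.
UBUNTU_FIXED_PKG="3.0.2-0ubuntu1.7"

openssl_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    pkg=$2
    [ -n "$ver" ] || { echo unknown; return; }
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    patch=${rest#*.}; patch=${patch%%.*}
    # Upstream's advisory: only OpenSSL 3.0.0 through 3.0.6 are affected.
    if [ "$major" != 3 ] || [ "$minor" != 0 ]; then echo unaffected; return; fi
    if [ "$patch" -ge 7 ]; then echo patched; return; fi
    # Reported 3.0.0-3.0.6: the distro may have backported the fix without
    # bumping the upstream number, so compare the package revision instead.
    case $pkg in
        *" "*) pkg=$(printf '%s\n' "$pkg" | awk '{print $2}') ;;  # apt list line
    esac
    if [ -n "$pkg" ] && \
       [ "$(printf '%s\n%s\n' "$UBUNTU_FIXED_PKG" "$pkg" | sort -V | head -n1)" = "$UBUNTU_FIXED_PKG" ]; then
        echo patched-backport; return
    fi
    echo vulnerable
}

# Live check on the current host, only when the tools are present.
if command -v openssl >/dev/null 2>&1; then
    pkgver=$(dpkg-query -W -f '${Version}' openssl 2>/dev/null || true)
    openssl_status "$(openssl version)" "$pkgver"
fi
```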

Rex November 8, 2022

Thanks @Kalyan Kumar :)

I also received an official response with an Atlassian support ticket and checked related materials. Thank you very much.

https://ubuntu.com/security/notices/USN-5710-1

 

root@bambooAgent:/var/atlassian/application-data/bamboo-agent# apt list --installed | grep openssl
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.7 amd64 [installed,automatic]

Dirk De Mal November 16, 2022

Hi @Kalyan Kumar

Any news on the cloud apps regarding the vulnerability?

Thx for your response.

Kind regards,

Dirk

Dave December 6, 2022

Thank you for the update(s) above...much appreciated.

Thank you,

Dave
