Regarding CVE-2023-49070

Asokan S
I'm New Here
January 2, 2024

Hi,

Does the Security vulnerability CVE-2023-49070 affect Jira Data Center running on v9.4.2? If so, is there a workaround for this security vulnerability?

Reference - https://www.bleepingcomputer.com/news/security/apache-ofbiz-rce-flaw-exploited-to-find-vulnerable-confluence-servers/

(I know that the link says Confluence, but it says in the article that Jira has this issue)

Please advise on the same.

Thanks,

Asokan

 

Bipin Brahmanandan
Contributor
January 2, 2024

I think it's best to raise an Atlassian support ticket to get the official confirmation.

SEI Information Technology January 3, 2024

From Atlassian Support:

As per the feedback from the DC products team, Atlassian doesn’t use the OfBiz framework; instead, we are using a fork of the Entity Engine module of the Apache OfBiz project. Hence, the flaw is not confirmed to affect any of the Atlassian products.

Jira uses Atlassian's fork of the Entity Engine module of the Apache OfBiz project. It is only the Entity Engine module that we use, while the vulnerability seems to be in the framework module.

Confluence does not use Apache ofbiz library/framework directly and hence is not vulnerable to CVE-2023-49070.
