
Wanted: Single Source of Truth for Public Vulnerabilities

Boris Berenberg - Atlas Authority
Rising Star
September 27, 2019

As an Atlassian Partner, we deal with customers who have a variety of applications, running at different versions, deployed in a variety of environments. The combination of factors means that they are exposed to different risks than how a security issue is evaluated within Atlassian. To better serve our clients, we work to evaluate all new security issues we come across in relation to their specific environmental factors. Earlier this week we were made aware of https://careers.tenable.com/blogs/tenable-blog-3d217a4e-277d-42b7-b180-a04ae4d88426/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in-jira by a client of ours who we're in the middle of helping to migrate to AWS. This was an embarrassing moment for us, that we were not yet aware of this issue.

To address this, we wanted to find a single source of truth for public vulnerabilities that we could subscribe to. Our initial idea was to set up a Filter Subscription in JAC, however the current model for handling security issues doesn't have a good way for us to JQL for issues made recently public. For example, we cannot use JQL such as

Security was in "Atlassian Staff" 

The best thing we have today is

comment ~ "CVSS" and project not in ("Sourcetree For Mac", "Sourcetree for Windows", atlassian-seraph, "Migration Platform", "JIRA Software Cloud", "Confluence Cloud","Jira Service Desk Cloud","Jira Cloud (including JIRA Core)", "Portfolio for JIRA Cloud",Identity,atlassian-http,"Atlassian Cloud",HipChat,"Atlassian Access") and type = bug and updated > -1d

Which works, but also pulls in more than it needs to.

We would love to see some kind of change implemented where we could rely on JAC to be able to tell us if something new has come out in the last few N amount of time.

We're currently evaluating subscribing to NVD and other feeds as well. We would love to hear feedback from Atlassian on how they believe we (or a client admin team) should be handling this.

3 comments

Matt Doar
Community Leader
September 27, 2019

I use the JQL

project = JRASERVER AND labels = advisory ORDER BY updated DESC

which produces an anonymous RSS feed of

https://jira.atlassian.com/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?jqlQuery=project+%3D+JRASERVER+AND+fixVersion+%3D+7.13.9&tempMax=1000

So the newly released issues will at least appear in my feed

David Yu
Rising Star
September 27, 2019

Recommend also keeping tabs on TweetDeck for "jira" + cve, or atlassian cve. You'll sometimes get details not found elsewhere, or hear about exploits trending from existing minor vulnerabilities. For example: https://twitter.com/samwcyo/status/1177044709396627456

Mark Adams
Atlassian Team
September 29, 2019

Hi @Boris Berenberg - Atlas Authority

I'd try using the following query:

project in (JSWSERVER, JSDSERVER, JRASERVER, JPOSERVER, CONFSERVER, BSERV, BAM, FE, CRUC, CWD, "Jira Align") and issuetype = bug AND labels = advisory ORDER BY resolutiondate DESC

That should give you a feed of all of the security advisories for our Server products as they are published.

Thanks!

Mark Adams
Sr. Product Security Engineer, Atlassian
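An added example, not code from this thread or from Atlassian, of how a partner could turn Mark's query into the same anonymous search-request XML feed that Matt's link uses and report advisories not seen on a previous poll. SAMPLE_XML, its placeholder issue keys and the seen-set are constructed assumptions; the real endpoint is only contacted by fetch_feed().

```python
"""Poll the JAC search-request XML export for newly published advisories."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

JAC = "https://jira.atlassian.com"
# Query from Mark Adams' reply above.
ADVISORY_JQL = (
    'project in (JSWSERVER, JSDSERVER, JRASERVER, JPOSERVER, CONFSERVER, BSERV, '
    'BAM, FE, CRUC, CWD, "Jira Align") and issuetype = bug AND labels = advisory '
    'ORDER BY resolutiondate DESC'
)

def feed_url(jql, max_results=1000):
    """Build the anonymous XML export URL (same endpoint shape as Matt Doar's link)."""
    params = urllib.parse.urlencode({"jqlQuery": jql, "tempMax": max_results})
    return f"{JAC}/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?{params}"

def parse_feed(xml_text):
    """Extract key, summary, link and resolution date from each <item> in the feed."""
    root = ET.fromstring(xml_text)
    return [{
        "key": item.findtext("key", ""),
        "summary": item.findtext("summary", ""),
        "link": item.findtext("link", ""),
        "resolved": item.findtext("resolved", ""),
    } for item in root.iter("item")]

def new_advisories(items, seen_keys):
    """Return feed items whose key is not in the caller's persisted seen-set."""
    return [i for i in items if i["key"] not in seen_keys]

def fetch_feed(jql=ADVISORY_JQL, timeout=30):
    """Fetch the live feed; requires network access to jira.atlassian.com."""
    with urllib.request.urlopen(feed_url(jql), timeout=timeout) as resp:
        return resp.read().decode("utf-8")

# Constructed sample in the shape the endpoint returns; the keys are placeholders, not real issues.
SAMPLE_XML = """<rss version="0.92"><channel><title>JAC</title>
<item><title>[JRASERVER-EX1] example advisory</title>
<link>https://jira.atlassian.com/browse/JRASERVER-EX1</link>
<key id="1">JRASERVER-EX1</key><summary>example advisory</summary>
<resolved>Fri, 27 Sep 2019 10:00:00 +0000</resolved></item>
<item><title>[CONFSERVER-EX2] older advisory</title>
<link>https://jira.atlassian.com/browse/CONFSERVER-EX2</link>
<key id="2">CONFSERVER-EX2</key><summary>older advisory</summary>
<resolved>Mon, 02 Sep 2019 10:00:00 +0000</resolved></item>
</channel></rss>"""

if __name__ == "__main__":
    seen = {"CONFSERVER-EX2"}  # in practice loaded from a state file between polls
    for adv in new_advisories(parse_feed(SAMPLE_XML), seen):
        print(adv["key"], adv["resolved"], adv["link"])
```

Swapping SAMPLE_XML for fetch_feed() and persisting the seen-set gives the "something new in the last N" signal the original post asks JAC for.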
