Wanted: Single Source of Truth for Public Vulnerabilities

As an Atlassian Partner, we deal with customers who have a variety of applications, running at different versions, deployed in a variety of environments. The combination of factors means that they are exposed to different risks than how a security issue is evaluated within Atlassian. To better serve our clients, we work to evaluate all new security issues we come across in relation to their specific environmental factors. Earlier this week we were made aware of https://careers.tenable.com/blogs/tenable-blog-3d217a4e-277d-42b7-b180-a04ae4d88426/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in-jira by a client of ours who we're in the middle of helping to migrate to AWS. This was an embarrassing moment for us, that we were not yet aware of this issue.

To address this, we wanted to find a single source of truth for public vulnerabilities that we could subscribe to. Our initial idea was to set up a Filter Subscription in JAC, however the current model for handling security issues doesn't have a good way for us to JQL for issues made recently public. For example, we cannot use JQL such as

Security was in "Atlassian Staff" 

The best thing we have today is

comment ~ "CVSS" and project not in ("Sourcetree For Mac", "Sourcetree for Windows", atlassian-seraph, "Migration Platform", "JIRA Software Cloud", "Confluence Cloud","Jira Service Desk Cloud","Jira Cloud (including JIRA Core)", "Portfolio for JIRA Cloud",Identity,atlassian-http,"Atlassian Cloud",HipChat,"Atlassian Access") and type = bug and updated > -1d

Which works, but also pulls in more than it needs to.

We would love to see some kind of change implemented where we could rely on JAC to be able to tell us if something new has come out in the last N amount of time.

We're currently evaluating subscribing to NVD and other feeds as well. We would love to hear feedback from Atlassian on how they believe we (or a client admin team) should be handling this.

3 comments

I use the JQL

project = JRASERVER AND labels = advisory ORDER BY updated DESC

which produces an anonymous RSS feed of

https://jira.atlassian.com/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?jqlQuery=project+%3D+JRASERVER+AND+fixVersion+%3D+7.13.9&tempMax=1000

So the newly released issues will at least appear in my feed.


Recommend also keeping tabs on tweetdeck for "jira" + cve, or atlassian cve. You'll sometimes get details not found elsewhere, or hear about exploits trending from existing minor vulnerabilities. For example: https://twitter.com/samwcyo/status/1177044709396627456

Hi @Boris Berenberg - Atlas Authority

I'd try using the following query:

project in (JSWSERVER, JSDSERVER, JRASERVER, JPOSERVER, CONFSERVER, BSERV, BAM, FE, CRUC, CWD, "Jira Align") and issuetype = bug AND labels = advisory ORDER BY resolutiondate DESC

That should give you a feed of all of the security advisories for our Server products as they are published.

Thanks!

Mark Adams
Sr. Product Security Engineer, Atlassian

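As an added example (not code from this thread or from Atlassian), here is a small Python poller for the kind of XML search-request feed shown in the first comment, fed by the advisory-label JQL Mark Adams suggests. It keeps only items that actually carry the advisory label (a CVSS- or fixVersion-based query also returns ordinary bugs) and reports only advisories resolved after a cut-off and not already triaged. The element names of the feed and the sample items are constructed assumptions, not captured from jira.atlassian.com.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the shape of a JAC issueviews:searchrequest-xml response
# (element names assumed from the Jira XML issue view; not captured from jira.atlassian.com).
SAMPLE_FEED = """<rss version="0.92"><channel>
  <item>
    <title>[JRASERVER-00001] Example advisory (constructed)</title>
    <link>https://jira.atlassian.com/browse/JRASERVER-00001</link>
    <key id="1">JRASERVER-00001</key>
    <resolved>Mon, 2 Sep 2019 10:00:00 +0000</resolved>
    <labels><label>advisory</label></labels>
  </item>
  <item>
    <title>[JRASERVER-00002] Ordinary bug, not an advisory (constructed)</title>
    <link>https://jira.atlassian.com/browse/JRASERVER-00002</link>
    <key id="2">JRASERVER-00002</key>
    <resolved>Tue, 3 Sep 2019 10:00:00 +0000</resolved>
    <labels></labels>
  </item>
  <item>
    <title>[CONFSERVER-00003] Example advisory, already triaged (constructed)</title>
    <link>https://jira.atlassian.com/browse/CONFSERVER-00003</link>
    <key id="3">CONFSERVER-00003</key>
    <resolved>Sun, 1 Sep 2019 10:00:00 +0000</resolved>
    <labels><label>advisory</label></labels>
  </item>
</channel></rss>
"""

def parse_advisories(xml_text):
    """Return [(key, resolved_datetime, link)] for items that carry the 'advisory' label."""
    found = []
    for item in ET.fromstring(xml_text).iter("item"):
        labels = {lab.text for lab in item.findall("labels/label")}
        if "advisory" not in labels:
            continue  # a fixVersion- or CVSS-based feed also returns ordinary bugs; drop them
        resolved = datetime.strptime(item.findtext("resolved"), "%a, %d %b %Y %H:%M:%S %z")
        found.append((item.findtext("key"), resolved, item.findtext("link")))
    return found

def new_advisories(xml_text, seen_keys, since_iso):
    """Advisories resolved after `since_iso` (ISO 8601 with UTC offset) and not in `seen_keys`, newest first.
    Persist `seen_keys` between runs so a re-triggered filter subscription does not re-alert."""
    since = datetime.fromisoformat(since_iso)
    fresh = [a for a in parse_advisories(xml_text) if a[0] not in seen_keys and a[1] > since]
    return sorted(fresh, key=lambda a: a[1], reverse=True)
```

In production the feed text would come from an HTTP fetch of the JAC URL with the advisory JQL; the sample string stands in for that response so the logic can be checked offline.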
