Wanted: Single Source of Truth for Public Vulnerabilities


As an Atlassian Partner, we deal with customers who have a variety of applications, running at different versions, deployed in a variety of environments. The combination of factors means that they are exposed to different risks than how a security issue is evaluated within Atlassian. To better serve our clients, we work to evaluate all new security issues we come across in relation to their specific environmental factors. Earlier this week we were made aware of https://careers.tenable.com/blogs/tenable-blog-3d217a4e-277d-42b7-b180-a04ae4d88426/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in-jira by a client of ours who we're in the middle of helping to migrate to AWS. This was an embarrassing moment for us, that we were not yet aware of this issue.

To address this, we wanted to find a single source of truth for public vulnerabilities that we could subscribe to. Our initial idea was to set up a Filter Subscription in JAC, however the current model for handling security issues doesn't have a good way for us to JQL for issues made recently public. For example, we cannot use JQL such as

Security was in "Atlassian Staff" 

The best thing we have today is

comment ~ "CVSS" and project not in ("Sourcetree For Mac", "Sourcetree for Windows", atlassian-seraph, "Migration Platform", "JIRA Software Cloud", "Confluence Cloud","Jira Service Desk Cloud","Jira Cloud (including JIRA Core)", "Portfolio for JIRA Cloud",Identity,atlassian-http,"Atlassian Cloud",HipChat,"Atlassian Access") and type = bug and updated > -1d

This works, but also pulls in more than it needs to.

We would love to see some kind of change implemented where we could rely on JAC to be able to tell us if something new has come out in the last N amount of time.

We're currently evaluating subscribing to NVD and other feeds as well. We would love to hear feedback from Atlassian on how they believe we (or a client admin team) should be handling this.


I use the JQL

project = JRASERVER AND labels = advisory ORDER BY updated DESC

which produces an anonymous RSS feed of

https://jira.atlassian.com/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?jqlQuery=project+%3D+JRASERVER+AND+fixVersion+%3D+7.13.9&tempMax=1000

So the newly released issues will at least appear in my feed.

David Yu, Rising Star, Sep 27, 2019

Recommend also keeping tabs on TweetDeck for "jira" + cve, or atlassian cve. You'll sometimes get details not found elsewhere, or hear about exploits trending from existing minor vulnerabilities. For example: https://twitter.com/samwcyo/status/1177044709396627456

Hi @Boris Berenberg - Atlas Authority

I'd try using the following query:

project in (JSWSERVER, JSDSERVER, JRASERVER, JPOSERVER, CONFSERVER, BSERV, BAM, FE, CRUC, CWD, "Jira Align") and issuetype = bug AND labels = advisory ORDER BY resolutiondate DESC

That should give you a feed of all of the security advisories for our Server products as they are published.

Thanks!

Mark Adams
Sr. Product Security Engineer, Atlassian

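The two answers above give a JQL query and the anonymous searchrequest-xml feed that JAC serves for it; the original question asked for a way to be told only about advisories published in the last N amount of time. The following Python script is an added example, not code from the thread's participants or from Atlassian: it builds the feed URL from Mark Adams's JQL using the URL shape quoted in the first comment, parses a feed document, and reports advisory issues updated within a window that were not already seen on an earlier poll. The element names it reads (item, key, title, link, updated, labels/label) follow the RSS-style layout JAC returns for searchrequest-xml, and the embedded feed is a constructed sample with made-up issue keys so the script runs offline; check both assumptions against a real export before relying on it.

```python
# Added example (not from the Atlassian Community post or from Atlassian):
# turn an advisory JQL query into a JAC searchrequest-xml feed URL, parse
# the feed, and report advisories updated within the last N days.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import quote_plus
import xml.etree.ElementTree as ET

JAC_BASE = "https://jira.atlassian.com"

# JQL from Mark Adams's reply in the thread.
ADVISORY_JQL = (
    'project in (JSWSERVER, JSDSERVER, JRASERVER, JPOSERVER, CONFSERVER, '
    'BSERV, BAM, FE, CRUC, CWD, "Jira Align") and issuetype = bug '
    'AND labels = advisory ORDER BY resolutiondate DESC'
)

# Constructed sample feed: the issue keys, titles and dates are invented.
# The element layout is an assumption modelled on JAC's searchrequest-xml output.
SAMPLE_FEED = """<rss version="0.92">
<channel>
<title>Atlassian JIRA</title>
<item>
<title>[JRASERVER-1] Constructed advisory item (sample)</title>
<link>https://jira.atlassian.com/browse/JRASERVER-1</link>
<key id="1">JRASERVER-1</key>
<type>Bug</type>
<updated>Fri, 27 Sep 2019 10:00:00 +0000</updated>
<labels><label>advisory</label></labels>
</item>
<item>
<title>[CONFSERVER-2] Constructed older advisory (sample)</title>
<link>https://jira.atlassian.com/browse/CONFSERVER-2</link>
<key id="2">CONFSERVER-2</key>
<type>Bug</type>
<updated>Mon, 02 Sep 2019 10:00:00 +0000</updated>
<labels><label>advisory</label></labels>
</item>
<item>
<title>[BSERV-3] Constructed non-advisory bug (sample)</title>
<link>https://jira.atlassian.com/browse/BSERV-3</link>
<key id="3">BSERV-3</key>
<type>Bug</type>
<updated>Fri, 27 Sep 2019 11:00:00 +0000</updated>
<labels></labels>
</item>
</channel>
</rss>
"""


def feed_url(jql, temp_max=1000):
    """Anonymous searchrequest-xml URL for a JQL query, using the jqlQuery and
    tempMax parameters shown in the URL quoted in the first comment."""
    return (f"{JAC_BASE}/sr/jira.issueviews:searchrequest-xml/temp/"
            f"SearchRequest.xml?jqlQuery={quote_plus(jql)}&tempMax={temp_max}")


def parse_feed(xml_text):
    """Parse a searchrequest-xml document into a list of issue dicts.
    Items whose <updated> date is missing or unparseable are skipped so one
    malformed entry does not abort the whole poll."""
    root = ET.fromstring(xml_text)
    issues = []
    for item in root.iter("item"):
        try:
            updated = parsedate_to_datetime(item.findtext("updated", ""))
        except (TypeError, ValueError):
            continue
        if updated.tzinfo is None:  # treat naive dates as UTC
            updated = updated.replace(tzinfo=timezone.utc)
        labels = [lab.text.strip() for lab in item.iter("label") if lab.text]
        issues.append({
            "key": item.findtext("key", "").strip(),
            "title": item.findtext("title", "").strip(),
            "link": item.findtext("link", "").strip(),
            "updated": updated,
            "labels": labels,
        })
    return issues


def recent_advisories(issues, now, days=1, seen=frozenset()):
    """Advisory-labelled issues updated within `days` of `now` whose keys are
    not in `seen` (the keys already alerted on, persisted between polls)."""
    cutoff = now - timedelta(days=days)
    return [i for i in issues
            if "advisory" in i["labels"]
            and i["updated"] >= cutoff
            and i["key"] not in seen]


if __name__ == "__main__":
    print("Feed URL:", feed_url(ADVISORY_JQL))
    now = datetime(2019, 9, 28, tzinfo=timezone.utc)  # fixed clock for the sample
    for issue in recent_advisories(parse_feed(SAMPLE_FEED), now, days=1):
        print(issue["key"], issue["updated"].date(), issue["link"])
```

In a real poller, replace SAMPLE_FEED with the body fetched from feed_url(ADVISORY_JQL), use the current UTC time as now, and persist the keys returned by recent_advisories so each advisory is raised once; filtering on the label rather than on comment text avoids the over-matching the original "comment ~ CVSS" query suffers from.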
