Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Does the vulnerability CVE-2023-51467 affect JIRA / Confluence Cloud?

fernandavalverde
fernandavalverde
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
January 2, 2024

REF CVE-2023-51467

Answer
Watch
Like Antoine Berry likes this
2604 views

1 answer

Suggest an answer

Log in or Sign up to answer
0 votes
Earl McCutcheon
Earl McCutcheon
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 3, 2024

Hello @fernandavalverde ,

I can verify that we are not using the vulnerable framework.

The confusion came when Sonicwall posted an article falsely claiming Atlassian Jira and other products were also vulnerable.

Sonicwall looks to have taken the information from this page and concluded Jira is vulnerable with a misunderstanding in versioning.

We have contacted Prodsec, looking at the code in Jira DC, Jira Cloud, Confluence DC, and Confluence Cloud to confirm that WE ARE NOT USING THE VULNERABLE FRAMEWORK. Jira only uses a fork of Apache’s OfBiz Entity Engine module, which does not include the affected areas of code. Additionally, Confluence does not use the Entity Engine module at all.

Internally we are currently working with Crisis Comms to retract to Sonicwall blog that includes our products in the affected list but there will probably still be lingering articles out there that reference the report and incorrectly list our products in relation to this vulnerability.

Regards,
Earl

View More Comments
Reply
Like
groups-icon
Trust & Security
TAGS
AUG Leaders

Atlassian Community Events

    See all events