Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring

Chihara
Chihara
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 30, 2022

Today, I find that "spring2shell" volnerabilities in https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/ .

Does anyone know that this volnerabilities affect Atlassian products such like a Jira, Confluence?

 

Thank you,

Answer
Watch
Like # people like this
2879 views

5 answers

3 accepted

Suggest an answer

Log in or Sign up to answer
1 vote
Answer accepted
Jodie Vlassis
Jodie Vlassis
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 3, 2022

Update:

Please see the latest FAQs posted over the weekend: https://confluence.atlassian.com/display/KB/FAQ+for+CVE-2022-22965

As always, you can monitor security vulnerabilities at the following link https://www.atlassian.com/trust/security/advisories

You can also report a vulnerability using this article https://www.atlassian.com/trust/security/report-a-vulnerability so Atlassian will provide an offical answer for that question.

We will continue to monitor the situation and provide a response soon.

 

Jodie

Reply
0 votes
Answer accepted
Jodie Vlassis
Jodie Vlassis
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 31, 2022

Please refer to our FAQ page, we should have a formal announcement soon: 

https://confluence.atlassian.com/kb/faq-for-cve-2022-22963-cve-2022-22965-1115149136.html

Reply
0 votes
Answer accepted
Jack Brickey
Jack Brickey
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
March 30, 2022

I would refer you to Atlassian Trust Center

and within they present security advisories advisories 

View More Comments
Reply
Chihara
Chihara
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 30, 2022

Jack,

Thank you.

But there are no updates about this "Spring2shell".

Like
Jack Brickey
Jack Brickey
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
March 30, 2022

Understand. But that is where the latest info is. You could raise a request with Atlassian Support.

Like Steve Baroti likes this
Hamish Moffatt
Hamish Moffatt
Contributor
March 31, 2022

But only updated on Wednesdays?!

Like
0 votes
Hamish Moffatt
Hamish Moffatt
Contributor
April 3, 2022

Thank you for the advisory page.

The page says that some of the server products DO use the impacted Spring version but are not vulnerable. I think it would be helpful if you could explain why they are not vulnerable. Is it because they don't use an affected JDK version or because they don't use Tomcat or something else?

Reply
0 votes
Hamish Moffatt
Hamish Moffatt
Contributor
March 31, 2022

I see Spring framework messages in the Fisheye startup logs, though it only supports JDK 8 so perhaps not an issue - apparently Spring is only vulnerable if used with Tomcat and JDK 9+.

Reply
groups-icon
Trust & Security
TAGS
AUG Leaders

Atlassian Community Events

    See all events