Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring

Chihara
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
March 30, 2022

Today I found the "spring2shell" vulnerabilities described at https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/ .

Does anyone know whether these vulnerabilities affect Atlassian products such as Jira or Confluence?


Thank you,

5 answers

3 accepted

1 vote
Answer accepted
Jodie Vlassis
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 3, 2022

Update:

Please see the latest FAQs posted over the weekend: https://confluence.atlassian.com/display/KB/FAQ+for+CVE-2022-22965

As always, you can monitor security vulnerabilities at the following link https://www.atlassian.com/trust/security/advisories

You can also report a vulnerability using this article https://www.atlassian.com/trust/security/report-a-vulnerability so that Atlassian will provide an official answer to that question.

We will continue to monitor the situation and provide a response soon.


Jodie

0 votes
Answer accepted
Jodie Vlassis
Atlassian Team
March 31, 2022

Please refer to our FAQ page; we should have a formal announcement soon:

https://confluence.atlassian.com/kb/faq-for-cve-2022-22963-cve-2022-22965-1115149136.html

0 votes
Answer accepted
Jack Brickey
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
March 30, 2022

I would refer you to the Atlassian Trust Center,

and within it they present security advisories.

Chihara
Rising Star
March 30, 2022

Jack,

Thank you.

But there are no updates about this "Spring2shell".

Jack Brickey
Community Leader
March 30, 2022

Understand. But that is where the latest info is. You could raise a request with Atlassian Support.

Hamish Moffatt March 31, 2022

But only updated on Wednesdays?!

0 votes
Hamish Moffatt April 3, 2022

Thank you for the advisory page.

The page says that some of the server products DO use the impacted Spring version but are not vulnerable. I think it would be helpful if you could explain why they are not vulnerable. Is it because they don't use an affected JDK version or because they don't use Tomcat or something else?

0 votes
Hamish Moffatt March 31, 2022

I see Spring framework messages in the Fisheye startup logs, though it only supports JDK 8 so perhaps not an issue - apparently Spring is only vulnerable if used with Tomcat and JDK 9+.
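
The comments above ask why a product can ship an affected Spring version yet not be exposed, and note that exploitation needs Tomcat and JDK 9+. The script below is an added example (not code from this thread, from Atlassian, or from the Spring project) that encodes the preconditions published in the Spring advisory for CVE-2022-22965: Spring Framework 5.3.0-5.3.17 or 5.2.0-5.2.19 (older lines never received a fix), JDK 9 or newer, a traditional WAR deployment on Apache Tomcat, and use of spring-webmvc or spring-webflux. It reads those facts from a startup log and reports which preconditions fail. The log excerpt and its format are constructed for the example; real Fisheye, Jira or Confluence logs look different, so the regular expressions would need adjusting.

```python
"""Triage helper for CVE-2022-22965 ("Spring4Shell") exposure.

Added example: encodes the preconditions from the Spring advisory and checks
them against facts pulled out of a (constructed) startup log.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Patch releases that contain the CVE-2022-22965 fix, per the Spring advisory.
FIXED_PATCH = {(5, 3): 18, (5, 2): 20}

# Constructed startup log excerpt; the format is an assumption, not real product output.
SAMPLE_LOG = """\
2022-03-31 09:12:44 INFO  Starting application on Java 1.8.0_322 (Oracle Corporation)
2022-03-31 09:12:45 INFO  Servlet container: Apache Tomcat/9.0.58, packaging=war
2022-03-31 09:12:46 INFO  Loaded Spring Framework 5.3.16 (spring-webmvc)
"""


def java_major(version: str) -> int:
    """Map a Java version string to its major release: 1.8.0_322 -> 8, 11.0.14 -> 11."""
    parts = version.split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])


def parse_spring_version(version: str) -> Tuple[int, int, int]:
    """Split 'major.minor.patch' into integers; raises on anything else."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def spring_patched(version: str) -> bool:
    """True if this Spring Framework release already contains the fix."""
    major, minor, patch = parse_spring_version(version)
    if major > 5:
        return True          # 6.x was released after the fix
    if major < 5:
        return False         # 4.x and older are unsupported and were never patched
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False         # 5.0 / 5.1 lines are out of support, no fix released
    return patch >= fixed


@dataclass
class Deployment:
    jdk: str
    spring: str
    container: str
    packaging: str           # "war" or "jar"
    web_module: str          # e.g. "spring-webmvc"


def parse_startup_log(text: str) -> Deployment:
    """Extract the facts the triage needs from the constructed log format."""
    jdk = re.search(r"Java (\d[\d._]+)", text).group(1)
    container = re.search(r"Servlet container: ([\w ]+?)/", text).group(1)
    packaging = re.search(r"packaging=(\w+)", text).group(1)
    spring, module = re.search(
        r"Spring Framework (\d+\.\d+\.\d+) \(([\w-]+)\)", text
    ).groups()
    return Deployment(jdk, spring, container, packaging, module)


def assess(d: Deployment) -> Tuple[bool, List[str]]:
    """Return (all preconditions met, preconditions that are NOT met).

    An empty list means every published precondition holds and the deployment
    should be treated as exposed until Spring is upgraded.
    """
    unmet = []
    if spring_patched(d.spring):
        unmet.append(f"Spring Framework {d.spring} already contains the fix")
    if java_major(d.jdk) < 9:
        unmet.append(f"JDK {java_major(d.jdk)}: the advisory's JDK 9+ precondition does not hold")
    if "tomcat" not in d.container.lower():
        unmet.append(f"servlet container is {d.container}, not Apache Tomcat")
    if d.packaging.lower() != "war":
        unmet.append(f"packaged as {d.packaging}, not a traditional WAR")
    if d.web_module not in ("spring-webmvc", "spring-webflux"):
        unmet.append(f"{d.web_module} is not spring-webmvc or spring-webflux")
    return (not unmet), unmet


if __name__ == "__main__":
    dep = parse_startup_log(SAMPLE_LOG)
    exposed, why_not = assess(dep)
    print("exposed" if exposed else "not exposed: " + "; ".join(why_not))
```

Run against the constructed log, the deployment matches the Fisheye case discussed above: the Spring version is in the affected range, but JDK 8 breaks one precondition, so the script reports it as not exposed. Flipping the JDK to 11 while keeping everything else yields an empty list of unmet preconditions, which is the case to prioritise for the 5.3.18 / 5.2.20 upgrade. A precondition check is a triage aid, not a substitute for patching: the advisory itself notes the exploitation requirements are not exhaustive.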
