This Confluence release includes updates to our org.yaml:snakeyaml dependency in response to CVE-2022-1471.

Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path for exploitation.

The patch for CVE-2022-1471 is being released out of an abundance of caution.

This Critical severity RCE (Remote Code Execution) vulnerability known as CVE-2022-1471 was introduced in versions 9.2.17 and 10.2.7.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H allows an unauthenticated attacker to potentially execute arbitrary code on the remote host, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

• Confluence Data Center 10.2: Upgrade to a release greater than or equal to 10.2.10
• Confluence Data Center 9.2: Upgrade to a release greater than or equal to 9.2.19

See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).

The National Vulnerability Database provides the following description for this vulnerability:

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.