
      The files related to the Jackson-databind library used by JIRA are out of date. While JIRA does not employ methodology which would enable exploitation of these old vulnerabilities (detailed in CVE-2017-15095), the problem is with the vulnerable files existing on the file system at all. They can trigger false positives against vulnerability scans.

      The following library files are affected:

      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-annotations-2.3.0.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-core-2.3.2.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-databind-2.3.2.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle150\version0.0\jackson-module-scala-2.10-provider-plugin-0.5.jar-embedded\jackson-module-scala-2.10-1.9.3.3.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle34\version0.0\atlassian-gadgets-directory-plugin-4.2.21.jar-embedded\META-INF\lib\jackson-core-asl-1.4.4.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle34\version0.0\atlassian-gadgets-directory-plugin-4.2.21.jar-embedded\META-INF\lib\jackson-mapper-asl-1.4.3.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\atlassian-bundled-plugins\jackson-module-scala-2.10-provider-plugin-0.5.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-1.0.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-core-asl-1.9.13-atlassian-1.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-mapper-asl-1.9.13-atlassian-1.jar
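An added example, not part of the issue or of any Atlassian tooling: a small Python inventory script that walks a Jira install tree, including the exploded `.jar-embedded` directories under felix-cache and jars nested inside plugin jars, and lists every Jackson artifact with its version so stale copies like the ones above can be located and tracked. The sample directory layout, the plugin file names and the `2.9.10` version floor are constructed assumptions.

```python
import os, re, tempfile, zipfile
from pathlib import Path
# jackson-core-asl-1.9.13-atlassian-1.jar -> ("jackson-core-asl", "1.9.13"); scala "-2.10-" names yield "2.10"
JAR_RE = re.compile(r"^(jackson(?:-[a-z]+)*)-(\d+(?:\.\d+)*)(?:-[^/]*)?\.jar$")
version_tuple = lambda v: tuple(int(x) for x in v.split("."))

def parse_jar_name(name):
    """(artifact, version) for a jackson jar filename, else None."""
    m = JAR_RE.match(os.path.basename(name))
    return (m.group(1), m.group(2)) if m else None

def find_jackson_jars(root):
    """Yield (location, artifact, version) for loose jars, jars in exploded
    '.jar-embedded' dirs under felix-cache, and jars nested inside plugin jars."""
    for path in sorted(Path(root).rglob("*.jar")):
        if not path.is_file():
            continue
        hit = parse_jar_name(path.name)
        if hit:
            yield (str(path), *hit)
        if zipfile.is_zipfile(path):  # plugin jar bundling its own META-INF/lib
            with zipfile.ZipFile(path) as zf:
                for member in zf.namelist():
                    inner = parse_jar_name(member)
                    if inner:
                        yield (f"{path}:{member}", *inner)

def outdated_jackson(root, floor):
    """Findings below `floor` (caller's policy); EOL Jackson 1.x is flagged too."""
    return [f for f in find_jackson_jars(root) if version_tuple(f[2]) < version_tuple(floor)]

def build_sample_tree(base):
    """Constructed layout echoing the issue's paths; not a real Jira install."""
    base = Path(base)
    for rel in ("atlassian-jira/WEB-INF/lib/jackson-1.0.jar",
                "atlassian-jira/WEB-INF/lib/jackson-databind-2.11.0.jar",  # current decoy
                "plugins/.osgi-plugins/felix/felix-cache/bundle130/version0.0/"
                "p.jar-embedded/META-INF/lib/jackson-databind-2.3.2.jar"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(b"")  # empty placeholder, not a real jar
    nested = base / "atlassian-jira/WEB-INF/atlassian-bundled-plugins/plugin-6.1.0.jar"
    nested.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(nested, "w") as zf:  # plugin jar embedding an old databind
        zf.writestr("META-INF/lib/jackson-databind-2.3.2.jar", b"")
    return base

def demo(floor="2.9.10"):  # scan the sample tree: (all findings, findings below floor)
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return list(find_jackson_jars(root)), outdated_jackson(root, floor)
```

Point `find_jackson_jars` at a real `<JIRA_HOME>` and `<JIRA_INSTALL>` to reproduce what a filesystem scanner sees; the nested-jar case is the one that plain filename scans miss.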


            [JRASERVER-71535] Update jackson-databind library bundled with JIRA

            AB added a comment - - edited

            Hi,

            This issue is now patched in versions 8.13.1, 8.14.0, and 8.5.10.


            AB added a comment -

            Hi dc2568792d03, I've identified the problem as coming from a particular plugin dependency in Jira Core; the plugin version likely needs to be upgraded. I'll sort out the plugin and keep you posted.


            David Ramos added a comment -

            the JSD image includes jackson-databind 2.3.2 here:

            /opt/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-remote-event-common-plugin-6.1.0.jar:META-INF/lib/jackson-databind-2.3.2.jar


            Stefan Glase added a comment -

            org.codehaus.jackson:jackson-mapper-asl is still in the POM of https://packages.atlassian.com/maven-external/com/atlassian/jira/jira-project/8.12.1/ and thus it is used to compile every plugin using the official Plugin SDK. This is NOT a Jira Service Desk only thing.


            AB added a comment - - edited

            dc2568792d03 Thanks for letting me know! I've moved the ticket into JSDSERVER so we can get it sorted.

            I've just checked on our jackson-databind versions used in Jira Server itself (the core application), and those are all up-to-date:

            🟦 = Doesn't appear in our scan of the latest version of Jira Server.

            CVE-2020-8840: 🟦, resolved on 24 Jun 2020.
            CVE-2019-20330: 🟦, resolved on 24 Jun 2020.
            CVE-2019-17531: 🟦, resolved on 15 Dec 2019.
            CVE-2019-17267: 🟦, resolved on 15 Dec 2019.
            CVE-2019-16943: 🟦, resolved on 15 Dec 2019.
            CVE-2019-16942: 🟦, resolved on 15 Dec 2019.
            CVE-2019-16335: 🟦, resolved on 15 Dec 2019.
            CVE-2019-14540: 🟦, resolved on 15 Dec 2019.
            CVE-2018-7489: 🟦, resolved on 22 Sep 2019.
            CVE-2018-14718: 🟦, resolved on 22 Sep 2019.
            CVE-2018-11307: 🟦, resolved on 22 Sep 2019.
            CVE-2018-5968: 🟦, resolved on 22 Sep 2019.
            CVE-2017-17485: 🟦, resolved on 22 Sep 2019.
            CVE-2017-15095: 🟦, resolved on 22 Sep 2019.

            So the issue might be coming from Service Desk (rather than the core application). I'll check the scans for Service Desk and write back to you.



            David Ramos added a comment -

            @Anton 🆎: we're scanning (and using) the Docker image atlassian/jira-servicedesk:4.12.0, which I realize is Jira Service Desk and not Jira Server, but the vulnerabilities are in jackson-databind 2.3.2, which is the version bundled with both Jira Server and JSD. I suspect much of the code may be shared between the two products, but please let me know if I should report a separate ticket specifically for JSD.


            AB added a comment - - edited

            Hi dc2568792d03, may I ask what version of Jira Server you're scanning?


            David Ramos added a comment -

            btw, most of the CVEs we're seeing are newer than when this issue was opened in 2017, so it's entirely possible that the newer ones may be exploitable even if the original issues were not.

            Issues our tool is flagging:

            • CVE-2020-8840
            • CVE-2019-20330
            • CVE-2019-17531
            • CVE-2019-17267
            • CVE-2019-16943
            • CVE-2019-16942
            • CVE-2019-16335
            • CVE-2019-14540
            • CVE-2018-7489
            • CVE-2018-14718
            • CVE-2018-11307
            • CVE-2018-5968
            • CVE-2017-17485
            • CVE-2017-15095


            David Ramos added a comment -

            we're seeing at least 14 distinct known vulnerabilities being flagged in jackson-databind 2.3.2. as Atlassian customers, we don't have visibility into whether any of these vulns are exploitable based on how Jira/Jira Service Desk are using the library.

            overall, it's quite concerning to see a deserialization library in use that has so many known vulnerabilities, given the troubling history of deserialization libraries causing security incidents. this version is over 6 years old, and none of this is acceptable for an enterprise product that is widely used in security-critical ways.

            please patch your software.

            more broadly, you should not be relying on upvotes from customers to get you to patch your vulnerable third party dependencies.


            Stefan Glase added a comment - - edited

            As a plugin developer I do not want to depend directly or indirectly on a library that comes with a potential security vulnerability. Atlassian selling me the Data Center Bug Bounty Program while at the same time ignoring known security flaws makes no sense to me. Please fix that dependency in one of the upcoming versions.

            The latest released jira-project POM (see https://packages.atlassian.com/maven-external/com/atlassian/jira/jira-project/8.9.0/) still references an affected version.

