-
Suggestion
-
Resolution: Unresolved
-
None
-
None
-
3
-
Problem Definition
For almost every vulnerability Issue there is often the problem that it has been closed because it has been fixed, but the fix version is a release version beyond the LTS version. Because the Issue is closed no one knows if there will be a LTS fix coming or not. And if not, why? Or if, when it will be shipped.
Could you make this more transparent? A lot of people are starting otherwise asking in the comment for a LTS fix, without any response. The handling for LTS fixes of vulnerabilities is very diffuse. Sometimes there is no statement for a LTS fix at all, so you hope when upgrading the minor version of a LTS will solve it, but you never know.
This is not helpful to keep/build the trust in the application.
Suggested Solution
You could extend your workflow in order to illustrate there is still bugfixing going on for a LTS, by another status, for example...
Workaround
None
- Mentioned in
[JRASERVER-73182] documentation of Vulnerability fixes for LTS versions
Agreed. We end up pestering our TAM for the information, which is not an efficient use of their time or ours
Agree with Kevin.
Very frustrating and hard to explain to our security team.
I wholeheartedly agree with this suggestion. More transparency and clarity within Atlassian's issue-management framework on ALL vulnerabilities with respect to LTS, please. We had to write a script to consolidate and report on ALL vulnerabilities associated with each product in the Atlassian Suite so that we get vulnerability data AHEAD of the vulnerability scanning engines (Nessus, Qualys, etc). Atlassian does not provide rationale on what criteria is used to publish a small limited set of advisories on their security advisory page (assume they meet some CVSS score > x ?) rather than publishing ALL advisories and workarounds. Nothing like having DHS letting me know about a vulnerability from scans in Atlassian products before Atlassian informs us (if at all). Atlassian has been firm with us that providing advisories beyond what is on their Security Advisory page is not their responsibility.
LTS versions of Atlassian products should get preferred treatment in clarity, timeline and response (ETA for fix, mitigations, explanations, applicability) within their own issue-management framework. If a vulnerability is found in an upstream version, and the LTS is affected, Atlassian should provide clear and timely response for the LTS version(s) with applicability, timeline to fix, and any possible workarounds commensurate with CVSS score.
Atlassian is the only major COTS vendor that does not:
- push security advisories to customer (you must pull via inadequate and clumsy page subscription)
- push all security advisories to customer (or permit customization of a push subscription)
- provide clarity on applicability of vulnerabilities. Sure, the CVE may state the CPE data clearly, but vulnerability issues tracked in Atlassian Jira are rarely clear, and leave our heads scratching in the ambiguous non-response.
applies also for Confluence, of course...