Project: Jira Data Center
Issue: JRASERVER-73580

Vulnerable version of xmlsec used - CVE-2021-40690


Details

    • CVSS score: 7.5
    • Severity: High
    • CVE ID: CVE-2021-40690

    Description

      Affected versions of Atlassian Jira Server and Data Center used versions of xmlsec that were vulnerable to CVE-2021-40690.

      Affected versions:

      • version < 8.22.2

       Workaround:

      • All versions below 8.22.2 are affected. The 8.13 LTS line and 8.20.x releases up to 8.20.14 should also apply this workaround; the issue is permanently fixed in 8.20.15.
        1. Delete the xmlsec library

        This should have no side effect on Jira itself, but it may break third-party libraries or plugins that depend on the xmlsec jar shipped with Jira.

        Workaround steps:
        1. Navigate to the Jira installation directory
        2. Navigate to the subdirectory atlassian-jira/WEB-INF/lib
        3. Locate the file xmlsec-1.5.6.jar
        4. Remove the file xmlsec-1.5.6.jar
        5. Restart the node
        Follow these steps on each node in the Jira cluster.

        2. How to know whether a plugin is using the xmlsec dependency.

        The nature of plugins allows them to use any library they want. The method described below is not 100% reliable, as there are several tools and ways of including a library, but it should cover the most common cases.

        1. Unpack the plugin jar/obr
        2. Look for a file named xmlsec-1.5.X.jar or xmlsec.jar (where X is any number) in the unpacked directory and its subdirectories. If found, the plugin is using the vulnerable library
        3. Look for the file META-INF/MANIFEST.MF in the unpacked directory
        4. Open it and search for the string org.apache.xml.security. If found, the plugin is using the vulnerable library
        5. Look for pom.xml files in the unpacked directory and its subdirectories. If found, open each file and look for a <dependency> element that contains <artifactId>xmlsec</artifactId> and <version>X.Y.Z</version>, where X.Y.Z is any version described as vulnerable by CVE-2021-40690 (the 1.5.x line shipped with Jira is vulnerable). If found, the plugin is using the vulnerable library.
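        The two procedures above (checking a Jira install tree for the shipped xmlsec jar, and running the three plugin indicators over an unpacked plugin) as a POSIX shell script. This is an added example, not Atlassian's own tooling: the function names are assumptions, the plugin fixture it builds is constructed sample data that trips all three indicators, and the pom.xml parsing assumes the conventional one-element-per-line layout. Pass an already-unpacked plugin directory (unzip -q plugin.jar -d DIR) as the argument, or run it with no argument to scan the fixture.

```shell
#!/bin/sh
# Added example, not Atlassian's code. Scripts the two manual procedures in
# this issue: (1) confirm whether a Jira install still ships xmlsec under
# atlassian-jira/WEB-INF/lib, and (2) run the three plugin indicators from
# the advisory over an already-unpacked plugin (unzip -q plugin.jar -d DIR).
# Function names and the fixture below are assumptions / constructed data.

# find_xmlsec_jars DIR: print each xmlsec-1.5.X.jar or xmlsec.jar under DIR;
# exit status 0 if at least one was found.
find_xmlsec_jars() {
    found=$(find "$1" -type f \( -name 'xmlsec-1.5.*.jar' -o -name 'xmlsec.jar' \) 2>/dev/null)
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -n "$found" ]
}

# jira_lib_has_xmlsec JIRA_INSTALL_DIR: step 1 of the workaround, useful
# before and after deleting the jar (run on every node of the cluster).
jira_lib_has_xmlsec() {
    find_xmlsec_jars "$1/atlassian-jira/WEB-INF/lib"
}

# manifest_references_xmlsec DIR: does META-INF/MANIFEST.MF mention the
# org.apache.xml.security package (Import-Package, Export-Package, ...)?
manifest_references_xmlsec() {
    [ -f "$1/META-INF/MANIFEST.MF" ] && grep -q 'org\.apache\.xml\.security' "$1/META-INF/MANIFEST.MF"
}

# pom_xmlsec_versions DIR: for every pom.xml under DIR, print the <version>
# of each <dependency> whose <artifactId> is xmlsec ("unspecified" when the
# version is inherited from dependencyManagement). Assumes one element per
# line, the usual pom formatting.
pom_xmlsec_versions() {
    find "$1" -type f -name pom.xml 2>/dev/null | while IFS= read -r pom; do
        awk '
            /<dependency>/          { inblk = 1; art = ""; ver = "" }
            inblk && /<artifactId>/ { sub(/.*<artifactId>/, ""); sub(/<\/artifactId>.*/, ""); art = $0 }
            inblk && /<version>/    { sub(/.*<version>/, ""); sub(/<\/version>.*/, ""); ver = $0 }
            /<\/dependency>/        { if (inblk && art == "xmlsec") print (ver == "" ? "unspecified" : ver); inblk = 0 }
        ' "$pom"
    done
}

# scan_plugin DIR: run all three checks; prints what was found and exits 0
# when the plugin appears to use xmlsec, 1 when no indicator matched.
scan_plugin() {
    dir=$1
    hit=1
    if find_xmlsec_jars "$dir"; then
        echo "indicator: bundled xmlsec jar (listed above)"; hit=0
    fi
    if manifest_references_xmlsec "$dir"; then
        echo "indicator: MANIFEST.MF references org.apache.xml.security"; hit=0
    fi
    vers=$(pom_xmlsec_versions "$dir")
    if [ -n "$vers" ]; then
        echo "indicator: pom.xml declares xmlsec version(s): $vers"; hit=0
    fi
    return $hit
}

# make_fixture DIR: constructed unpacked plugin (sample data, not a real
# plugin) that trips all three indicators, so the example runs offline.
make_fixture() {
    mkdir -p "$1/META-INF/lib" "$1/META-INF/maven/example"
    : > "$1/META-INF/lib/xmlsec-1.5.6.jar"
    printf 'Manifest-Version: 1.0\nImport-Package: org.apache.xml.security;version="[1.5,2)"\n' \
        > "$1/META-INF/MANIFEST.MF"
    cat > "$1/META-INF/maven/example/pom.xml" <<'EOF'
<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.santuario</groupId>
      <artifactId>xmlsec</artifactId>
      <version>1.5.6</version>
    </dependency>
  </dependencies>
</project>
EOF
}

# Usage: sh check_xmlsec.sh UNPACKED_PLUGIN_DIR   (no argument: scan the fixture)
if [ "$#" -gt 0 ]; then
    scan_plugin "$1"
else
    tmp=$(mktemp -d)
    make_fixture "$tmp/plugin"
    scan_plugin "$tmp/plugin"
    rm -rf "$tmp"
fi
```

        Each indicator is a separate function so a zero-hit result from one check does not mask a hit from another; a plugin that shades xmlsec into its own classes will still be missed, which is the "not 100% reliable" caveat above.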

         

      People

        Assignee: Unassigned
        Reporter: Security Metrics Bot