JRASERVER-74420 (Jira Data Center)

Vulnerable version of xmlsec used - CVE-2021-40690 in atlassian-authentication-plugin


    • 7.5
    • High
    • CVE-2021-40690

      Recently we identified that, in addition to the libraries mentioned in JRASERVER-73580, another library (atlassian-authentication-plugin) has a transitive dependency on xmlsec that could be related to the vulnerability described in CVE-2021-40690.
      Note that, based on our assessment, the vulnerability is more theoretical and no known exploits exist.

      The affected versions of Jira, which ship with the impacted atlassian-authentication-plugin, are all versions prior to 8.20.13 and all versions from 8.21.0 before 9.0.0.

      Affected versions:

      • All bug-fix versions in 8.13.x series
      • version < 8.20.13
      • version ≥ 8.21.0 and version < 9.0.0

      Fixed versions:

      • >= 8.20.13
      • >= 9.0.0

      Workaround for Affected Versions

      Deploy the new atlassian-authentication-plugin-4.2.12.jar or higher.

      The fixed version of this library is atlassian-authentication-plugin-4.2.11.jar; however, we recommend atlassian-authentication-plugin-4.2.12.jar or higher to also benefit from the fix for the defect described in JRASERVER-73257.

      Detailed Steps

      1. Navigate to <Jira-installation-directory>/atlassian-jira/WEB-INF/atlassian-bundled-plugins
      2. Move the existing atlassian-authentication-plugin-4.x.x jar to a temporary directory outside of the Jira installation directory (to keep a backup in case the change has to be rolled back).
      3. Download atlassian-authentication-plugin-4.2.12.jar or higher from the marketplace.
      4. Copy the downloaded atlassian-authentication-plugin-4.2.12.jar or higher to <Jira-installation-directory>/atlassian-jira/WEB-INF/atlassian-bundled-plugins
      5. Stop the Jira service.
      6. Clear the OSGi caches by removing the following two folders:
         <jira-local-home>/plugins/.bundled-plugins
         <jira-local-home>/plugins/.osgi-plugins
      7. Start the Jira service.
             
        Please note that if you have more than one node in the Data Center cluster, perform all of the above steps on each Jira node.
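The version check and the file-level part of the workaround above, as an added example script that is not part of this advisory or of any Atlassian tooling. The directory layout follows the steps above; the function names, the backup directory argument and the 4.2.10 sample jar name are assumptions, and stopping and starting the Jira service (steps 5 and 7) is left to the operator.

```shell
#!/bin/sh
# Added example, not Atlassian's own tooling. Stop Jira before calling
# apply_workaround and start it again afterwards; repeat on every node.

# Compare two dotted versions (up to three components): prints -1, 0 or 1.
vercmp() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
    [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
    i=$((i+1))
  done
  printf '%s\n' 0
}

# Returns 0 (true) if a Jira version falls in the affected ranges from the
# advisory: < 8.20.13 (which covers every 8.13.x), or >= 8.21.0 and < 9.0.0.
jira_affected() {
  v="$1"
  [ "$(vercmp "$v" 8.20.13)" -lt 0 ] && return 0
  [ "$(vercmp "$v" 8.21.0)" -ge 0 ] && [ "$(vercmp "$v" 9.0.0)" -lt 0 ] && return 0
  return 1
}

# Steps 1-4 and 6: back up the old plugin jar outside the installation,
# drop in the new jar and clear the two OSGi cache folders.
#   $1 = Jira installation directory   $2 = Jira local home
#   $3 = path to the downloaded 4.2.12+ jar   $4 = backup directory (assumed)
apply_workaround() {
  bundled="$1/atlassian-jira/WEB-INF/atlassian-bundled-plugins"
  mkdir -p "$4"
  for old in "$bundled"/atlassian-authentication-plugin-4.*.jar; do
    [ -e "$old" ] && mv "$old" "$4/"
  done
  cp "$3" "$bundled/"
  rm -rf "$2/plugins/.bundled-plugins" "$2/plugins/.osgi-plugins"
}
```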
