Details
- Bug
- Resolution: Unresolved
- Highest
- 9.0.0, 8.20.11, 9.2.0, 8.22.6
- 8.2
- 140
- Severity 3 - Minor
- 86
Description
BUG RE-OPENED
Jira Service Management 5.4.3 (the release in which this was supposed to be fixed, i.e. Jira 9.4.3 / JSM 5.4.3) is still generating copies of the commons-text 1.6 library in the /plugins/.osgi-plugins folder. Even after these files are deleted, they are regenerated on the next restart. Because of this, security scans still flag CVE-2022-42889.
find /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/ -iname commons-text-1.6.jar -exec ls -l {} \;
-rw-r--r--. 1 jira jira 197176 Mar 21 17:01 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle187/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
-rw-r--r--. 1 jira jira 197176 Mar 21 17:02 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle197/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
-rw-r--r--. 1 jira jira 197176 Mar 21 17:02 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle204/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
-rw-r--r--. 1 jira jira 197176 Mar 21 17:02 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle205/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
-rw-r--r--. 1 jira jira 197176 Mar 21 17:01 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle206/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
Our developers have identified at https://asecurityteam.atlassian.net/browse/VULN-1020573 that there are still 5 JAR files from Jira Service Management that need to be fixed, as they are the bundles that embed the commons-text 1.6 library shown above:
JIRA_HOME/plugins/installed-plugins/servicedesk-reports-plugin-5.4.3-REL-0001.jar
JIRA_HOME/plugins/installed-plugins/jira-servicedesk-application-5.4.3.jar
JIRA_HOME/plugins/installed-plugins/servicedesk-variable-substitution-plugin-5.4.3-REL-0001.jar
JIRA_HOME/plugins/installed-plugins/servicedesk-search-plugin-5.4.3-REL-0001.jar
JIRA_HOME/plugins/installed-plugins/servicedesk-notifications-plugin-5.4.3-REL-0001.jar
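Because the felix-cache copies are extracted from the plugin bundles at startup, the useful check is which JARs under JIRA_HOME/plugins/installed-plugins embed a commons-text older than 1.10.0. The following is an added Python example (not Atlassian's code); it assumes the installed-plugins layout named above and, for its demo, builds a constructed throwaway JIRA_HOME instead of touching a real instance.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# commons-text 1.10.0 is the first release that disables the interpolators
# behind CVE-2022-42889 by default, so anything older is reported.
FIXED_VERSION = (1, 10, 0)
# Nested entries look like META-INF/lib/commons-text-1.6.jar
EMBEDDED_RE = re.compile(r"(?:^|/)commons-text-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'1.6' -> (1, 6, 0): pad to three components so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def embedded_commons_text(plugin_jar):
    """List (entry_name, version) for commons-text JARs nested inside plugin_jar."""
    with zipfile.ZipFile(plugin_jar) as zf:
        matches = (EMBEDDED_RE.search(n) for n in zf.namelist())
        return [(m.string, parse_version(m.group(1))) for m in matches if m]

def scan_installed_plugins(jira_home):
    """Map plugin JAR name -> nested commons-text entries older than FIXED_VERSION."""
    plugin_dir = Path(jira_home) / "plugins" / "installed-plugins"
    report = {}
    for jar in sorted(plugin_dir.glob("*.jar")):
        hits = [(n, v) for n, v in embedded_commons_text(jar) if v < FIXED_VERSION]
        if hits:
            report[jar.name] = hits
    return report

def make_sample_plugin(path, version):
    """Constructed fixture: a plugin bundle embedding a stub commons-text JAR."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/lib/commons-text-{version}.jar", b"stub")

def demo():
    """Build a throwaway JIRA_HOME with one affected and one fixed plugin, then scan it."""
    home = Path(tempfile.mkdtemp())
    plugins = home / "plugins" / "installed-plugins"
    make_sample_plugin(plugins / "jira-servicedesk-application-5.4.3.jar", "1.6")
    make_sample_plugin(plugins / "some-fixed-plugin.jar", "1.10.0")
    return scan_installed_plugins(home)

if __name__ == "__main__":
    print(demo())
```

Point scan_installed_plugins() at a real JIRA_HOME to get the list of bundles to upgrade; the felix-cache copies disappear once those bundles no longer embed the old library.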
--------------------------------------------------------------------------------
DISCLAIMER
Jira IS NOT VULNERABLE to CVE-2022-42889.
This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.
Jira does not use the vulnerable module org.apache.commons.text.StringSubstitutor.
Issue Summary
The Apache Commons Text library should be upgraded to 1.10.0 or later to mitigate the exploitation attempts described in CVE-2022-42889.
This is reproducible on Data Center: yes
Steps to Reproduce
Check the version of org.apache.commons:commons-text in pom.xml.
Expected Results
commons-text 1.10.0 or later is expected.
Actual Results
commons-text 1.9 (or earlier) is used.
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
Attachments
Issue Links
- is duplicated by
  - JRASERVER-74505 Update common-text library to version 1.10.0 (Closed)
- is related to
  - BSERV-13534 Upgrade Apache Commons-text to mitigate CVE-2022-42889 (excludes bundled OpenSearch) (Closed)
  - CONFSERVER-81048 Upgrade Apache Commons-text for CVE-2022-42889 (Closed)
  - CWD-5892 Upgrade Apache Commons-text for CVE-2022-42889 (Closed)
  - VULN-960981
- relates to
  - JRASERVER-74505 Update common-text library to version 1.10.0 (Closed)
- is cloned by
  - RAID-3205