
Jira Server/DC impacted by CVE-2022-22970 & CVE-2022-22971 via vulnerable version of Spring framework

    • 6.5
    • Medium
    • CVE-2022-22970

      Jira is not impacted (no action is required) as the vulnerability cannot be exploited.

      All Jira versions below 9.6 use an affected version of Spring Framework, which is why JRASERVER-74776 was published. However, Jira does not call the affected Spring methods and is therefore not impacted:

      • CVE-2022-22970 Spring Framework handling file uploads Denial of Service: Spring is not used for file handling, we use commons-fileupload v1.3.3.
      • CVE-2022-22971 Spring Framework using STOMP over WebSockets Denial of Service: Jira has no usages of WebSockets.

      No action is required at the moment to mitigate the vulnerabilities as Jira is not impacted.

      ----------------------------------------------

      Affected versions of Atlassian Jira Server/DC are impacted by CVE-2022-22970 & CVE-2022-22971 owing to their use of Spring Framework versions prior to 5.3.20 (5.3 line), prior to 5.2.22 (5.2 line), or old unsupported versions.

      Affected versions:

      • version < 9.6.0

      Fixed versions:

      • 9.6.0
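      The advisory names the fixed Spring Framework lines (5.3.20+ and 5.2.22+). The following is an added example, not Atlassian's code, for inventorying the Spring jars an instance actually ships and flagging those that predate the fix; it assumes the jars are named `spring-<module>-<version>.jar` (optionally with a `.RELEASE` suffix), that the directory to scan is passed in by the operator, and that lines newer than 5.3 carry the fix.

```python
"""Spring Framework jar inventory check for the CVE-2022-22970 / CVE-2022-22971
advisory. Added example (not Atlassian code); the sample jar list is constructed."""
import re
from pathlib import Path

# Jar naming assumption: spring-<module>-<major>.<minor>.<patch>[.RELEASE].jar
SPRING_JAR = re.compile(
    r"^spring-(?P<module>[a-z\-]+)-(?P<version>\d+\.\d+\.\d+)(?:\.RELEASE)?\.jar$"
)

# First fixed patch level per supported line, as stated in the advisory.
FIXED_LINES = {(5, 3): 20, (5, 2): 22}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if this Spring Framework version predates the fix.
    Assumption: lines newer than 5.3 (e.g. 6.x) already carry it;
    lines older than 5.2 are the 'old unsupported versions' the advisory names."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_LINES:
        return patch < FIXED_LINES[line]
    return line < (5, 3)


def scan_lib(jar_names):
    """Map each Spring jar name to whether it is affected; other jars are skipped."""
    result = {}
    for name in jar_names:
        match = SPRING_JAR.match(name)
        if match:
            result[name] = is_affected(match.group("version"))
    return result


def scan_directory(lib_dir):
    """Scan a real lib directory (e.g. the Jira web-app lib folder) for Spring jars."""
    return scan_lib(path.name for path in Path(lib_dir).glob("spring-*.jar"))


# Constructed sample of a lib listing, mixing fixed, affected and non-Spring jars.
SAMPLE_LIB = [
    "spring-core-5.3.19.jar",
    "spring-web-5.3.20.jar",
    "spring-beans-5.2.21.RELEASE.jar",
    "spring-context-4.3.30.RELEASE.jar",
    "commons-fileupload-1.3.3.jar",
]

if __name__ == "__main__":
    for jar, affected in scan_lib(SAMPLE_LIB).items():
        print(f"{jar}: {'AFFECTED' if affected else 'fixed'}")
```

Even where the affected jar is present, the advisory's point stands: Jira does not call the vulnerable code paths, so the finding is a compliance signal rather than an exploitable condition.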


            Nalini Kumar added a comment - Is this fixed in >=8.20.22? The fixed versions field in this Bug report says so.

            SyedAhmedKabeer added a comment -

            Hello Team,

            After Jira 9.4.14 update my plugin is not started.

            Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type

            Could you please support?

            Andrzej Kotas added a comment -

            As Jira is not impacted and the vulnerability cannot be exploited we were not planning on back-porting. Though we understand the compliance aspect of the issue and revised the decision. The LTS will be updated accordingly.

            Best regards

            Andrzej Kotas

            Product Manager - Jira DC

            James Kawalek added a comment - If this will not be backported to the 9.4.X LTS, will a new LTS branch be announced for something > 9.6?

            Kevin Lange added a comment -

            Our agency plans to block our instance on 5/7/2023 unless remediated or a suitable workaround is in place.

            The already weak value proposition of LTS (same remediation timeframe for criticals as mediums) is further weakened if a back-port is not produced.

            Noni Khutane added a comment -

            You're right Kevin, if they are not implementing a fix, the least they can do is provide some mitigation.

            We cannot all of a sudden be expected to upgrade to the latest and greatest; what is the point of LTS versions?

            Kevin Lange added a comment - edited

            Is Atlassian's official stance to not follow their own bugfix policy, let alone for LTS versions? Can you share (privately?) your deliberation datapoints why two medium CVEs in Atlassian JiraDC will not be fixed in the current and previous LTS versions? Do you have any mitigating information that lowers the residual risk in these two CVEs?

            Andrzej Kotas added a comment -

            Hi everyone,

            This issue has been reviewed by the Jira Data Center Development team and patched in 9.6 release. At this moment we're not considering back-porting to 8.20 or 9.4.

            We realize our decision may be disappointing, and we will continue to monitor this issue for further updates. Please continue to share your thoughts in the comments.

            Best regards

            Andrzej Kotas

            Product Manager - Jira DC

            Kevin Lange added a comment -

            Technically, per Atlassian's Security Bug Fix Policy (https://www.atlassian.com/trust/security/bug-fix-policy), this will be back-ported within 90 days of discovery to all LTS versions. That would mean that Atlassian should produce a fix by May 3, 2023. My limited observation says that Atlassian releases fixes usually the 2nd or 3rd week of each month, so my hunch is that it will be fixed mid-April.

            Noni Khutane added a comment - Will this be backported to 8.20?
