[JRASERVER-74776] Jira Server/DC impacted by CVE-2022-22970 & CVE-2022-22971 via vulnerable version of Spring framework

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 9.6.0, 8.20.22, 9.4.6
Affects Version/s: 9.4.0, 8.20.15
Component/s: Security
Labels:

CVSS Score:
6.5
CVSS Severity:
Medium
CVE ID:
CVE-2022-22970

Jira is not impacted (no action is required) as the vulnerability cannot be exploited.

All Jira versions below 9.6 uses an affected version of Spring Framework, reason why the ~~JRASERVER-74776~~ was published, however Jira does not use the affected methods from the Spring, hence is not impacted:

CVE-2022-22970 Spring Framework handling file uploads Denial of Service: Spring is not used for file handling, we use commons-fileupload v1.3.3.
CVE-2022-22971 Spring Framework using STOMP over WebSockets Denial of Service: Jira has no usages of WebSockets

No action is required at the moment to mitigate the vulnerabilities as Jira is not impacted.

----------------------------------------------

Affected versions of Atlassian Jira Server/DC is impacted by CVE-2022-22970 & CVE-2022-22971 owing to use of spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions.

Affected versions:

version < 9.6.0

Fixed versions:

9.6.0

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load

Nalini Kumar added a comment - 13/Jan/2024 3:40 PM

Is this fixed in >=8.20.22? The fixed versions field in this Bug report says so.

Nalini Kumar added a comment - 13/Jan/2024 3:40 PM Is this fixed in >=8.20.22? The fixed versions field in this Bug report says so.

SyedAhmedKabeer added a comment - 13/Dec/2023 1:41 AM

Hello Team,

After Jira 9.4.14 update my plugin is not started.

Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type

Could you please support?

SyedAhmedKabeer added a comment - 13/Dec/2023 1:41 AM Hello Team, After Jira 9.4.14 update my plugin is not started. Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type Could you please support?

Jack Probst made changes - 26/Sep/2023 2:43 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 817780 ]

Cathy S made changes - 24/May/2023 8:27 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 764985 ]

Mathias Richter made changes - 20/Apr/2023 10:13 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 752746 ]

Andrzej Kotas added a comment - 04/Apr/2023 5:58 AM

As Jira is not impacted and the vulnerability cannot be exploited we we're not planning on back-porting. Though we understand the compliance aspect of the issue and revised the decision. The LTS will be updated accordingly. **

Best regards

Andrzej Kotas

Product Manager - Jira DC

Andrzej Kotas added a comment - 04/Apr/2023 5:58 AM As Jira is not impacted and the vulnerability cannot be exploited we we're not planning on back-porting. Though we understand the compliance aspect of the issue and revised the decision. The LTS will be updated accordingly. ** Best regards Andrzej Kotas Product Manager - Jira DC

Karol Skwierawski made changes - 03/Apr/2023 2:24 PM

Assignee

New: Karol Skwierawski [ 4e432536cf93 ]

Karol Skwierawski made changes - 03/Apr/2023 2:23 PM

Fix Version/s		New: 9.4.6 [ 104661 ]
Fix Version/s		New: 8.20.22 [ 104907 ]

Leonardo Souto made changes - 31/Mar/2023 2:36 PM

Description

Original: Affected versions of Atlassian Jira Server/DC is impacted by CVE-2022-22970 & CVE-2022-22971 owing to use of spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions.

*Affected versions:*
* version < 9.6.0

*Fixed versions:*
* 9.6.0

New: *Jira is not impacted* (no action is required) as the vulnerability {+}*cannot be exploited*{+}.

All Jira versions below *9.6* uses an affected version of Spring Framework, reason why the ~~JRASERVER-74776~~ was published, however Jira {+}*does not use the affected methods from the Spring*{+}, hence {+}*is not impacted*{+}:
* *CVE-2022-22970* Spring Framework handling file uploads Denial of Service: Spring is not used for file handling, {*}we use commons-fileupload v1.3.3{*}.
* *CVE-2022-22971* Spring Framework using STOMP over WebSockets Denial of Service: *Jira has no usages of WebSockets*

No action is required at the moment to mitigate the vulnerabilities as Jira is not impacted.

----------------------------------------------

Affected versions of Atlassian Jira Server/DC is impacted by CVE-2022-22970 & CVE-2022-22971 owing to use of spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions.

*Affected versions:*
* version < 9.6.0

*Fixed versions:*
* 9.6.0

James Kawalek added a comment - 30/Mar/2023 8:07 PM

If this will not be backported to the 9.4.X LTS, will a new LTS branch be announced for something > 9.6 ?

James Kawalek added a comment - 30/Mar/2023 8:07 PM If this will not be backported to the 9.4.X LTS, will a new LTS branch be announced for something > 9.6 ?

Assignee:: Karol Skwierawski

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 24 Start watching this issue

Created:: 03/Feb/2023 5:50 AM

Updated:: 13/Jan/2024 3:40 PM

Resolved:: 28/Feb/2023 1:35 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: Nalini Kumar added a comment - 13/Jan/2024 3:40 PM

Expand comment: Nalini Kumar added a comment - 13/Jan/2024 3:40 PM

Collapse comment: SyedAhmedKabeer added a comment - 13/Dec/2023 1:41 AM

Expand comment: SyedAhmedKabeer added a comment - 13/Dec/2023 1:41 AM

Collapse comment: Andrzej Kotas added a comment - 04/Apr/2023 5:58 AM

Expand comment: Andrzej Kotas added a comment - 04/Apr/2023 5:58 AM

Collapse comment: James Kawalek added a comment - 30/Mar/2023 8:07 PM

Expand comment: James Kawalek added a comment - 30/Mar/2023 8:07 PM

People

Dates