
Jira Server/DC impacted by CVE-2022-22970 & CVE-2022-22971 via vulnerable version of Spring framework

    • 6.5
    • Medium
    • CVE-2022-22970

      Jira is not impacted (no action is required) as the vulnerability cannot be exploited.

      All Jira versions below 9.6 use an affected version of Spring Framework, which is why JRASERVER-74776 was published; however, Jira does not call the affected Spring methods and is therefore not impacted:

      • CVE-2022-22970 Spring Framework handling file uploads Denial of Service: Spring is not used for file handling; we use commons-fileupload v1.3.3.
      • CVE-2022-22971 Spring Framework using STOMP over WebSockets Denial of Service: Jira has no usages of WebSockets.

      No action is required at the moment to mitigate the vulnerabilities as Jira is not impacted.

      ----------------------------------------------

      Affected versions of Atlassian Jira Server/DC are impacted by CVE-2022-22970 & CVE-2022-22971 owing to the use of Spring Framework versions earlier than 5.3.20 or 5.2.22 (fixed in 5.3.20+ and 5.2.22+ respectively), or of old unsupported versions.

      Affected versions:

      • version < 9.6.0

      Fixed versions:

      • 9.6.0

            [JRASERVER-74776] Jira Server/DC impacted by CVE-2022-22970 & CVE-2022-22971 via vulnerable version of Spring framework

            Jack Probst made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 817780 ]
            Cathy S made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 764985 ]
            Mathias Richter made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 752746 ]
            Karol Skwierawski made changes -
            Assignee New: Karol Skwierawski [ 4e432536cf93 ]
            Karol Skwierawski made changes -
            Fix Version/s New: 9.4.6 [ 104661 ]
            Fix Version/s New: 8.20.22 [ 104907 ]
            Leonardo Souto made changes -
            Description Original: the "Affected versions of Atlassian Jira Server/DC is impacted by CVE-2022-22970 & CVE-2022-22971 owing to use of spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions." text, with the Affected versions (version < 9.6.0) and Fixed versions (9.6.0) lists.
            New: the description shown above: the "Jira is not impacted (no action is required)" statement, the per-CVE reasoning (commons-fileupload v1.3.3 is used for file handling; Jira has no usages of WebSockets), the "No action is required at the moment" note, and then the original text after the separator.
            Manisha Sangwan made changes -
            Description Original: the "Affected versions of Atlassian Jira Server/DC is impacted by CVE-2022-22970 & CVE-2022-22971 owing to use of spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions." text with the Affected versions (version < 9.6.0) and Fixed versions (9.6.0) lists, followed by a DISCLAIMER panel that is unrelated to the Spring CVEs (it refers to the Apache Commons Text upgrade) and reads:
              (!) Jira IS NOT VULNERABLE to CVE-2022-42889 (https://www.cve.org/CVERecord?id=CVE-2022-42889).
              This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.
              Jira does not use the vulnerable module org.apache.commons.text.StringSubstitutor.
            New: the same "Affected versions" / "Fixed versions" text with the DISCLAIMER panel removed.
            Manisha Sangwan made changes -
            Description Original: the "Affected versions of Atlassian Jira Server/DC is impacted by CVE-2022-22970 & CVE-2022-22971 owing to use of spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions." text with the Affected versions (version < 9.6.0) and Fixed versions (9.6.0) lists, without a DISCLAIMER panel.
            New: the same text with the CVE-2022-42889 (Apache Commons Text) DISCLAIMER panel appended, as quoted in the preceding entry.
            Security Metrics Bot made changes -
            CVE ID New: CVE-2022-22970
            Brian Leysath made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
