Jira Service Management Data Center / JSDSERVER-14007

Third-Party Dependency Vulnerability in Jira Service Management Data Center and Server

    • 7.5
    • High
    • CVE-2022-25647
    • Atlassian (Internal)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    • Patch Management
    • Jira Service Management Data Center, Jira Service Management Server

      This High severity Third-Party Dependency vulnerability was introduced in version 4.20.0 of Jira Service Management Data Center and Server.

      This vulnerability, with a CVSS score of 7.5 and CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an unauthenticated, network-reachable attacker, without any user interaction, to cause a denial of service: it has no impact on confidentiality, no impact on integrity and a high impact on availability.

      Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the supported fixed versions listed below:

      • Jira Service Management Data Center and Server 4.20: Upgrade to a release greater than or equal to 4.20.25
      • Jira Service Management Data Center and Server 5.4: Upgrade to a release greater than or equal to 5.4.9
      • Jira Service Management Data Center and Server 5.9: Upgrade to a release greater than or equal to 5.9.2
      • Jira Service Management Data Center and Server 5.10: Upgrade to a release greater than or equal to 5.10.1

      See the release notes (https://confluence.atlassian.com/servicemanagement/jira-service-management-release-notes-780083086.html). You can download the latest version of Jira Service Management Data Center and Server from the download center (https://www.atlassian.com/software/jira/service-management/download-archives).

      The National Vulnerability Database provides the following description for this vulnerability: The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.


            Martin McCann added a comment -

            That being said there may be TWO 'installed-plugins' folders:
            One within the location of 'Jira Local Home' and the other at 'Jira Shared Home' which can be found in
            Gear -> Admin -> System -> System info

            I can later gson*jar versions in one of them.

            Martin McCann added a comment -

            Also in the folder where the jars are located:

            /opt/atlassian/jira/servicedesk/application-data/jira/plugins/installed-plugins

            if I enter:
                 for i in *.jar; do if unzip -l "$i" | grep -n "gson"; then echo "$i"; fi; done

            I do not see any gson jar version that is at 2.8.9 or later. (2.7 is latest)

            Martin McCann added a comment -

            I have upgraded Jira Service Management Data Center from 5.4.8 -> 5.4.9 to address this vulnerability.
            5.4.9 should have the fix. It is published here:
            https://confluence.atlassian.com/servicemanagement/issues-resolved-in-5-4-9-1252002471.html
            which of course links to this page.
            I have concerns about verifying the fix. It is using the 2.3.1 jar.

            # find /opt/atlassian/jira/servicedesk/current/atlassian-jira -iname "gson*.jar" -print
            /opt/atlassian/jira/servicedesk/current/atlassian-jira/WEB-INF/lib/gson-2.3.1.jar
            #

            Herenkovics, Peter added a comment - edited

            Can you confirm whether JSM 5.2.0 is affected or not?

            I have the same problem with understanding like comment: https://jira.atlassian.com/browse/JSDSERVER-14007?focusedId=3340454&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-3340454

            JSM 5.2.0 is using gson-2.3.1:

            $ find|grep gson-.*.jar
            ./atlassian-jira/WEB-INF/lib/gson-2.3.1.jar
            

            And the description above gives the idea that anything before 2.8.9 is insecure:

            The National Vulnerability Database provides the following description for this vulnerability: The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

            Update - info from Atlassian:

            For each Jira application/plugin you will need to check its .jar file for the used version of the affected gson library:

            ubuntu@ip-10-227-29-68:~/jira/plugins/installed-plugins$ for i in *.jar; do if unzip -l "$i" | grep -n "gson"; then echo "$i"; fi; done
            
            111:   241622  2022-08-12 13:57   META-INF/lib/gson-2.8.5.jar
            incident-management-plugin-5.2.0-REL-0002.jar
            4756:   258075  2022-08-12 04:42   META-INF/lib/gson-2.8.9.jar
            insight-10.0.13.jar
            133:   241622  2022-08-12 13:57   META-INF/lib/gson-2.8.5.jar
            jira-email-processor-plugin-5.2.0-REL-0002.jar
            1088:   241622  2022-08-12 13:57   META-INF/lib/gson-2.8.5.jar
            jira-servicedesk-5.2.0-REL-0002.jar
            49:   210856  2022-08-12 13:58   META-INF/lib/gson-2.3.1.jar
            psmq-plugin-5.2.0-REL-0002.jar
            162:   241622  2022-08-12 13:57   META-INF/lib/gson-2.8.5.jar
            servicedesk-automation-modules-plugin-5.2.0-REL-0002.jar
            615:   231952  2022-08-12 13:58   META-INF/lib/gson-2.7.jar
            servicedesk-automation-plugin-5.2.0-REL-0002.jar
            136:   241622  2022-08-12 13:57   META-INF/lib/gson-2.8.5.jar
            servicedesk-canned-responses-plugin-5.2.0-REL-0002.jar
            56:   241622  2022-08-12 13:57   META-INF/lib/gson-2.8.5.jar
            servicedesk-internal-base-plugin-5.2.0-REL-0002.jar 

            For the fixed JSM release (like 5.11) this library has been upgraded to 2.10.1 version:

            67:   283367  2023-08-28 15:13   META-INF/lib/gson-2.10.1.jar
            incident-management-plugin-5.11.0-REL-0003.jar
            1737:   283367  2023-08-17 09:44   META-INF/lib/gson-2.10.1.jar
            insight-10.11.1.jar
            107:   283367  2023-08-28 15:13   META-INF/lib/gson-2.10.1.jar
            jira-email-processor-plugin-5.11.0-REL-0003.jar
            3294:   283367  2023-08-28 15:13   META-INF/lib/gson-2.10.1.jar
            jira-servicedesk-5.11.0-REL-0003.jar
            33:   283367  2023-08-28 15:13   META-INF/lib/gson-2.10.1.jar
            psmq-plugin-5.11.0-REL-0003.jar
            186:   283367  2023-08-28 15:13   META-INF/lib/gson-2.10.1.jar
            servicedesk-automation-modules-plugin-5.11.0-REL-0003.jar
            1076:   283367  2023-08-28 15:13   META-INF/lib/gson-2.10.1.jar
            servicedesk-automation-plugin-5.11.0-REL-0003.jar
            131:   283367  2023-08-28 15:13   META-INF/lib/gson-2.10.1.jar
            servicedesk-canned-responses-plugin-5.11.0-REL-0003.jar
            57:   283367  2023-08-28 15:13   META-INF/lib/gson-2.10.1.jar
            servicedesk-internal-base-plugin-5.11.0-REL-0003.jar 

             

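The check described in the comments above (list each plugin jar with `unzip -l` and grep for gson, and look for a bare gson jar under WEB-INF/lib), written out as a script. This is an added example, not code from the Jira issue or from Atlassian. It scans the directories named in the comments (the install directory's `atlassian-jira/WEB-INF/lib`, and `plugins/installed-plugins` under the local home and, if set, the shared home; the default paths are assumptions taken from the comments and can be overridden with environment variables), extracts every gson version it finds, whether bundled inside a plugin or sitting as a bare jar, and compares it numerically against 2.8.9, the first fixed gson release named in the NVD text on this page. Numeric comparison matters because the fixed JSM releases ship gson 2.10.1, which a plain string sort would rank below 2.8.9. The `unzip -l` listing in `sample_listing` is constructed for the example.

```shell
#!/bin/sh
# Added example (not Atlassian's code): find gson jars under a JSM install and
# flag every version below the first fixed release named in the NVD text.
GSON_FIXED="2.8.9"

# Compare two dotted versions numerically; prints -1, 0 or 1.
# A string compare would put 2.10.1 before 2.8.9, so each component is compared as a number.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# Exit 0 when the given gson version is below GSON_FIXED.
is_vulnerable_gson() {
    [ "$(vercmp "$1" "$GSON_FIXED")" -lt 0 ]
}

# Read an `unzip -l` listing (or any list of paths) on stdin and print the version of
# every gson-<version>.jar entry, e.g. "META-INF/lib/gson-2.8.5.jar" -> "2.8.5".
gson_versions_from_listing() {
    sed -n 's/.*gson-\([0-9][0-9.]*\)\.jar.*/\1/p'
}

# Read a listing on stdin; print "VULNERABLE <ver>" or "fixed <ver>" for each gson jar found.
classify_listing() {
    gson_versions_from_listing | while read -r v; do
        if is_vulnerable_gson "$v"; then
            printf 'VULNERABLE %s\n' "$v"
        else
            printf 'fixed %s\n' "$v"
        fi
    done
}

# Scan one directory: bare gson jars in the directory itself (e.g. WEB-INF/lib)
# and gson jars bundled inside plugin jars (META-INF/lib/gson-*.jar).
scan_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "skip (not found): $dir"; return 0; }
    for jar in "$dir"/*.jar; do
        [ -e "$jar" ] || continue
        {
            printf '%s\n' "$jar"          # catches a bare gson-x.y.z.jar
            unzip -l "$jar" 2>/dev/null   # catches gson bundled inside a plugin
        } | classify_listing | sed "s|\$|  $jar|"
    done
}

# Constructed sample in the shape `unzip -l` prints, used to demonstrate the parser.
sample_listing() {
    cat <<'EOF'
Archive:  jira-servicedesk-5.2.0-REL-0002.jar
  Length      Date    Time    Name
---------  ---------- -----   ----
      512  2022-08-12 13:57   META-INF/MANIFEST.MF
   241622  2022-08-12 13:57   META-INF/lib/gson-2.8.5.jar
EOF
}

# Default paths are assumptions taken from the comments on this issue; override via env vars.
JIRA_INSTALL="${JIRA_INSTALL:-/opt/atlassian/jira/servicedesk/current}"
JIRA_HOME="${JIRA_HOME:-/opt/atlassian/jira/servicedesk/application-data/jira}"
JIRA_SHARED_HOME="${JIRA_SHARED_HOME:-}"

scan_dir "$JIRA_INSTALL/atlassian-jira/WEB-INF/lib"
scan_dir "$JIRA_HOME/plugins/installed-plugins"
if [ -n "$JIRA_SHARED_HOME" ]; then
    scan_dir "$JIRA_SHARED_HOME/plugins/installed-plugins"
fi
```

Run it as the Jira service user on each node, setting `JIRA_SHARED_HOME` on Data Center so the second `installed-plugins` folder mentioned above is covered. Each output line names the status, the gson version and the jar it came from, so a plugin that still bundles an old gson stands out even when the release notes say the version is fixed.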

            Remigijus added a comment -

            We have Jira DC software on 9.9.1 version (and JSM on 5.9.1 likewise, installed via 'Versions & Licenses' after JSW upgrade)

            Is it OK to update only JSM to 5.9.2 (and leave JSW on 9.9.1)? 

            Just to mitigate this vulnerability situation...

            No version clash between these 2?


            Noel John added a comment -

            Echoing Patrick's comments: is JSM 5.6.0 affected? Was this fix implemented on 5.4.9+ but not 5.6.x?

            Sanaa Marmar added a comment -

            All versions of Jira Service Management Data Center and Server 4.20.x, including 4.20.25, use the same jar file gson-2.3.1.jar.

            Am I missing something?!

            Patrick Eves added a comment - edited

            Not fully understanding the affected versions.  Is JSM Server 5.6.0 affected?


            Müller, Stephan added a comment -

            Hi,

            in contrast to the other recent advisories, this one is missing a hint about authenticated/unauthenticated attackers.

            Can you please clarify this?

            Roberto Martignano added a comment -

            Does the vulnerability affect JSM projects, or is it sufficient to have JSM installed to be vulnerable?

            Thank you!

              Assignee: Unassigned
              Reporter: Security Metrics Bot (security-metrics-bot)
              Votes: 0
              Watchers: 33