• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Highest
• Fix Version/s: 5.12.0, 5.11.2, 5.4.14
• Affects Version/s: 5.0.0, (22)
  5.4.0, 5.4.1, 5.5.0, 5.5.1, 5.4.2, 5.6.0, 5.4.3, 5.7.0, 5.4.4, 5.8.0, 5.4.5, 5.4.6, 5.9.0, 5.4.7, 5.4.8, 5.10.0, 5.4.9, 5.11.0, 5.4.10, 5.11.1, 5.4.11, 5.4.12
• Component/s: None
• Labels:

  None

[JSDSERVER-14906] RCE (Remote Code Execution) in Jira Service Management Data Center and Server - CVE-2022-1471

Collapse comment: SEBtheSaviour added a comment - 11/Dec/2023 1:47 PM

SEBtheSaviour added a comment - 11/Dec/2023 1:47 PM

Ok, how about JSM 5.1.1 and Jira/JiraCore 9.1.1? Have been tested?

Expand comment: SEBtheSaviour added a comment - 11/Dec/2023 1:47 PM

SEBtheSaviour added a comment - 11/Dec/2023 1:47 PM Ok, how about JSM 5.1.1 and Jira/JiraCore 9.1.1? Have been tested?

Matthias M made changes - 10/Dec/2023 10:23 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 846286 ]

Collapse comment: Nadine Weidlich added a comment - 06/Dec/2023 7:12 AM

Nadine Weidlich added a comment - 06/Dec/2023 7:12 AM

The Confluence page of CVE-2022-1471 states that the vulnerability can be mitigated for Jira Core, Jira Software and Jira Service Management by updating the Automation for Jira app to a fixed version. In this ticket belonging to Jira Service Management the mitigation is not listed. This raises 2 questions for me: 

1. Is there a mitigation for Jira Service Management or not?
2. Can you confirm that the vulnerability is in the Automation app and NOT in the Jira applications themselves?

Expand comment: Nadine Weidlich added a comment - 06/Dec/2023 7:12 AM

Nadine Weidlich added a comment - 06/Dec/2023 7:12 AM The Confluence page of CVE-2022-1471 states that the vulnerability can be mitigated for Jira Core, Jira Software and Jira Service Management by updating the Automation for Jira app to a fixed version. In this ticket belonging to Jira Service Management the mitigation is not listed. This raises 2 questions for me:  1. Is there a mitigation for Jira Service Management or not? 2. Can you confirm that the vulnerability is in the Automation app and NOT in the Jira applications themselves?

Collapse comment: Noni Khutane added a comment - 06/Dec/2023 7:08 AM

Noni Khutane added a comment - 06/Dec/2023 7:08 AM

Does this mean there is no mitigation for JSM?

 

This says otherwise: https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html

Expand comment: Noni Khutane added a comment - 06/Dec/2023 7:08 AM

Noni Khutane added a comment - 06/Dec/2023 7:08 AM Does this mean there is no mitigation for JSM?   This says otherwise: https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html

Gaurav Shet made changes - 06/Dec/2023 5:26 AM

Resolution		New: Fixed [ 1 ]
Security	Original: Atlassian Staff [ 10750 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

Gaurav Shet made changes - 06/Dec/2023 1:20 AM

Description

Original: h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).   (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0  * 5.4.1  * 5.4.2  * 5.4.3  * 5.4.4  * 5.4.5  * 5.4.6  * 5.4.7  * 5.4.8  * 5.4.9  * 5.4.10  * 5.4.11  * 5.4.12  * 5.5.x  * 5.6.x  * 5.7.x  * 5.8.x  * 5.9.x  * 5.10.x  * 5.11.0  * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4  *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.  | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required.|

New: h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).   (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0  * 5.4.1  * 5.4.2  * 5.4.3  * 5.4.4  * 5.4.5  * 5.4.6  * 5.4.7  * 5.4.8  * 5.4.9  * 5.4.10  * 5.4.11  * 5.4.12  * 5.5.x  * 5.6.x  * 5.7.x  * 5.8.x  * 5.9.x  * 5.10.x  * 5.11.0  * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4  *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.  | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.14 (LTS) Upgrading Jira to a fixed version is also required.|

Arshita Sandhiparthi made changes - 05/Dec/2023 9:49 PM

Fix Version/s	Original: 5.4.13 [ 106413 ]
Fix Version/s		New: 5.4.14 [ 106507 ]

Gaurav Shet made changes - 05/Dec/2023 9:46 AM

Affects Version/s	Original: 5.11.2 [ 106107 ]
Affects Version/s	Original: 5.10.2 [ 105914 ]
Affects Version/s	Original: 5.10.1 [ 105791 ]
Affects Version/s		New: 5.4.0 [ 102903 ]
Affects Version/s		New: 5.7.0 [ 104602 ]
Affects Version/s		New: 5.8.0 [ 104629 ]
Affects Version/s		New: 5.9.0 [ 104928 ]
Affects Version/s		New: 5.11.0 [ 105890 ]

Gaurav Shet made changes - 05/Dec/2023 9:35 AM

Description

Original: h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).   (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0  * 5.4.1  * 5.4.2  * 5.4.3  * 5.4.4  * 5.4.5  * 5.4.6  * 5.4.7  * 5.4.8  * 5.4.9  * 5.4.10  * 5.4.11  * 5.4.12  * 5.5.x  * 5.6.x  * 5.7.x  * 5.8.x  * 5.9.x  * 5.10.x  * 5.11.0  * 5.11.1| h2. Fixed Versions     ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4  *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.  | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required.|

New: h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).   (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0  * 5.4.1  * 5.4.2  * 5.4.3  * 5.4.4  * 5.4.5  * 5.4.6  * 5.4.7  * 5.4.8  * 5.4.9  * 5.4.10  * 5.4.11  * 5.4.12  * 5.5.x  * 5.6.x  * 5.7.x  * 5.8.x  * 5.9.x  * 5.10.x  * 5.11.0  * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4  *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.  | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required.|

Tanvir Ahmed made changes - 05/Dec/2023 9:34 AM

Description

Original: h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).   (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0  * 5.4.1  * 5.4.2  * 5.4.3  * 5.4.4  * 5.4.5  * 5.4.6  * 5.4.7  * 5.4.8  * 5.4.9  * 5.4.10  * 5.4.11  * 5.4.12  * 5.5.x  * 5.6.x  * 5.7.x  * 5.8.x  * 5.9.x  * 5.10.x  * 5.11.0  * 5.11.1| h2. Fixed Versions     ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4  *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.  | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required. *Mitigation(s)* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [JSM 5.11+|https://confluence.atlassian.com/servicemanagement/jira-service-management-5-11-x-release-notes-1252000911.html#JiraServiceManagement5.11.xreleasenotes-jira-allowlist])\| | | | |

New: h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).   (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0  * 5.4.1  * 5.4.2  * 5.4.3  * 5.4.4  * 5.4.5  * 5.4.6  * 5.4.7  * 5.4.8  * 5.4.9  * 5.4.10  * 5.4.11  * 5.4.12  * 5.5.x  * 5.6.x  * 5.7.x  * 5.8.x  * 5.9.x  * 5.10.x  * 5.11.0  * 5.11.1| h2. Fixed Versions     ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4  *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.  | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required.|

Load more older events