[JSDSERVER-14906] RCE (Remote Code Execution) in Jira Service Management Data Center and Server - CVE-2022-1471 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Highest
Fix Version/s: 5.12.0, 5.11.2, 5.4.14
Affects Version/s: 5.0.0, (22)
5.4.0, 5.4.1, 5.5.0, 5.5.1, 5.4.2, 5.6.0, 5.4.3, 5.7.0, 5.4.4, 5.8.0, 5.4.5, 5.4.6, 5.9.0, 5.4.7, 5.4.8, 5.10.0, 5.4.9, 5.11.0, 5.4.10, 5.11.1, 5.4.11, 5.4.12
Component/s: None
Labels:
None

CVSS Score:
9.8
CVSS Severity:
Critical
CVE ID:
CVE-2022-1471
Vulnerability Source:
Atlassian (Internal)
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Classes:

RCE (Remote Code Execution)
Affected Product(s):

Jira Service Management Data Center, Jira Service Management Server
Advisory URL:
https://confluence.atlassian.com/pages/viewpage.action?pageId=1296171009

Summary of Vulnerability

Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).

Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Affected Versions

Product	Affected Versions
Jira Service Management Data Center and Server	5.4.0 5.4.1 5.4.2 5.4.3 5.4.4 5.4.5 5.4.6 5.4.7 5.4.8 5.4.9 5.4.10 5.4.11 5.4.12 5.5.x 5.6.x 5.7.x 5.8.x 5.9.x 5.10.x 5.11.0 5.11.1

Fixed Versions

Product	Action
Automation for Jira (A4J) Marketplace App	Patch to the following fixed versions or later 9.0.2 8.2.4 Mitigation(s) Upgrade via the Universal Plugin Manager (UPM). See breaking changes in A4J 9.0+ for more info.
Jira Service Management Data Center and Server	Patch to the following fixed versions or later 5.11.2 5.12.0 (LTS) 5.4.14 (LTS) Upgrading Jira to a fixed version is also required.

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load

Form Name

SEBtheSaviour added a comment - 11/Dec/2023 1:47 PM

Ok, how about JSM 5.1.1 and Jira/JiraCore 9.1.1? Have been tested?

SEBtheSaviour added a comment - 11/Dec/2023 1:47 PM Ok, how about JSM 5.1.1 and Jira/JiraCore 9.1.1? Have been tested?

Nadine Weidlich added a comment - 06/Dec/2023 7:12 AM

The Confluence page of CVE-2022-1471 states that the vulnerability can be mitigated for Jira Core, Jira Software and Jira Service Management by updating the Automation for Jira app to a fixed version. In this ticket belonging to Jira Service Management the mitigation is not listed. This raises 2 questions for me:

1. Is there a mitigation for Jira Service Management or not?
2. Can you confirm that the vulnerability is in the Automation app and NOT in the Jira applications themselves?

Nadine Weidlich added a comment - 06/Dec/2023 7:12 AM The Confluence page of CVE-2022-1471 states that the vulnerability can be mitigated for Jira Core, Jira Software and Jira Service Management by updating the Automation for Jira app to a fixed version. In this ticket belonging to Jira Service Management the mitigation is not listed. This raises 2 questions for me: 1. Is there a mitigation for Jira Service Management or not? 2. Can you confirm that the vulnerability is in the Automation app and NOT in the Jira applications themselves?

Noni Khutane added a comment - 06/Dec/2023 7:08 AM

Does this mean there is no mitigation for JSM?

This says otherwise: https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html

Noni Khutane added a comment - 06/Dec/2023 7:08 AM Does this mean there is no mitigation for JSM? This says otherwise: https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html

Assignee:: Unassigned

Reporter:: Arshita Sandhiparthi

Votes:: 0 Vote for this issue

Watchers:: 15 Start watching this issue

Created:: 01/Dec/2023 7:36 PM

Updated:: 11/Dec/2023 1:47 PM

Resolved:: 06/Dec/2023 5:26 AM

Details

Description

Summary of Vulnerability

Affected Versions

Fixed Versions

Attachments

Issue Links

Forms

Activity

[JSDSERVER-14906] RCE (Remote Code Execution) in Jira Service Management Data Center and Server - CVE-2022-1471

Collapse comment: SEBtheSaviour added a comment - 11/Dec/2023 1:47 PM

Expand comment: SEBtheSaviour added a comment - 11/Dec/2023 1:47 PM

Collapse comment: Nadine Weidlich added a comment - 06/Dec/2023 7:12 AM

Expand comment: Nadine Weidlich added a comment - 06/Dec/2023 7:12 AM

Collapse comment: Noni Khutane added a comment - 06/Dec/2023 7:08 AM

Expand comment: Noni Khutane added a comment - 06/Dec/2023 7:08 AM

People

Dates

Backbone Issue Sync