[JSDSERVER-15248] Denial of Service (DoS) com.nimbusds:nimbus-jose-jwt dependency in Jira Service Management Data Center and Server

Type: Public Security Vulnerability
Resolution: Fixed
Priority: High
Fix Version/s: 5.12.6, 5.4.19
Affects Version/s: 5.4.0, 5.11.0, 5.12.0
Component/s: None
Labels:
None

CVSS Score:
7.5
CVSS Severity:
High
CVE ID:
CVE-2023-52428
Vulnerability Source:
Atlassian (Internal)
CVSSv3 Vector:
N/A
Vulnerability Classes:

DoS (Denial of Service)
Affected Product(s):

Jira Service Management Data Center, Jira Service Management Server

This High severity com.nimbusds:nimbus-jose-jwt Dependency vulnerability was introduced in 5.4, 5.11, and 5.12 of Jira Service Management Data Center and Server.

Note: NVD Analysts have not published a CVSS score for this CVE at this time. NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings.

Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

Affected versions	Fixed versions
from 5.12.0 LTS to 5.12.5 LTS	5.12.6 LTS recommended
from 5.11.0 to 5.11.3	5.12.6 LTS recommended
from 5.10.0 to 5.10.2	5.12.6 LTS recommended
from 5.9.0 to 5.9.2	5.12.6 LTS recommended
from 5.8.0 to 5.8.2	5.12.6 LTS recommended
from 5.7.0 to 5.7.2	5.12.6 LTS recommended
from 5.6.0 to 5.6.2	5.12.6 LTS recommended
from 5.5.0 to 5.5.1	5.12.6 LTS recommended
from 5.4.0 LTS to 5.4.18 LTS	5.12.6 LTS recommended or 5.4.19 LTS
from 5.3.0 to 5.3.1	5.12.6 LTS recommended or 5.4.19 LTS
from 5.2.0 to 5.2.1	5.12.6 LTS recommended or 5.4.19 LTS
from 5.1.0 to 5.1.1	5.12.6 LTS recommended or 5.4.19 LTS
5.0	5.12.6 LTS recommended or 5.4.19 LTS
from 4.22 to 4.22.6	5.12.6 LTS recommended or 5.4.19 LTS
Any earlier versions	5.12.6 LTS recommended or 5.4.19 LTS

See the release notes: https://confluence.atlassian.com/servicemanagement/jira-service-management-release-notes-780083086.html You can download the latest version of Jira Service Management Data Center and Server from the download center (https://www.atlassian.com/software/jira/service-management/download-archives).

The National Vulnerability Database provides the following description for this vulnerability: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

Christian Bär added a comment - 17/Apr/2024 7:55 AM

We have Jira Software 9.4.18 (therefore actually no need to upgrade) installed as the base package and Jira Service Management 5.4.18 on top of that via Applications.
Question is, if this vulnerability is only applicable if JSM is installed as the base package or also if installed via Applications?

Best regards,

Christian

Christian Bär added a comment - 17/Apr/2024 7:55 AM We have Jira Software 9.4.18 (therefore actually no need to upgrade) installed as the base package and Jira Service Management 5.4.18 on top of that via Applications. Question is, if this vulnerability is only applicable if JSM is installed as the base package or also if installed via Applications? Best regards, Christian

Ines B. added a comment - 17/Apr/2024 6:53 AM

What about 5.13.x? is not mentioned in the affected version but also not in the fixed versions. And 5.12.7?

Ines B. added a comment - 17/Apr/2024 6:53 AM What about 5.13.x? is not mentioned in the affected version but also not in the fixed versions. And 5.12.7?

Thiago Masutti added a comment - 16/Apr/2024 8:34 PM

For those relying on 5.4 LTS, the fix was delivered on 5.4.19 bugfix version.
Upgrading to version 5.4.19 or higher (such as 5.4.20) is advised.

Thiago Masutti added a comment - 16/Apr/2024 8:34 PM For those relying on 5.4 LTS, the fix was delivered on 5.4.19 bugfix version. Upgrading to version 5.4.19 or higher (such as 5.4.20) is advised.

Klara Bras added a comment - 16/Apr/2024 6:17 PM - edited

I can see that on Security bulletin main page is version 5.4.18 listed as affected by this vulnerability, but on this page it looks like it is safe. Could you please confirm that JSM 5.4.18 is alright?

Klara Bras added a comment - 16/Apr/2024 6:17 PM - edited I can see that on Security bulletin main page is version 5.4.18 listed as affected by this vulnerability, but on this page it looks like it is safe. Could you please confirm that JSM 5.4.18 is alright?

Zeerak Khurshid added a comment - 16/Apr/2024 5:12 PM

What about version 5.4.20? Are we good to move to this new version?

Zeerak Khurshid added a comment - 16/Apr/2024 5:12 PM What about version 5.4.20? Are we good to move to this new version?

Jira Service Management Data Center

Details

Description

Attachments

Forms

Activity

Collapse comment: Christian Bär added a comment - 17/Apr/2024 7:55 AM

Expand comment: Christian Bär added a comment - 17/Apr/2024 7:55 AM

Collapse comment: Ines B. added a comment - 17/Apr/2024 6:53 AM

Expand comment: Ines B. added a comment - 17/Apr/2024 6:53 AM

Collapse comment: Thiago Masutti added a comment - 16/Apr/2024 8:34 PM

Expand comment: Thiago Masutti added a comment - 16/Apr/2024 8:34 PM

Collapse comment: Klara Bras added a comment - 16/Apr/2024 6:17 PM, Edited by Klara Bras - 16/Apr/2024 6:18 PM

Expand comment: Klara Bras added a comment - 16/Apr/2024 6:17 PM, Edited by Klara Bras - 16/Apr/2024 6:18 PM

Collapse comment: Zeerak Khurshid added a comment - 16/Apr/2024 5:12 PM

Expand comment: Zeerak Khurshid added a comment - 16/Apr/2024 5:12 PM

People

Dates

Backbone Issue Sync