Uploaded image for project: 'Jira Service Management Data Center'
  1. Jira Service Management Data Center
  2. JSDSERVER-15617

Stack-based Buffer Overflow com.google.protobuf:protobuf-java Dependency in Jira Service Management Data Center and Server

XMLWordPrintable

    • Icon: Public Security Vulnerability Public Security Vulnerability
    • Resolution: Fixed
    • Icon: High High
    • 10.1.1, 5.12.14, 5.17.4
    • 5.4.0, (54)
      5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.12.0, 5.4.11, 5.13.0, 5.4.12, 5.14.0, 5.12.1, 5.4.13, 5.4.14, 5.4.15, 5.12.2, 5.13.1, 5.4.16, 5.12.3, 5.4.17, 5.12.4, 5.14.1, 10.0.0, 5.4.18, 5.12.6, 5.4.19, 5.16.0, 5.12.5, 5.4.20, 5.12.7, 5.15.2, 5.4.21, 5.12.8, 5.4.22, 5.12.9, 5.17.0, 5.16.1, 5.12.12, 5.4.23, 5.12.10, 5.12.11, 5.4.24, 5.17.1, 5.4.25, 5.4.26, 5.12.13, 5.17.2, 10.0.1, 5.4.27, 5.17.3
    • None
    • None
    • 7.5
    • High
    • CVE-2024-7254
    • Atlassian (Internal)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    • Other
    • Jira Service Management Data Center
    • High
    • Jira Service Management Data Center

      This High severity Stack-based Buffer Overflow vulnerability was introduced in version 5.12.0 of Jira Service Management Data Center and Server.

      This Stack-based Buffer Overflow vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to impact service availability, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.

      Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

      Affected Versions Fix Versions
      from 10.0.0 to 10.0.1 10.1.1
      from 5.17.0 to 5.17.3 5.17.4
      from 5.16.0 to 5.16.1  
      5.15.2  
      from 5.14.0 to 5.14.1  
      from 5.13.0 to 5.13.1  
      from 5.12.0 to 5.12.13 LTS 5.12.14
      from 5.4.0 to 5.4.27  

      You can download the latest version of Jira Service Management Data Center and Server from the download center ([https://www.atlassian.com/software/jira/service-management/download-archives]).

      This vulnerability was reported via our Bug Bounty program.

          Form Name

            [JSDSERVER-15617] Stack-based Buffer Overflow com.google.protobuf:protobuf-java Dependency in Jira Service Management Data Center and Server

            Marcin Oles made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 994173 ]
            Marcin Oles made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 992020 ]

            Nadja Langer added a comment -

            a64d184ae8e6 1eb1d8553901 

            What about the 5.4?
            Because of a bug in an app we can't "quickly” switch to 5.12.

            Nadja Langer added a comment - a64d184ae8e6 1eb1d8553901   What about the 5.4? Because of a bug in an app we can't "quickly” switch to 5.12.

            Tim Eddelbüttel added a comment - - edited

            It looks like this was introduced in 5.4.0 why is there no back-port to 5.4.x which is still a valid LTS release?

            As 5.4.0 is listed as affected version and searched for imports from that library in the source code (atlassian-jira-servicedesk-5.4.0-source) and i only found this annotation in 2 classes:

            import com.google.protobuf.ExperimentalApi;

            The corresponding NVD article (https://nvd.nist.gov/vuln/detail/CVE-2024-7254) has the following description:

            Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

            4 JSM related libraries have a Maven dependency but don't have any imports.

            Would be great to have some more details here if there is really a risk or just "we had this dependency but we're not affected by anything"?

            Tim Eddelbüttel added a comment - - edited It looks like this was introduced in 5.4.0 why is there no back-port to 5.4.x which is still a valid LTS release? As 5.4.0 is listed as affected version and searched for imports from that library in the source code (atlassian-jira-servicedesk-5.4.0-source) and i only found this annotation in 2 classes: import com.google.protobuf.ExperimentalApi; The corresponding NVD article ( https://nvd.nist.gov/vuln/detail/CVE-2024-7254 ) has the following description: Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. 4 JSM related libraries have a Maven dependency but don't have any imports. Would be great to have some more details here if there is really a risk or just "we had this dependency but we're not affected by anything"?
            Yann made changes -
            Affects Version/s New: 5.4.0 [ 102903 ]
            Affects Version/s New: 5.4.1 [ 103991 ]
            Affects Version/s New: 5.4.2 [ 104393 ]
            Affects Version/s New: 5.4.3 [ 104315 ]
            Affects Version/s New: 5.4.4 [ 104715 ]
            Affects Version/s New: 5.4.5 [ 104361 ]
            Affects Version/s New: 5.4.6 [ 104663 ]
            Affects Version/s New: 5.4.7 [ 105290 ]
            Affects Version/s New: 5.4.8 [ 105339 ]
            Affects Version/s New: 5.4.9 [ 105515 ]
            Affects Version/s New: 5.4.10 [ 105719 ]
            Affects Version/s New: 5.4.11 [ 105755 ]
            Affects Version/s New: 5.4.12 [ 106143 ]
            Affects Version/s New: 5.4.13 [ 106413 ]
            Affects Version/s New: 5.4.14 [ 106507 ]
            Affects Version/s New: 5.4.15 [ 106514 ]
            Affects Version/s New: 5.4.16 [ 106539 ]
            Affects Version/s New: 5.4.17 [ 106910 ]
            Affects Version/s New: 5.4.18 [ 107320 ]
            Affects Version/s New: 5.4.19 [ 107594 ]
            Affects Version/s New: 5.4.20 [ 107792 ]
            Affects Version/s New: 5.4.21 [ 108110 ]
            Affects Version/s New: 5.4.22 [ 107815 ]
            Affects Version/s New: 5.4.23 [ 108298 ]
            Affects Version/s New: 5.4.24 [ 108698 ]
            Affects Version/s New: 5.4.25 [ 108623 ]
            Affects Version/s New: 5.4.26 [ 108708 ]
            Affects Version/s New: 5.4.27 [ 108824 ]
            Yann made changes -
            Description Original: This High severity Stack-based Buffer Overflow vulnerability was introduced in version 5.12.0 of Jira Service Management Data Center and Server.

            This Stack-based Buffer Overflow vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to impact service availability, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.

            Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
            ||Affected Versions||Fix Versions||
            |from 10.0.0 to 10.0.1|10.1.1|
            |from 5.17.0 to 5.17.3|5.17.4|
            |from 5.16.0 to 5.16.1| |
            |5.15.2| |
            |from 5.14.0 to 5.14.1| |
            |from 5.13.0 to 5.13.1| |
            |from 5.12.0 to 5.12.13 LTS|5.12.14|

            You can download the latest version of Jira Service Management Data Center and Server from the download center ([[https://www.atlassian.com/software/jira/service-management/download-archives]]).

            This vulnerability was reported via our Bug Bounty program.             		New: This High severity Stack-based Buffer Overflow vulnerability was introduced in version 5.12.0 of Jira Service Management Data Center and Server.

            This Stack-based Buffer Overflow vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to impact service availability, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.

            Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
            ||Affected Versions||Fix Versions||
            |from 10.0.0 to 10.0.1|10.1.1|
            |from 5.17.0 to 5.17.3|5.17.4|
            |from 5.16.0 to 5.16.1| |
            |5.15.2| |
            |from 5.14.0 to 5.14.1| |
            |from 5.13.0 to 5.13.1| |
            |from 5.12.0 to 5.12.13 LTS|5.12.14|
            |from 5.4.0 to 5.4.27| |

            You can download the latest version of Jira Service Management Data Center and Server from the download center ([[https://www.atlassian.com/software/jira/service-management/download-archives]]).

            This vulnerability was reported via our Bug Bounty program.
            Ivan Poletan made changes -
            Comment [ Hi,

            Just wondering if 5.4 LTS version is affected. I can see it is not mentioned but double checking as it's an earlier version compared to the ones listed.

            Thank you. ]
            prodsec-jac-bot made changes -
            Resolution New: Fixed [ 1 ]
            Security Original: Atlassian Staff [ 10750 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            David Detweiler made changes -
            Comment [ Relates to: [https://asecurityteam.atlassian.net/browse/VULN-1431700] ]
            David Detweiler made changes -
            Description Original: This High severity Stack-based Buffer Overflow vulnerability was introduced in version 5.12.14 of Jira Service Management Data Center and Server.

            This Stack-based Buffer Overflow vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to impact service availability, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.

            Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
            ||Affected Versions||Fix Versions||
            |from 10.0.0 to 10.0.1|10.1.1|
            |from 5.17.0 to 5.17.3|5.17.4|
            |from 5.16.0 to 5.16.1| |
            |5.15.2| |
            |from 5.14.0 to 5.14.1| |
            |from 5.13.0 to 5.13.1| |
            |from 5.12.0 to 5.12.13 LTS|5.12.14|

            You can download the latest version of Jira Service Management Data Center and Server from the download center ([[https://www.atlassian.com/software/jira/service-management/download-archives]]).

            This vulnerability was reported via our Bug Bounty program.             		New: This High severity Stack-based Buffer Overflow vulnerability was introduced in version 5.12.0 of Jira Service Management Data Center and Server.

            This Stack-based Buffer Overflow vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to impact service availability, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.

            Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
            ||Affected Versions||Fix Versions||
            |from 10.0.0 to 10.0.1|10.1.1|
            |from 5.17.0 to 5.17.3|5.17.4|
            |from 5.16.0 to 5.16.1| |
            |5.15.2| |
            |from 5.14.0 to 5.14.1| |
            |from 5.13.0 to 5.13.1| |
            |from 5.12.0 to 5.12.13 LTS|5.12.14|

            You can download the latest version of Jira Service Management Data Center and Server from the download center ([[https://www.atlassian.com/software/jira/service-management/download-archives]]).

            This vulnerability was reported via our Bug Bounty program.

              Unassigned Unassigned
              a64d184ae8e6 Yann
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: