• 9.8
    • Critical
    • CVE-2022-1471
    • Atlassian (Internal)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • RCE (Remote Code Execution)
    • Jira Core Data Center, Jira Core Server, Jira Software Data Center, Jira Software Server

      Summary of Vulnerability

      Multiple Atlassian Data Center and Server products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).

      Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

      Affected Versions

      Product: Jira Core Data Center and Server; Jira Software Data Center and Server
      Affected Versions:
      • 9.4.0
      • 9.4.1
      • 9.4.2
      • 9.4.3
      • 9.4.4
      • 9.4.5
      • 9.4.6
      • 9.4.7
      • 9.4.8
      • 9.4.9
      • 9.4.10
      • 9.4.11
      • 9.4.12
      • 9.5.x
      • 9.6.x
      • 9.7.x
      • 9.8.x
      • 9.9.x
      • 9.10.x
      • 9.11.0
      • 9.11.1

      Product: Automation for Jira (A4J) Marketplace App
      Affected Versions:
      • 9.0.1
      • 9.0.0
      • <= 8.2.2

      Fixed Versions


      Product: Jira Software Data Center and Server; Jira Core Data Center and Server
      Fixed Versions: patch to the following fixed versions or later
      • 9.11.2
      • 9.12.0
      • 9.4.14

      Mitigation(s): If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). See breaking changes in A4J 9.0+ for more info (A4J is also bundled with Jira 9.11+).

      Product: Automation for Jira (A4J) Marketplace App
      Fixed Versions: patch to the following fixed versions or later
      • 9.0.2
      • 8.2.4

      Upgrade via the Universal Plugin Manager (UPM). See breaking changes in A4J 9.0+ for more info.
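      As an added check that is not part of the Atlassian advisory, the following Python script encodes the Affected and Fixed tables above and reports whether a given Jira Data Center/Server version, optionally together with the installed A4J app version, is affected, fixed, or mitigated by a fixed A4J app. The "not listed" bucket for versions that appear in neither table (for example Jira 9.4.13 or A4J 8.2.3), and the rule that the A4J version decides for Jira lines outside the affected table (following the Atlassian FAQ answer quoted in the comments below), are this example's own assumptions.

```python
"""Classify Jira Data Center/Server and Automation for Jira (A4J) versions
against the Affected/Fixed tables of the CVE-2022-1471 advisory.

The version boundaries below are copied from the advisory text. The status
strings, the 'not listed' bucket (versions in neither table) and the
combination rule in overall_status() are this example's own assumptions.
"""

from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '9.4.14' into (9, 4, 14); short strings are padded ('9.5' -> (9, 5, 0)).
    Pre-release tags such as '-rc1' are rejected rather than guessed at."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def jira_status(version: str) -> str:
    """Jira Core/Software Data Center and Server.

    Affected table: 9.4.0 .. 9.4.12, 9.5.x .. 9.10.x, 9.11.0, 9.11.1
    Fixed table:    9.4.14, 9.11.2, 9.12.0 ('or later')
    Anything else (including the 8.x lines) is reported as 'not listed'."""
    v = parse_version(version)
    mm = v[:2]  # (major, minor)
    if (mm == (9, 4) and v[2] <= 12) or (9, 5) <= mm <= (9, 10) or (mm == (9, 11) and v[2] <= 1):
        return "affected"
    if (mm == (9, 4) and v[2] >= 14) or (mm == (9, 11) and v[2] >= 2) or mm >= (9, 12):
        return "fixed"
    return "not listed"


def a4j_status(version: str) -> str:
    """Automation for Jira (A4J) Marketplace app.

    Affected table: <= 8.2.2, 9.0.0, 9.0.1
    Fixed table:    8.2.4 and 9.0.2 ('or later')"""
    v = parse_version(version)
    mm = v[:2]
    if mm < (8, 2) or (mm == (8, 2) and v[2] <= 2) or (mm == (9, 0) and v[2] <= 1):
        return "affected"
    if (mm == (8, 2) and v[2] >= 4) or v >= (9, 0, 2):
        return "fixed"
    return "not listed"


def overall_status(jira_version: str, a4j_version: Optional[str] = None) -> str:
    """Combine both checks the way the advisory's mitigation text describes:
    an affected Jira is fully mitigated by a fixed A4J app. For Jira lines not
    in the affected table (e.g. 8.20 LTS) the Atlassian FAQ says exposure depends
    on a separately installed A4J, so the A4J version decides when supplied.
    An A4J version in neither table is treated conservatively as not mitigating."""
    j = jira_status(jira_version)
    if j == "fixed":
        return "fixed"
    if a4j_version is None:
        return "affected" if j == "affected" else "not listed (check installed A4J version)"
    a = a4j_status(a4j_version)
    if j == "affected":
        return "mitigated (A4J fixed)" if a == "fixed" else "affected"
    return a  # Jira version not in the tables: the A4J version decides


if __name__ == "__main__":
    # Constructed sample inputs, not data from any real instance.
    for jira, a4j in (("9.4.12", None), ("9.4.12", "9.0.2"), ("8.20.10", "8.1.0"), ("9.12.0", None)):
        print(f"Jira {jira:>8}  A4J {str(a4j):>6}  ->  {overall_status(jira, a4j)}")
```

      Run it with the Jira version from the footer of your instance and the A4J version shown in the Universal Plugin Manager; an "affected" result means patching Jira or upgrading A4J per the tables above is still outstanding.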


      For full descriptions of the above versions of Jira Data Center and Server, see the release notes. You can download the latest version of Jira Data Center and Server from the download center.


      For additional details, please see the full advisory.

      Support

      Comments on this ticket are not monitored. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/

            [JSWSERVER-24756] RCE (Remote Code Execution) in - CVE-2022-1471

            Aleksandar Josic added a comment -

            Hi Atlassian Support,

            As I previously reported, the RNs for LTS v9.4 are empty of what has been fixed! See for example the RN for v9.4.14: https://confluence.atlassian.com/jirasoftware/issues-resolved-in-9-4-14-1319576657.html

            Roberts Jacmenkins added a comment -

            Hello Atlassian Support,

            I want to clarify something for this security vulnerability. To exploit this vulnerability, does a user have to have access to Jira, or can this issue be exploited without having access to Jira (without a Jira user)?

            Niranjan added a comment -

            Dear Atlassian Support,

            These mitigation steps, or the workaround, are slightly ambiguous:

            "If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM)."

            Could you kindly confirm if the issue is related to A4J only or to Jira Software as well? If disabling/upgrading the plugin can mitigate the issue completely, why would we have Jira Software listed as an impacted product? Would it not make sense to mention only A4J as the affected product?

            Hua Soon SIM [Akeles] added a comment -

            Hi Simone Zoli,

            I checked and found this at https://confluence.atlassian.com/kb/faq-for-cve-2022-1471-1295810798.html

            We are on the supported 8.20 LTS version of Jira, are we impacted?

            8.20.X LTS versions of Jira are not affected since A4J wasn't bundled until version 9+.
            That said, if you separately installed A4J, there is a potential you are using a vulnerable version.

            Hope it helps.

            anya.bilmes added a comment -

            Hello support,

            What could be causing the Automation for Jira plugin to stop working after patching to Jira version 9.4.14?

            Zach Foust added a comment -

            It would be really nice to get definitive confirmation that versions 8.x.x aren't impacted.

            Simone Zoli added a comment -

            Hello,

            can you confirm that 8.x.x instances are not affected by the CVE?

            Aleksandar Josic added a comment -

            Hello support,

            Please fix the RNs for LTS 9.4.x, as what is fixed in each patch is missing as of today, December 6th, 2023.

            For example, what issues are fixed in LTS v9.4.14 is completely missing.

            Marek Pytel added a comment -

            Dear Atlassian Support,
            If you have A4J installed but disabled (for now still on a SERVER license, so not able to use it; still assessing if it is useful for our case when we move on to a DATACENTER license), are you still affected by this CVE?

              Assignee: Unassigned
              Reporter: Security Metrics Bot (security-metrics-bot)
              Votes: 0
              Watchers: 29