-
Public Security Vulnerability
-
Resolution: Fixed
-
Highest (View bug fix roadmap)
-
9.4.0, (22)
9.5.0, 9.4.1, 9.6.0, 9.5.1, 9.4.2, 9.4.3, 9.7.0, 9.4.4, 9.8.0, 9.4.5, 9.9.0, 9.4.6, 9.4.7, 9.10.0, 9.4.8, 9.11.0, 9.4.9, 9.4.10, 9.11.1, 9.4.11, 9.10.2, 9.4.12 -
None
-
9.8
-
Critical
-
CVE-2022-1471
-
Atlassian (Internal)
-
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-
RCE (Remote Code Execution)
-
Jira Core Data Center, Jira Core Server, Jira Software Data Center, Jira Software Server
Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).
Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Affected Versions
| Product | Affected Versions |
|---|---|
| Jira Core Data Center and Server Jira Software Data Center and Server |
|
| Automation for Jira (A4J) Marketplace App |
|
Fixed Versions
| Product | Fixed Versions |
|---|---|
| Jira Software Data Center and Server Jira Core Data Center and Server |
Patch to the following fixed versions or later 9.11.2 9.12.0 9.4.14 Mitigation(s): If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).  See breaking changes in A4J 9.0+ for more info (also bundled with Jira 9.11+) |
| Automation for Jira (A4J) Marketplace App | Patch to the following fixed versions or later 9.0.2 8.2.4 Upgrade via the Universal Plugin Manager (UPM). See breaking changes in A4J 9.0+ for more info. |
For full descriptions of the above versions of Jira Data Center and Server, see the release notes. You can download the latest version of Jira Data Center and Server from the download center.
For additional details, please see the full advisory.
Support
Comments on this ticket are not monitored. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JSWSERVER-24756] RCE (Remote Code Execution) in - CVE-2022-1471
| Comment |
[ Hello Atlassian Support,
I assume that affected A4J versions <= 8.2.2 also includes any 7.x versions, is that correct? ] |
| Description |
Original:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Core Data Center and Server Jira Software Data Center and Server| * 9.4.0 * 9.4.1 * 9.4.2 * 9.4.3 * 9.4.4 * 9.4.5 * 9.4.6 * 9.4.7 * 9.4.8 * 9.4.9 * 9.4.10 * 9.4.11 * 9.4.12 * 9.5.x * 9.6.x * 9.7.x * 9.8.x * 9.9.x * 9.10.x * 9.11.0 * 9.11.1| |Automation for Jira (A4J) Marketplace App| * 9.0.1 * 9.0.0 * <= 8.2.2| h2. Fixed Versions ||Product||Fixed Versions|| |Jira Software Data Center and Server Jira Core Data Center and Server|*Patch to the following fixed versions or later* 9.11.2 9.12.0 9.4.14 *Mitigation(s):* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). *(!)* See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [Jira 9.11+|https://confluence.atlassian.com/jirasoftware/jira-software-9-11-x-release-notes-1272283668.html#JiraSoftware9.11.xreleasenotes-jira-allowlist])| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.| For full descriptions of the above versions of Jira Data Center and Server, see the [release notes|https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html]. You can download the latest version of Jira Data Center and Server from the [download center|https://www.atlassian.com/software/jira/download-archives]. For additional details, please see the [full advisory.|https://confluence.atlassian.com/pages/viewpage.action?pageId=1296171009] |
New:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Core Data Center and Server Jira Software Data Center and Server| * 9.4.0 * 9.4.1 * 9.4.2 * 9.4.3 * 9.4.4 * 9.4.5 * 9.4.6 * 9.4.7 * 9.4.8 * 9.4.9 * 9.4.10 * 9.4.11 * 9.4.12 * 9.5.x * 9.6.x * 9.7.x * 9.8.x * 9.9.x * 9.10.x * 9.11.0 * 9.11.1| |Automation for Jira (A4J) Marketplace App| * 9.0.1 * 9.0.0 * <= 8.2.2| h2. Fixed Versions ||Product||Fixed Versions|| |Jira Software Data Center and Server Jira Core Data Center and Server|*Patch to the following fixed versions or later* 9.11.2 9.12.0 9.4.14 *Mitigation(s):* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). *(!)* See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [Jira 9.11+|https://confluence.atlassian.com/jirasoftware/jira-software-9-11-x-release-notes-1272283668.html#JiraSoftware9.11.xreleasenotes-jira-allowlist])| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.| For full descriptions of the above versions of Jira Data Center and Server, see the [release notes|https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html]. You can download the latest version of Jira Data Center and Server from the [download center|https://www.atlassian.com/software/jira/download-archives]. For additional details, please see the [full advisory.|https://confluence.atlassian.com/pages/viewpage.action?pageId=1296171009] h4. Support Comments on this ticket are not monitored. If you have questions or concerns regarding this advisory, please raise a support request at [https://support.atlassian.com/]. |
| Remote Link | New: This issue links to "Page (Confluence)" [ 846287 ] |
| Resolution | New: Fixed [ 1 ] | |
| Security | Original: Atlassian Staff [ 10750 ] | |
| Status | Original: Draft [ 12872 ] | New: Published [ 12873 ] |
| Affects Version/s | Original: 9.4.14 [ 106446 ] | |
| Affects Version/s | New: 9.4.12 [ 106142 ] |
| Affects Version/s | Original: 9.4.12 [ 106142 ] | |
| Affects Version/s | New: 9.4.14 [ 106446 ] |
| Description |
Original:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Core Data Center and Server Jira Software Data Center and Server| * 9.4.0 * 9.4.1 * 9.4.2 * 9.4.3 * 9.4.4 * 9.4.5 * 9.4.6 * 9.4.7 * 9.4.8 * 9.4.9 * 9.4.10 * 9.4.11 * 9.4.12 * 9.5.x * 9.6.x * 9.7.x * 9.8.x * 9.9.x * 9.10.x * 9.11.0 * 9.11.1| |Automation for Jira (A4J) Marketplace App| * 9.0.1 * 9.0.0 * <= 8.2.2| h2. Fixed Versions ||Product||Fixed Versions|| |Jira Software Data Center and Server Jira Core Data Center and Server|*Patch to the following fixed versions or later* 9.11.2 9.12.0 9.4.13 *Mitigation(s):* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). *(!)* See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [Jira 9.11+|https://confluence.atlassian.com/jirasoftware/jira-software-9-11-x-release-notes-1272283668.html#JiraSoftware9.11.xreleasenotes-jira-allowlist])| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.| For full descriptions of the above versions of Jira Data Center and Server, see the [release notes|https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html]. You can download the latest version of Jira Data Center and Server from the [download center|https://www.atlassian.com/software/jira/download-archives]. For additional details, please see the [full advisory.|https://confluence.atlassian.com/pages/viewpage.action?pageId=1296171009] |
New:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Core Data Center and Server Jira Software Data Center and Server| * 9.4.0 * 9.4.1 * 9.4.2 * 9.4.3 * 9.4.4 * 9.4.5 * 9.4.6 * 9.4.7 * 9.4.8 * 9.4.9 * 9.4.10 * 9.4.11 * 9.4.12 * 9.5.x * 9.6.x * 9.7.x * 9.8.x * 9.9.x * 9.10.x * 9.11.0 * 9.11.1| |Automation for Jira (A4J) Marketplace App| * 9.0.1 * 9.0.0 * <= 8.2.2| h2. Fixed Versions ||Product||Fixed Versions|| |Jira Software Data Center and Server Jira Core Data Center and Server|*Patch to the following fixed versions or later* 9.11.2 9.12.0 9.4.14 *Mitigation(s):* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). *(!)* See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [Jira 9.11+|https://confluence.atlassian.com/jirasoftware/jira-software-9-11-x-release-notes-1272283668.html#JiraSoftware9.11.xreleasenotes-jira-allowlist])| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.| For full descriptions of the above versions of Jira Data Center and Server, see the [release notes|https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html]. You can download the latest version of Jira Data Center and Server from the [download center|https://www.atlassian.com/software/jira/download-archives]. For additional details, please see the [full advisory.|https://confluence.atlassian.com/pages/viewpage.action?pageId=1296171009] |
| Fix Version/s | Original: 9.4.13 [ 106313 ] | |
| Fix Version/s | New: 9.4.14 [ 106446 ] |
| Description |
Original:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Core Data Center and Server Jira Software Data Center and Server| * 9.4.0 * 9.4.1 * 9.4.2 * 9.4.3 * 9.4.4 * 9.4.5 * 9.4.6 * 9.4.7 * 9.4.8 * 9.4.9 * 9.4.10 * 9.4.11 * 9.4.12 * 9.5.x * 9.6.x * 9.7.x * 9.8.x * 9.9.x * 9.10.x * 9.11.0 * 9.11.1| |Automation for Jira (A4J) Marketplace App| * 9.0.1 * 9.0.0 * <= 8.2.2| h2. Fixed Versions ||Product||Fixed Versions|| |Jira Software Data Center and Server Jira Core Data Center and Server|*Patch to the following fixed versions or later* 9.11.2 or later 9.12.0 or later 9.4.13 or later *Mitigation(s):* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). *(!)* See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [Jira 9.11+|https://confluence.atlassian.com/jirasoftware/jira-software-9-11-x-release-notes-1272283668.html#JiraSoftware9.11.xreleasenotes-jira-allowlist])| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 or later 8.2.4 8.2.3 Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.| For full descriptions of the above versions of Jira Data Center and Server, see the [release notes|https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html]. You can download the latest version of Jira Data Center and Server from the [download center|https://www.atlassian.com/software/jira/download-archives]. For additional details, please see the [full advisory.|https://confluence.atlassian.com/pages/viewpage.action?pageId=1296171009] |
New:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Core Data Center and Server Jira Software Data Center and Server| * 9.4.0 * 9.4.1 * 9.4.2 * 9.4.3 * 9.4.4 * 9.4.5 * 9.4.6 * 9.4.7 * 9.4.8 * 9.4.9 * 9.4.10 * 9.4.11 * 9.4.12 * 9.5.x * 9.6.x * 9.7.x * 9.8.x * 9.9.x * 9.10.x * 9.11.0 * 9.11.1| |Automation for Jira (A4J) Marketplace App| * 9.0.1 * 9.0.0 * <= 8.2.2| h2. Fixed Versions ||Product||Fixed Versions|| |Jira Software Data Center and Server Jira Core Data Center and Server|*Patch to the following fixed versions or later* 9.11.2 9.12.0 9.4.13 *Mitigation(s):* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). *(!)* See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [Jira 9.11+|https://confluence.atlassian.com/jirasoftware/jira-software-9-11-x-release-notes-1272283668.html#JiraSoftware9.11.xreleasenotes-jira-allowlist])| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.| For full descriptions of the above versions of Jira Data Center and Server, see the [release notes|https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html]. You can download the latest version of Jira Data Center and Server from the [download center|https://www.atlassian.com/software/jira/download-archives]. For additional details, please see the [full advisory.|https://confluence.atlassian.com/pages/viewpage.action?pageId=1296171009] |
| Affects Version/s | Original: 9.10.1 [ 105527 ] | |
| Affects Version/s | New: 9.7.0 [ 104696 ] | |
| Affects Version/s | New: 9.8.0 [ 104611 ] | |
| Affects Version/s | New: 9.9.0 [ 104897 ] |