-
Public Security Vulnerability
-
Resolution: Fixed
-
High (View bug fix roadmap)
-
9.0.0, (55)
9.1.0, 9.2.0, 9.1.1, 9.3.0, 9.4.0, 9.2.1, 9.3.1, 9.5.0, 9.3.2, 9.4.1, 9.6.0, 9.5.1, 9.4.2, 9.3.3, 9.4.3, 9.7.0, 9.4.4, 9.8.0, 9.7.1, 9.4.5, 9.9.0, 9.4.6, 9.8.1, 9.4.7, 9.10.0, 9.9.1, 9.4.8, 9.11.0, 9.4.9, 9.10.1, 9.12.0, 9.4.10, 9.11.1, 9.7.2, 9.8.2, 9.9.2, 9.11.2, 9.4.11, 9.10.2, 9.4.12, 9.11.3, 9.12.1, 9.4.13, 9.4.14, 9.4.15, 9.12.2, 9.13.1, 9.4.16, 9.13.0, 9.14.0, 9.12.3, 9.4.17, 9.12.4, 9.14.1, 9.12.5 -
None
-
7.5
-
High
-
CVE-2024-21634
-
Atlassian (Internal)
-
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-
DoS (Denial of Service)
-
Jira Software Data Center, Jira Software Server
This High severity software.amazon.ion:ion-java Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, 9.12.0, 9.13.0, and 9.14.0 of Jira Software Data Center and Server.
This software.amazon.ion:ion-java Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Jira Software Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
| Affected versions | Fixed versions |
|---|---|
| from 9.14.0 to 9.14.1 | N/A |
| from 9.13.0 to 9.13.1 | N/A |
| from 9.12.0 LTS to 9.12.5 LTS | 9.12.6 to 9.12.7 LTS recommended |
| from 9.11.0 to 9.11.3 | 9.12.6 to 9.12.7 LTS recommended |
| from 9.10.0 to 9.10.2 | 9.12.6 to 9.12.7 LTS recommended |
| from 9.9.0 to 9.9.2 | 9.12.6 to 9.12.7 LTS recommended |
| from 9.8.0 to 9.8.2 | 9.12.6 to 9.12.7 LTS recommended |
| from 9.7.0 to 9.7.2 | 9.12.6 to 9.12.7 LTS recommended |
| 9.6.0 | 9.12.6 to 9.12.7 LTS recommended |
| from 9.5.0 to 9.5.1 | 9.12.6 to 9.12.7 LTS recommended |
| from 9.4.0 LTS to 9.4.17 LTS | 9.4.18 to 9.4.20 LTS recommended 9.12.7 LTS |
| from 9.3.0 to 9.3.3 | 9.4.18 to 9.4.20 LTS recommended 9.12.7 LTS |
| from 9.2.0 to 9.2.1 | 9.4.18 to 9.4.20 LTS recommended 9.12.7 LTS |
| from 9.1.0 to 9.1.1 | 9.4.18 to 9.4.20 LTS recommended 9.12.7 LTS |
| 9.0 | 9.4.18 to 9.4.20 LTS recommended 9.12.7 LTS |
| Any earlier versions | 9.4.18 to 9.4.20 LTS recommended 9.12.7 LTS |
See the release notes (https://www.atlassian.com/software/jira/download-archives). You can download the latest version of Jira Software Data Center and Server from the download center (https://www.atlassian.com/software/jira/download-archives).
The National Vulnerability Database provides the following description for this vulnerability: Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.
[JSWSERVER-25892] DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Jira Software Data Center and Server
FYI - I have removed 9.15 from the fixed versions due to a third-party app compatibility problem, this release has been removed and shouldn't be installed. Please reach out to Atlassian Support if you have any questions.
@manuher2 @Said Kouzibry
It says all previous versions are affected:
| Any earlier versions | 9.4.18 to 9.4.20 LTS recommended 9.12.7 LTS or 9.15.0 Data Center Only |
The reason you do not see anything before v9 listed specifically is that they are all out of EOL support:
https://confluence.atlassian.com/support/atlassian-support-end-of-life-policy-201851003.html
@manuher2
Based on their description, this was introduced starting from 9.0.0, which mean versions below 9.0.0 are not affected.
However you are correct to point that out as we have contradictory information, based on which we cannot take proper action.
As usual, it would be nice to know more details. Where is ion-java used? Is it the main json processor for the REST API, or is it used in a plugin that needs to also be upgraded? Is the vulnerable library exposed to non-authenticated users?
Does Atlassian also perform it's own CVSS analysis of these vulnerabilities?
767ef7dc12e2 but this is contradictory to what's described in the issue description:
If versions < 9.0.0 haven't used this dependency at all they are not affected but this is far from clear from this ticket.