Jira CVE-2022-41704 Impact and Mitigation Steps:
-
- Severity: The critical vulnerability in Atlassian Jira Software Data Center, Jira Software Server is classified as “HIGH”
- Versions Impacted: 8.20.0, 8.22.0, 8.22.1, 8.22.2, 9.0.0, 8.22.3, 9.1.0, 8.22.4, 9.2.0, 8.22.6, 9.1.1, 9.3.0, 9.4.0, 9.2.1, 9.3.1, 9.5.0, 9.3.2, 9.4.1, 9.6.0, 9.5.1, 9.4.2, 9.3.3, 9.4.3, 9.7.0, 9.4.4, 9.7.1, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.4.10, 9.7.2, 9.4.11, 9.4.12, 9.4.13, 9.4.14, 9.4.15
- Vulnerability Type: Public Security Vulnerability
- CVE Identifier: The specific vulnerability is tracked as CVE-2022-41704
- CVSS Score: Atlassian assigned a CVSS score of 7.5 to this vulnerability, highlighting its severity. This score is due to the ease with which attackers can achieve RCE in a low-complexity attack without requiring authentication.
- Affected Products: Jira Software Data Center, Jira Software Server
- This High severity Third-Party Dependency vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, and 9.7.0 of Jira Software Data Center and Server.
- This vulnerability allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, no impact to integrity, no impact to availability, and requires no user interaction.
Affected Versions:
| Affected versions | Fixed versions |
|---|---|
| 9.11.0 to 9.11.3 | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS |
| 9.10.0 to 9.10.2 | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS |
| 9.9.0 to 9.9.2 | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS |
| 9.8.0 to 9.8.2 | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS |
| 9.7.0 to 9.7.2 | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS |
| 9.6.0 | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS |
| 9.5.0 to 9.5.1 | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS |
| 9.4.0 to 9.4.15 LTS | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS or 9.4.16 LTS |
| 9.3.0 to 9.3.3 | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS or 9.4.16 LTS |
| 9.2.0 to 9.2.1 | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS or 9.4.16 LTS |
| 9.1.0 to 9.1.1 | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS or 9.4.16 LTS |
| 9.0.0 | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS or 9.4.16 LTS |
| Any earlier versions | 9.14.1 recommended or 9.14.0 or 9.12.4 LTS or 9.4.16 LTS |
Recommended Actions:
Atlassian recommends that Jira Software Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions noted in the table above.
Standard Manual Upgrade Steps:
-
- Notify users of outage for critical hotfixing
- Stop services across all nodes
- Backup existing database and shared home prior to upgrade
- Make copies of the setenv.sh and server.xml found in the application install directories bin & conf (these hold critical settings we want to propogate again post upgrade
- Download the hotfix from the Atlassian archives
- Apply the upgrade, do not auto-start services
- Copy back the setenv.sh, server.xml, and any other customized files you had to copy during the upgrade process
- Restart services and perform smoke testing once Jira is available
Conclusion:
The advisory regarding the critical Remote Code Execution (RCE) vulnerability, CVE-2022-41704, in Jira is of utmost importance. With a CVSS score of 7.5 , this vulnerability poses a significant threat, allowing unauthenticated attackers to potentially compromise Jira Software Data Center and Jira Software Servers.
To safeguard their systems and prevent the potential leakage of sensitive information and malicious attacks, all users are recommended to upgrade Jira Software Data Center and Server to latest versions.
Here is the notice from the National Vulnerability Database
Link to Atlassian ticket can be found here.
Thanks for visiting, click here to learn more about out our Atlassian Cloud Services!