Select Page

Jira Service Management – CVE-2022-44729

Feb 5, 2024 | Atlassian, Solving Problems

KithSolvingProblems

Description and Immediate Mitigation Steps

Vulnerability Information:

    • Severity: The critical vulnerability in Atlassian Confluence is classified as “High.”
    • Versions Impacted: 4.20.05.4.05.7.05.8.05.9.05.10.05.11.05.12.0
    • SSRF (Server-Side Request Forgery)
    • CVE Identifier: The specific vulnerability is tracked as CVE-2022-44729
    • CVSS Score: Atlassian assigned a  CVSS score of 7.1 to this vulnerability, highlighting its severity. This score is due to the ability for unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, no impact to integrity, high impact to availability, and requires user interaction.
    • The vulnerability affects Apache XML Graphics Batik version 1.16, where a malicious SVG (Scalable Vector Graphics) could trigger the loading of external resources by default, leading to resource consumption or potentially even information disclosure.

Affected Versions:

    • The vulnerability impacts Jira Service Management Data CenterJira Service Management Server. 4.20.0, 5.4.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, and 5.12.0 of Jira Service Management Data Center and Server.

Recommended Actions:

    • Jira Service Management Data Center and Server customers should upgrade to the latest version.
    • If unable to upgrade to the latest version, upgrade your instance to one of the specified supported fixed versions based on your current version:
      • For Jira Service Management Data Center and Server 4.20, upgrade to a release greater than or equal to 4.20.30.
      • For Jira Service Management Data Center and Server 5.4, upgrade to a release greater than or equal to 5.4.15.
      • For Jira Service Management Data Center and Server 5.12, upgrade to a release greater than or equal to 5.12.2.

Standard Manual Upgrade Steps:

    • Notify users of outage for critical hotfixing
    • Stop services across all nodes
    • Backup existing database and shared home prior to upgrade
    • Make copies of the setenv.sh and server.xml found in the application install directories bin & conf (these hold critical settings we want to propogate again post upgrade
    • Download the hotfix from the Atlassian archives
    • Apply the upgrade, do not auto-start services
    • Copy back the setenv.sh, server.xml, and any other customized files you had to copy during the upgrade process
    • Restart services and perform smoke testing once Confluence is available

 

Conclusion:

To mitigate the high-severity SSRF vulnerability, users of Jira Service Management Data Center and Server should either upgrade to the latest version or apply the recommended fixed versions specified by Atlassian. This is crucial to protect confidentiality, availability, and prevent potential exploitation of assets in the environment.

    Here is the notice from the National Vulnerability Database

    Link to Atlassian ticket can be found here. 

    Thanks for visiting, click here to learn more about out our Atlassian Cloud Services!