Summary of this issue
Atlassian has recently identified four critical vulnerabilities affecting users of the products listed below. Each has been assigned a CVSS score of 9.0 or higher, indicating critical severity, so customers should promptly take action to secure their instances against potential threats.
We recommend that you thoroughly examine all Critical Security Advisories relevant to your Atlassian product(s). This review will confirm which of your versions are affected and provide the instructions needed to safeguard your systems. Your immediate attention to this matter will help ensure the security of your environment.
These vulnerabilities were discovered via an internal security review at Atlassian as part of ongoing continuous security assessments.
Products Impacted
Bitbucket Data Center and Server
| Impacted Versions | Recommended Action |
| --- | --- |
| 7.17.x, 7.18.x, 7.19.x, 7.20.x, 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.21.8, 7.21.9, 7.21.10, 7.21.11, 7.21.12, 7.21.13, 7.21.14, 7.21.15, 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x, 8.6.x, 8.7.x, 8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.8.5, 8.8.6, 8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.10.0, 8.10.1, 8.10.2, 8.10.3, 8.11.0, 8.11.1, 8.11.2, 8.12.0 | Patch to the following fixed versions or later: 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), 8.10.4, 8.11.3, 8.12.1, 8.13.0 |
There are no mitigations available for this vulnerability. Upgrading immediately is highly recommended.
Confluence Data Center and Server
| Impacted Versions | Recommended Action |
| --- | --- |
| 6.13.x, 6.14.x, 6.15.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x, 7.7.x, 7.8.x, 7.9.x, 7.10.x, 7.11.x, 7.12.x, 7.13.0, 7.13.1, 7.13.2, 7.13.3, 7.13.4, 7.13.5, 7.13.6, 7.13.7, 7.13.8, 7.13.9, 7.13.10, 7.13.11, 7.13.12, 7.13.13, 7.13.14, 7.13.15, 7.13.16, 7.13.17, 7.14.x, 7.15.x, 7.16.x, 7.17.x, 7.18.x, 7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 7.19.6, 7.19.7, 7.19.8, 7.19.9, 7.20.x, 8.0.x, 8.1.x, 8.2.x, 8.3.0 | Patch to the following fixed versions or later: 7.19.17 (LTS), 8.4.5, 8.5.4 (LTS), 8.6.2, 8.7.0 |
There are no mitigations available for this vulnerability. Upgrading immediately is highly recommended.
Atlassian Companion App for MacOS
| Impacted Versions | Recommended Action |
| --- | --- |
| All versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability. | Patch to the following fixed version or later: 2.0.0 |
If you are not a current Confluence Data Center and Server customer, please take action to uninstall the Atlassian Companion App.
Jira Service Management, Jira Software, Jira Core Data Center and Server
| Product | Impacted Versions | Recommended Action |
| --- | --- | --- |
| Jira Service Management | 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.4.12, 5.5.x, 5.6.x, 5.7.x, 5.8.x, 5.9.x, 5.10.x, 5.11.0, 5.11.1 | Patch to the following fixed versions or later: 5.4.13 (LTS), 5.11.2, 5.12.0 (LTS) |
| Jira Software and Jira Core | 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.4.10, 9.4.11, 9.4.12, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.x, 9.10.x, 9.11.0, 9.11.1 | Patch to the following fixed versions or later: 9.4.13 (LTS), 9.11.2, 9.12.0 (LTS) |
If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).
Jira Service Management Assets Discovery
| Product | Impacted Versions | Recommended Action |
| --- | --- | --- |
| Jira Service Management Cloud Assets Discovery | Insight Discovery 1.0 – 3.1.3; Assets Discovery 3.1.4 – 3.1.7; Assets Discovery 3.1.8-cloud – 3.1.11-cloud | Patch to the following fixed version or later: Assets Discovery 3.2.0-cloud |
| Jira Service Management DC/Server Assets Discovery | Insight Discovery 1.0 – 3.1.7; Assets Discovery 3.1.9 – 3.1.11; Assets Discovery 6.0.0 – 6.1.14, 6.1.14-jira-dc-8 | Patch to the following fixed version or later: Assets Discovery 6.2.9 |
Automation for Jira (A4J)
| Impacted Versions | Recommended Action |
| --- | --- |
| <=8.2.2, 9.0.0, 9.0.1 | Patch to the following fixed versions or later: 8.2.4, 9.0.2 |
Upgrade via the Universal Plugin Manager (UPM).
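As an added example that is not part of Atlassian's advisories or of Oxalis's own tooling, the Python below encodes the Jira Software / Jira Core and A4J rows above and reports whether a given pair of installed versions is impacted, already mitigated by the A4J upgrade described, or clear. The function names and the handling of the tables' version notation (`9.5.x`, `<=8.2.2`) are assumptions; the version lists themselves are transcribed from this page.

```python
"""Version-status check for the Jira Software / Jira Core and Automation for
Jira (A4J) tables above.  Version lists are transcribed from this page; the
function names and the handling of the table's notation are assumptions."""
import re

def parse_version(v):
    """'9.4.13' -> (9, 4, 13).  A suffix such as '-cloud' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def matches(spec, version):
    """Does a version tuple fall inside one impacted-version entry?  Entries
    use the table's notation: exact '9.11.1', wildcard '9.5.x', bound '<=8.2.2'."""
    if spec.startswith("<="):
        return version <= parse_version(spec[2:])
    if spec.endswith(".x"):
        prefix = parse_version(spec[:-2])
        return version[: len(prefix)] == prefix
    return version == parse_version(spec)

# Transcribed from the Jira Software / Jira Core and A4J rows above.
JIRA_IMPACTED = [f"9.4.{p}" for p in range(13)] + [
    "9.5.x", "9.6.x", "9.7.x", "9.8.x", "9.9.x", "9.10.x", "9.11.0", "9.11.1"]
JIRA_FIXED = ["9.4.13", "9.11.2", "9.12.0"]
A4J_IMPACTED = ["<=8.2.2", "9.0.0", "9.0.1"]
A4J_FIXED = ["8.2.4", "9.0.2"]

def is_impacted(version, impacted):
    v = parse_version(version)
    return any(matches(spec, v) for spec in impacted)

def nearest_fix(version, fixed):
    """Lowest fixed version on the same major.minor line, else the lowest
    fixed version above the installed one (None if already at or past all)."""
    v = parse_version(version)
    newer = [f for f in fixed if parse_version(f) > v]
    same_line = [f for f in newer if parse_version(f)[:2] == v[:2]]
    pool = same_line or newer
    return min(pool, key=parse_version) if pool else None

def jira_a4j_status(jira_version, a4j_version):
    """Combine both tables as the mitigation note above does: an impacted
    Jira instance whose A4J app is already at a fixed version is mitigated."""
    if not is_impacted(jira_version, JIRA_IMPACTED):
        return "not impacted"
    if not is_impacted(a4j_version, A4J_IMPACTED):
        return "mitigated via A4J"
    return (f"vulnerable: upgrade Jira to {nearest_fix(jira_version, JIRA_FIXED)}"
            f" or A4J to {nearest_fix(a4j_version, A4J_FIXED)}")
```

The same pattern extends to the other tables on this page by transcribing their rows into further impacted/fixed lists; the Assets Discovery ranges written with a dash would need an extra range form in `matches`.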
How to avoid future risks?
1. Migrate to Atlassian Cloud
At the beginning of 2021, Atlassian announced their journey to cloud, showing their dedication to the Cloud products and services. Even though they will be decommissioning their Server offering, their Data Center platform will continue to be supported. There are many considerations to take into account before deciding to migrate to Atlassian Cloud, but it is certainly worth considering, as it is clear that Atlassian is focusing their efforts towards the Cloud.
2. Stay Up To Date
Staying on the most recent version continues to be the best strategy. With stability, it can be easy to end up just staying with what works and getting out of date. For Oxalis customers on the Data Center versions of Atlassian products, we perform regular updates including emergency patching to address vulnerabilities.
3. Build Security At Depth
While implementing zero trust architectures can be challenging, choosing architectural patterns that allow for isolation and segmentation of infrastructure components both reduces the blast radius of a compromise and limits exploitation.
We’re Here To Help
If you require assistance in determining your exposure to these vulnerabilities, our award-winning team is available to provide support. Oxalis, comprising technology consultants and product leaders operating in highly regulated sectors, treats security as a fundamental aspect of our operations. Our commitment to security goes beyond reacting to vulnerabilities; it is an integral part of our firm's ethos.