Dear customer,
On Monday evening, 1st November, Atlassian published a security advisory for a security vulnerability affecting several of its products.
What you need to know
An issue was discovered in the Unicode Bidirectional Algorithm. This is a general security issue affecting a broad range of software, not only Atlassian products. As far as is publicly known, this flaw is currently not being exploited. The underlying Unicode flaw is scored as critical; Atlassian rates the severity for its own products as high.
What is the Bidirectional Algorithm?
The Unicode Bidirectional Algorithm determines how text that mixes left-to-right and right-to-left scripts (for example Arabic or Hebrew) is displayed. It relies in part on invisible control characters (directional embeddings, overrides and isolates) that are inserted automatically by editors and input methods for such localizations and are typically not displayed by browsers or code editors. The vulnerability is not limited to those localizations: the same control characters can be inserted manually into any source file, so that the code a reviewer sees on screen differs from the code a compiler or interpreter processes.
Am I affected?
Please see Affected versions.
What should I do?
The fix Atlassian provides in the updated products does not actually close this vulnerability but mitigates it: wherever code is displayed, the affected products now highlight bidirectional control characters and show a warning prompting users to check what these characters are doing before trusting the code.
We suspect that only a small number of our Swiss customers work with localizations that need the Bidirectional Algorithm, so the urgency may differ from case to case. Nonetheless, we follow Atlassian's recommendations. Updating to the fixed versions will put the described mitigation in place. Additionally, we recommend informing your developers about this Unicode flaw and asking them not to execute code from unknown sources in Bamboo, Bitbucket, Crucible or Fisheye.
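To make the explanation above concrete, here is an added example in Python (written for this mailing; it is neither Atlassian's code nor part of their advisory). It constructs a small source snippet containing the RLI, PDI and LRI control characters, shows that the Python parser sees a different string literal than a reader of the rendered line would expect, and scans text for bidirectional controls and makes them visible, which is the kind of check the Atlassian fix performs in pull requests and code blocks and which a pre-commit hook can perform on your own repositories. The sample snippet, the function names and the report format are assumptions of this example.

```python
"""Added example (not Atlassian's code and not part of the original advisory):
show what Unicode bidirectional control characters do to source code and scan
text for them, the way the Atlassian fix highlights them in code views.
The sample source below is constructed for this example."""
import ast
import unicodedata

# Bidi classes of the explicit directional formatting characters behind
# CVE-2021-42574: embeddings (LRE/RLE), overrides (LRO/RLO), isolates
# (LRI/RLI/FSI) and their terminators (PDF/PDI). unicodedata.bidirectional()
# returns exactly these class names for U+202A-U+202E and U+2066-U+2069.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"}


def bidi_class(ch):
    """Return the bidi control class of ch, or None for an ordinary character."""
    cls = unicodedata.bidirectional(ch)
    return cls if cls in BIDI_CONTROL_CLASSES else None


def find_bidi_controls(text):
    """Return (line, column, class) for every bidi control character in text.

    Lines and columns are 1-based, as a reviewer would see them."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cls = bidi_class(ch)
            if cls:
                hits.append((line_no, col, cls))
    return hits


def highlight(text):
    """Make the invisible controls visible as markers such as '<RLI>',
    comparable to the markers the patched Atlassian code views show."""
    return "".join(f"<{bidi_class(ch)}>" if bidi_class(ch) else ch for ch in text)


def string_literals(source):
    """Return the string constants exactly as the Python parser sees them."""
    tree = ast.parse(source)
    return [node.value for node in ast.walk(tree)
            if isinstance(node, ast.Constant) and isinstance(node.value, str)]


def report(source):
    """Return the offending lines with the controls made visible."""
    flagged = {line_no for line_no, _, _ in find_bidi_controls(source)}
    return [f"line {n}: {highlight(line)}"
            for n, line in enumerate(source.splitlines(), start=1) if n in flagged]


# Constructed sample in the "stretched string" pattern described in the
# Trojan Source disclosure: RLI/PDI/LRI are placed so that a bidi-aware
# display can present the line roughly as
#     return level != 'none'  # looks like a comment ...
# while the parser sees one long string literal that is never equal to 'none',
# so is_admin('none') would still return True.
SAMPLE_SOURCE = (
    "def is_admin(level):\n"
    "    return level != 'none\u2067\u2069 # looks like a comment, is part of the string\u2066'\n"
)


if __name__ == "__main__":
    for hit in find_bidi_controls(SAMPLE_SOURCE):
        print("bidi control at line %d col %d: %s" % hit)
    for entry in report(SAMPLE_SOURCE):
        print(entry)
    literal = string_literals(SAMPLE_SOURCE)[0]
    print("parser compares against %r (%d chars), not 'none'" % (literal, len(literal)))
```

Run it as a script to see the report. Note that this check covers only the bidirectional control characters; it does not detect identifiers built from visually confusable characters (homoglyphs), which is a separate problem and not addressed by the Atlassian mitigation either.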
Further Reading
- News post from heise online (German)
- Atlassian Security Advisory for CVE-2021-42574
- Atlassian FAQ for CVE-2021-42574
- CVE-2021-42574
Affected versions and fixed versions by product
Server and Data Center
Affected versions
All versions before 8.0.4
Fixed versions
- Version 8.0.4 or newer
Affected versions
All versions before 6.10.14
All versions between 7.0.0 and 7.5.2 (inclusive)
All 7.6.x LTS versions before 7.6.10
All versions between 7.7.0 and 7.16.1 (inclusive)
All 7.17.x LTS versions before 7.17.1
Fixed versions
- Version 6.10.14
- Version 7.6.10
- Version 7.17.1 or newer
Affected versions
All versions before 7.4.13
All versions between 7.5.0 and 7.12.5 (inclusive)
All 7.13.x LTS versions before 7.13.2
Version 7.14.0
Fixed versions
- Version 7.4.13
- Version 7.13.2
- Version 7.14.1 or newer
Affected versions
All versions before 4.8.8
Fixed versions
- Version 4.8.8 or newer
Affected versions
All versions before 4.8.8
Fixed versions
- Version 4.8.8 or newer
Affected versions
All versions before 4.13.13
All versions between 4.14.0 and 4.19.1 (inclusive)
All 4.20.x LTS versions before 4.20.1
Fixed versions
- Version 4.13.13
- Version 4.20.1 or newer
Affected versions
All versions before 8.9.4
Fixed versions
- Version 8.9.4 or newer
Affected versions
All versions before 8.13.13
All versions between 8.14.0 and 8.19.1 (inclusive)
All 8.20.x LTS versions before 8.20.1
Fixed versions
- Version 8.13.13
- Version 8.20.1 or newer
Cloud
For information on how this affects Atlassian Cloud sites, see CVE-2021-42574 - Unrendered unicode bidirectional override characters in Cloud sites
If your Atlassian site is accessed via an atlassian.net domain, it is an Atlassian Cloud site.
More details on CVE-2021-42574
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published on Atlassian's severity levels page. That scale ranks a vulnerability as critical, high, moderate or low.
This is Atlassian's assessment; you should evaluate its applicability to your own IT environment.
Description
A vulnerability has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter.
Fix
Atlassian recommends that you upgrade to the latest version. For a full description of the latest versions, see the release notes for your product:
- Bamboo Server and Data Center release notes
- Bitbucket Server and Data Center release notes
- Jira Service Management Server and Data Center release notes
You can download the latest version of your product from the download center.
Mitigation
The fix involved updating a number of common places where code is displayed, such as in a pull request, code snippet, or code block, to highlight bidirectional characters. A tooltip prompts users to take some time to understand what the characters are doing, and how the code will be interpreted when executed.
Here's an example of the message when viewing a Confluence Data Center page with a code block.
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, check out Atlassian's Frequently asked questions for CVE-2021-42574, or raise a support request at support.atlassian.com with Atlassian support or at support.bitvoodoo.ch with bitvoodoo support.