Contents
Multiple Products Security Advisory - CVE-2022-26136, CVE-2022-26137, CVE-2022-26138
Dear customer,
on the 20th of July 2022 10 PM CEST, Atlassian issued two Security Advisories for it's on-premise software products and the Confluence app Questions for Confluence. The Cloud versions of the applications are not affected.
What you need to know
Atlassian has been made aware of a critical vulnerability in their on-premise software products via Arbitrary Servlet Filter Bypass and Additional Servlet Filter Invocation. Further details about the vulnerability are available in Multiple Products Security Advisory - 2022-07-20. The only current way to secure the applications, is updating to fixed versions.
Additionally Atlassian disclosed a vulnerability in the app Questions for Confluence due to a systemuser with harcoded user credentials. Further details on the vulnerability can be found in Questions For Confluence App Security Advisory - 2022-07-20. Updating Questions for Confluence fixes this vulnerability.
Affected Versions
Product | Affected Versions |
|---|---|
Bamboo Server and Data Center |
|
Bitbucket Server and Data Center |
|
Confluence Server and Data Center |
|
Crowd Server and Data Center |
|
Crucible |
|
Fisheye |
|
Jira Server and Data Center |
|
Jira Service Management Server and Data Center |
|
Questions for Confluence |
|
Fixed Versions
bitvoodoo recommends using the latest LTS releases of Jira, Confluence, and Bitbucket.
Product | Fixed Versions |
|---|---|
Bamboo Server and Data Center |
|
Bitbucket Server and Data Center | |
Confluence Server and Data Center | |
Crowd Server and Data Center |
|
Crucible |
|
Fisheye |
|
Jira Server and Data Center | |
Jira Service Management Server and Data Center |
What should I do? - On-Premise Products
You use the Server or Data Center variant of any Atlassian application in a version listed in Affected Versions.
Update
Update to a version listed in Fixed Versions.
bitvoodoo recommends using the latest LTS releases of Jira, Confluence and Bitbucket.
Workaround
There are currently no workarounds.
You use Jira, Confluence or Bitbucket Cloud.
You are not affected by this Security Advisory.
No need for action.
You use Jira, Confluence or Bitbucket Server or Data Center hosted with bitvoodoo.
Update
LTS Update Package Customers will get an update to the latest LTS release free of charge as soon as possible.
bitvoodoo Cloud customers who do not have an LTS update package will be contacted by bitvoodoo in the coming days for coordination for an update.
Workaround
There are currently no workarounds.
What should I do? - Questions For Confluence App
You use the app Questions for Confluence in Confluence Server or Data Center.
Determine If You Are Affected
Determine if you are affected by searching for the disabledsystemuser user account. If this account does not show up in the list of active users, the Confluence instance is not affected.
Update the App
Update the Questions for Confluence app to a fixed version:
2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)
Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)
Workaround
Search for the disabledsystemuser user account and either disable it or delete it. For instructions on how to disable or delete an account (including an explanation of the differences between the two options), refer to:
You use Confluence Cloud.
You are not affected by this Security Advisory.
No need for action.
You use the app Questions for Confluence in Confluence Server or Data Center hosted with bitvoodoo.
bitvoodoo already updated Questions for Confluence in all Confluence installation hosted with bitvoodoo.
No need for action.
Further Reading
- CVE-2022-26136
- CVE-2022-26137
- CVE-2022-26138
Multiple Products Security Advisory - 2022-07-20
Questions For Confluence App Security Advisory - 2022-07-20
Support
If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.