Dear customer,
On 20 April 2022 at 22:00 UST, Atlassian issued a Security Advisory for Jira Server & Data Center. The Cloud versions of the applications, as well as other Atlassian products, are not affected.
Atlassian discovered a security vulnerability regarding an authentication bypass in the web authentication framework, Jira Seraph. Although the vulnerability is in the core of Jira, it affects first- and third-party apps that specify the use of some specific roles. A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration.
An app is only affected by CVE-2022-0540 when both of the following conditions are true:
- It’s installed in one of the affected Jira or Jira Service Management versions listed under Affected Versions below.
- It’s using a configuration vulnerable to CVE-2022-0540.
Affected Versions (all versions include Jira Server & Data Center):

Jira Server and Data Center:
- All versions before 8.13.18
- 8.14.x
- 8.15.x
- 8.16.x
- 8.17.x
- 8.18.x
- 8.19.x
- 8.20.x before 8.20.6
- 8.21.x

Jira Service Management Server and Data Center:
- All versions before 4.13.18
- 4.14.x
- 4.15.x
- 4.16.x
- 4.17.x
- 4.18.x
- 4.19.x
- 4.20.x before 4.20.6
- 4.21.x

Affected apps:
- Insight - Asset Management: versions 8.x and earlier are available from the Atlassian Marketplace; versions 9.x are bundled with Jira Service Management Server and Data Center 4.15.0 and later
- App bundled with Jira Server, Jira Software Server and Data Center 8.0.0 and later, and with Jira Service Management Server and Data Center 4.0.0 and later

Fixed Versions (Jira Service Management Server and Data Center):
- 4.20.6
- 4.22.0
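To check an inventory of instances against the affected ranges above, here is an added example (not part of the bitvoodoo advisory or any Atlassian tooling). It encodes the advisory's affected ranges for Jira Server/Data Center and Jira Service Management as half-open version intervals; the product keys "jira" and "jsm" and the sample inventory are assumptions made for this example.

```python
# Added example: classify Jira / Jira Service Management Server and Data Center
# version strings against the affected ranges listed in the CVE-2022-0540 advisory.
from typing import List, Tuple

Version = Tuple[int, int, int]

# (lower inclusive, upper exclusive) ranges the advisory lists as affected.
AFFECTED_RANGES = {
    "jira": [((0, 0, 0), (8, 13, 18)),   # all versions before 8.13.18
             ((8, 14, 0), (8, 20, 6)),   # 8.14.x .. 8.19.x, 8.20.x before 8.20.6
             ((8, 21, 0), (8, 22, 0))],  # 8.21.x
    "jsm":  [((0, 0, 0), (4, 13, 18)),   # all versions before 4.13.18
             ((4, 14, 0), (4, 20, 6)),   # 4.14.x .. 4.19.x, 4.20.x before 4.20.6
             ((4, 21, 0), (4, 22, 0))],  # 4.21.x
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple; rejects anything else."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(product: str, version: str) -> bool:
    """True if the given product version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES[product])


def check_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Return (host, product, version, affected) for each inventory entry."""
    return [(host, prod, ver, is_affected(prod, ver)) for host, prod, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [("jira-prod", "jira", "8.20.5"), ("jira-test", "jira", "8.20.6"),
              ("jsm-prod", "jsm", "4.13.17"), ("jsm-dev", "jsm", "4.22.0")]
    for host, prod, ver, hit in check_inventory(sample):
        print(f"{host:10} {prod:5} {ver:8} {'AFFECTED' if hit else 'ok'}")
```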
You can download the latest versions from the download pages for Jira Core, Jira Software or Jira Service Management.
Please Note: These are the first versions that include the fix for CVE-2022-0540. More current bug fix releases are available for the releases listed above. Atlassian recommends upgrading to the most current bug fix version.
You use Jira Server or Data Center
Update
Installing a fixed version of Jira or Jira Service Management is the best way to remediate CVE-2022-0540. Once a fixed version has been installed, all apps in your instance are protected against CVE-2022-0540 and no further action is required.
Update Jira to one of the listed Fixed Versions.
Workaround
If you’re unable to install a fixed version of Jira or Jira Service Management and you’re using any affected apps, refer to the list of affected apps in the section "Affected Versions" above. If non-affected versions of those apps are available, update any affected apps.
DO NOT disable Insight - Asset Management on the following versions of Jira Service Management:
- 4.19.x
- 4.20.x < 4.20.3
In these versions of Jira Service Management, disabling Insight - Asset Management causes all of Jira Service Management to be disabled.
For more information on how to disable the Insight - Asset Management app, refer to this Jira KB article.
You use Jira Software, Jira Service Management or Jira Work Management Cloud
You are not affected by this Security Advisory.
No need for action.
Your Jira Server or Data Center is hosted with bitvoodoo
Update
Installing a fixed version of Jira or Jira Service Management is the best way to remediate CVE-2022-0540. Once a fixed version has been installed, all apps in your instance are protected against CVE-2022-0540, and no further action is required.
We can offer you an update to a fixed version at short notice.
Workaround
bitvoodoo will help you determine which apps are affected and will implement workarounds where possible.
If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.