Page History

Warning

This is a public space:

For the draft, please restrict the page during creation and
remove this warning when page is published

English
Contents

German
Inhalte

german

French
Contenu

Inhalte

Table of Contents

Page properties

Date	17 Oct 2023
Product	Jira Service Management Data Center Jira Service Management Server
Vulnerability	high (8.4)
CVE	CVE-2019-13990
Official link	https://confluence.atlassian.com/security/cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html

English

Dear customer,

On Oct 17 2023 10:00 PDT, Atlassian issued a Security Advisory for Jira Service Management Server and Data Center.
The Cloud versions of the applications as well as other Atlassian products are not affected.

What you need to know

The affected versions contain vulnerable versions of Terracotta Quartz Scheduler which allow authenticated attackers to initiate an XML External Entity injection attack using job descriptions.

Atlassian has committed to issuing critical advisories based on the NVD vulnerability score, in this case the CVSS for this third party CVE is critical (9.8), but this score doesn’t always account for the context in which a vulnerable component is used in our software. Unauthenticated attackers without local access to the system are unable to exploit this vulnerability. As such, our internal assessment of this vulnerability is scored as high severity.

Affected Versions

Info

Jira Service Management Data Center and Server

4.20.0
4.20.1
4.20.10
4.20.11
4.20.12
4.20.13
4.20.14
4.20.15
4.20.16
4.20.17
4.20.18
4.20.19
4.20.2
4.20.20
4.20.21
4.20.22
4.20.23
4.20.24
4.20.25
4.20.3
4.20.4
4.20.5
4.20.6
4.20.7
4.20.8
4.20.9
4.21.0
4.21.1
4.22.0
4.22.1
4.22.2
4.22.3
4.22.4
4.22.6
5.0.0
5.1.0
5.1.1
5.2.0
5.2.1
5.3.0
5.3.1
5.3.2
5.3.3
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.5.1
5.6.0
5.7.0
5.7.1
5.8.0
5.8.1
5.9.0
5.10.0

What should I do?

Localtab Group

Localtab

active	true
title	Confluence Server & Data Center
tabIcon	bvicon-server

You use Jira Service Management Data Center and Server

Update

To address this issue, Atlassian released the following versions:

4.20.26 or later
5.10.1 or later
5.4.10 or later
5.7.2 or later
5.8.2 or later
5.9.2 or later

Mitigation

If you are unable to upgrade to a fixed version immediately, you can temporarily remediate this vulnerability by disabling Assets on your Jira Service Management instance by following these instructions. This has the consequence of disabling Assets functionality.

Localtab

title	Atlassian Confluence Cloud
tabIcon	bvicon-cloud

You use Jira Service Management Cloud

Tip
You are not affected by this Security Advisory. No need for action.

Localtab

title	bitvoodoo Cloud
tabIcon	bvicon-cloud

You use Jira Service Management on servers operated by bitvoodoo

Mitigation

If you are unable to upgrade to a fixed version immediately, you can temporarily remediate this vulnerability by disabling Assets on your Jira Service Management instance.
Customers will get contacted to discuss the implementation of this mitigation.

Update

LTS Update Package Customers will get contacted to discuss the need of an update.

Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.

Frenchgerman

Dear customer,

On Oct 17 2023 10:00 PDT, Atlassian issued a Security Advisory for Jira Service Management Server and Data Center.
The Cloud versions of the applications as well as other Atlassian products are not affected.

What you need to know

The affected versions contain vulnerable versions of Terracotta Quartz Scheduler which allow authenticated attackers to initiate an XML External Entity injection attack using job descriptions.

Atlassian has committed to issuing critical advisories based on the NVD vulnerability score, in this case the CVSS for this third party CVE is critical (9.8), but this score doesn’t always account for the context in which a vulnerable component is used in our software. Unauthenticated attackers without local access to the system are unable to exploit this vulnerability. As such, our internal assessment of this vulnerability is scored as high severity.

Affected Versions

Info

Jira Service Management Data Center and Server

4.20.0
4.20.1
4.20.10
4.20.11
4.20.12
4.20.13
4.20.14
4.20.15
4.20.16
4.20.17
4.20.18
4.20.19
4.20.2
4.20.20
4.20.21
4.20.22
4.20.23
4.20.24
4.20.25
4.20.3
4.20.4
4.20.5
4.20.6
4.20.7
4.20.8
4.20.9
4.21.0
4.21.1
4.22.0
4.22.1
4.22.2
4.22.3
4.22.4
4.22.6
5.0.0
5.1.0
5.1.1
5.2.0
5.2.1
5.3.0
5.3.1
5.3.2
5.3.3
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.5.1
5.6.0
5.7.0
5.7.1
5.8.0
5.8.1
5.9.0
5.10.0

What should I do?

Localtab Group

Localtab

active	true
title	Confluence Server & Data Center
tabIcon	bvicon-server

You use Jira Service Management Data Center and Server

Update

To address this issue, Atlassian released the following versions:

4.20.26 or later
5.10.1 or later
5.4.10 or later
5.7.2 or later
5.8.2 or later
5.9.2 or later

Mitigation

If you are unable to upgrade to a fixed version immediately, you can temporarily remediate this vulnerability by disabling Assets on your Jira Service Management instance by following these instructions. This has the consequence of disabling Assets functionality.

Localtab

title	Atlassian Confluence Cloud
tabIcon	bvicon-cloud

You use Jira Service Management Cloud

Tip
You are not affected by this Security Advisory. No need for action.

Localtab

title	bitvoodoo Cloud
tabIcon	bvicon-cloud

You use Jira Service Management on servers operated by bitvoodoo

Mitigation

If you are unable to upgrade to a fixed version immediately, you can temporarily remediate this vulnerability by disabling Assets on your Jira Service Management instance.
Customers will get contacted to discuss the implementation of this mitigation.

Update

LTS Update Package Customers will get contacted to discuss the need of an update.

Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.

German

French

Chère cliente, cher clientDear customer,

On Oct Le 17 2023 10:00 PDToctobre 2023 à 19h, Atlassian issued a Security Advisory fora publié un avis de sécurité pour Jira Service Management Server and Serveur & Data Center.The Cloud versions of the applications as well as other Atlassian products are not affected.

What you need to know

The affected versions contain vulnerable versions of Terracotta Quartz Scheduler which allow authenticated attackers to initiate an XML External Entity injection attack using job descriptions.

Les versions Cloud des applications ainsi que les autres produits Atlassian ne sont pas concernés.

Ce qu'il faut savoir

Les versions concernées contiennent des versions vulnérables de Terracotta Quartz Scheduler qui permettent à des attaquants authentifiés d'initier une attaque par injection d'entité externe XML en utilisant des descriptions de tâches.

Atlassian s'est engagé à émettre des avis critiques basés sur le score de vulnérabilité NVD, dans ce cas le CVSS pour ce CVE tiers est critique Atlassian has committed to issuing critical advisories based on the NVD vulnerability score, in this case the CVSS for this third party CVE is critical (9.8), but this score doesn’t always account for the context in which a vulnerable component is used in our software. Unauthenticated attackers without local access to the system are unable to exploit this vulnerability. As such, our internal assessment of this vulnerability is scored as high severity.

Affected Versions

mais ce score ne prend pas toujours en compte le contexte dans lequel un composant vulnérable est utilisé dans notre logiciel. Les attaquants non authentifiés qui n'ont pas d'accès local au système sont incapables d'exploiter cette vulnérabilité. Par conséquent, notre évaluation interne de cette vulnérabilité est classée comme étant de haute sévérité.

Versions affectées

Info

Jira Service Management Data Center and Serveret Serveur:

4.20.0
4.20.1
4.20.10
4.20.11
4.20.12
4.20.13
4.20.14
4.20.15
4.20.16
4.20.17
4.20.18
4.20.19
4.20.2
4.20.20
4.20.21
4.20.22
4.20.23
4.20.24
4.20.25
4.20.3
4.20.4
4.20.5
4.20.6
4.20.7
4.20.8
4.20.9
4.21.0
4.21.1
4.22.0
4.22.1
4.22.2
4.22.3
4.22.4
4.22.6
5.0.0
5.1.0
5.1.1
5.2.0
5.2.1
5.3.0
5.3.1
5.3.2
5.3.3
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.5.1
5.6.0
5.7.0
5.7.1
5.8.0
5.8.1
5.9.0
5.10.0

What should I do

Que dois-je faire ?

Localtab Group

Localtab

active	true
title	Confluence Server & Data Center
tabIcon	bvicon-server

You use Vous utilisez Jira Service Management Data Center and Serverou Serveur:

Update

Pour remédier à ce problème, Atlassian a mis en place :

Les versions Jira Service Management Data Center er ServeurTo address this issue, Atlassian released the following versions:

4.20.26 or laterou plus récente
5.10.1 or laterou plus récente
5.4.10 or laterou plus récente
5.7.2 or laterou plus récente
5.8.2 or laterou plus récente
5.9.2 or later

Mitigation

ou plus récente

Actions correctives:

Si vous n'êtes pas en mesure de passer immédiatement à une version corrigée, vous pouvez remédier temporairement à cette vulnérabilité en désactivant Assets sur votre instance de Jira Service Management en suivant ces instructions. Cela a pour conséquence de désactiver la fonctionnalité AssetsIf you are unable to upgrade to a fixed version immediately, you can temporarily remediate this vulnerability by disabling Assets on your Jira Service Management instance by following these instructions. This has the consequence of disabling Assets functionality.

Localtab

title	Atlassian Confluence Cloud
tabIcon	bvicon-cloud

You use Vous utilisez Jira Service Management Cloud

Tip
You are not affected by this Security Advisory. No need for actionVous n'êtes pas concerné par cet avis de sécurité. Aucune action n'est nécessaire.

Localtab

title	bitvoodoo Cloud
tabIcon	bvicon-cloud

You use Vous utilisez Jira Service Management on servers operated by sur des serveurs exploités par bitvoodoo

Mitigation

If you are unable to upgrade to a fixed version immediately, you can temporarily remediate this vulnerability by disabling Assets on your Jira Service Management instance.
Customers will get contacted to discuss the implementation of this mitigation.

Update

LTS Update Package Customers will get contacted to discuss the need of an update.

Support

Actions correctives:

Si vous n'êtes pas en mesure de passer immédiatement à une version corrigée, vous pouvez remédier temporairement à cette vulnérabilité en désactivant Assets sur votre instance de Jira Service Management en suivant ces instructions.
Les clients seront contactés pour discuter de la mise en œuvre de cette mesure d'atténuation.

Update

Les clients du paquet de mise à jour LTS seront contactés pour discuter de la nécessité d'une mise à jour.

Support

Si vous avez encore des questions ou des inquiétudes concernant cet avis, veuillez contacter le support de bitvoodoo via If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.

Versions Compared

Old Version 8

New Version 9

Key

What you need to know

Affected Versions

What should I do?

Update

Mitigation

Mitigation

Update

Support

What you need to know

Affected Versions

What should I do?

Update

Mitigation

Mitigation

Update

Support

What you need to know

Ce qu'il faut savoir

Versions affectées

Que dois-je faire ?

Update

Mitigation

Actions correctives:

Mitigation

Update

Support

Actions correctives:

Update

Support

Pages

Recently updated

Favourite Pages