Jira Security Advisory 2022-04-20
Updates
11:30 AM PDT
- Updated the List of affected Atlassian Marketplace Apps section to note the following apps have non-vulnerable updates available:
- Secure Code Warrior® for Jira
- Simple Tasklists
- Simple Team Pages for Jira
- UiPath Test Manager for Jira
- Xporter - Export issues from Jira
11:40 AM PDT
- Updated the List of affected Atlassian Marketplace Apps section to note the following app is no longer supported:
- Feedback for Jira - Forms for website
12:30 PM PDT
- Updated the List of affected Atlassian Marketplace Apps section to note the following apps have non-vulnerable updates available:
- VCAP - Video Capture for Jira Service Management
- Who deleted my issues
11:50 AM PDT
- Updated the List of affected Atlassian Marketplace Apps section to note the following apps have non-vulnerable updates available:
- Calendar for Jira
- Dependent Select List
- Smart Checklist for Jira. Pro
Summary | CVE-2022-0540 - Authentication bypass in Seraph
---|---
Advisory Release Date | 2022-04-20 10:00 AM PDT (Pacific Time, UTC-7)
Affected Products | Jira Core Server, Jira Software Server and Data Center, Jira Service Management Server and Data Center. Jira Cloud is not affected.
CVE ID(s) | CVE-2022-0540
Summary of Vulnerability
Jira and Jira Service Management are vulnerable to an authentication bypass in their web authentication framework, Jira Seraph.
Although the vulnerability is in the core of Jira, it affects first- and third-party apps that specify `roles-required` at the `webwork1` action namespace level and do not specify it at the action level. For a specific action to be affected, the action must also perform no other authentication or authorization checks of its own.
A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass the authentication and authorization requirements of WebWork actions that use an affected configuration.
Severity
For installations that use apps that have an affected configuration, Atlassian rates the severity level of this vulnerability as critical, though this may vary if an affected app uses additional permissions checks. For more detailed information on the impact to each app listed in the Determining which apps are affected section below, contact the app vendor.
For installations that do not use any apps that have an affected configuration as described in the Summary of Vulnerability section above, Atlassian rates the severity level of this vulnerability as medium.
This is our assessment, and you should evaluate its applicability to your own IT environment.
Affected Jira Versions
This includes the following products:
- Jira Core Server
- Jira Software Server
- Jira Software Data Center
Affected versions:
- All versions before 8.13.18
- 8.14.x
- 8.15.x
- 8.16.x
- 8.17.x
- 8.18.x
- 8.19.x
- 8.20.x before 8.20.6
- 8.21.x
Fixed Jira Versions
- 8.13.x >= 8.13.18
- 8.20.x >= 8.20.6
- All versions >= 8.22.0
You can download the latest versions from the download pages for Jira Core or Jira Software.
Please note that these are the first versions that include the fix for CVE-2022-0540. More current bug fix releases are available for the three release lines listed above. Atlassian recommends upgrading to the most current bug fix version.
Affected Jira Service Management Versions
This includes the following products:
- Jira Service Management Server
- Jira Service Management Data Center
Affected versions:
- All versions before 4.13.18
- 4.14.x
- 4.15.x
- 4.16.x
- 4.17.x
- 4.18.x
- 4.19.x
- 4.20.x before 4.20.6
- 4.21.x
Fixed Jira Service Management Versions
- 4.13.x >= 4.13.18
- 4.20.x >= 4.20.6
- All versions >= 4.22.0
You can download the latest versions from the download page for Jira Service Management.
Please note that these are the first versions that include the fix for CVE-2022-0540. More current bug fix releases are available for the three release lines listed above. Atlassian recommends upgrading to the most current bug fix version.
Determining which apps are affected
An app is only affected by CVE-2022-0540 when both of the following conditions are true:
- It’s installed in one of the affected Jira or Jira Service Management versions listed above
- It’s using a configuration vulnerable to CVE-2022-0540
Although app configuration is one factor that determines whether or not an app is vulnerable, it is not the cause of the vulnerability. These apps correctly use documented functionality that Jira and Jira Service Management previously implemented in a vulnerable way. If you have already installed a fixed version of Jira or Jira Service Management, you are protected against this vulnerability no matter which apps you have installed.
Atlassian has determined which Atlassian Marketplace apps use a configuration vulnerable to CVE-2022-0540 (see the List of affected Atlassian Marketplace Apps section below). If you are using an app that is not listed on Atlassian Marketplace, please contact the developer to determine if it’s using an affected configuration.
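To make the affected configuration from the Summary of Vulnerability section concrete, and to give a starting point for the question this section leaves to app developers, here is an added example (not Atlassian's code, nor any app vendor's) that scans an app's atlassian-plugin.xml for webwork1 modules that set roles-required on the module while leaving at least one action without its own roles-required. The plugin key, module keys, action class names, aliases and template paths in the embedded sample descriptor are constructed for illustration; the element and attribute names are those of the plugin descriptor format. A descriptor scan cannot see permission checks done inside an action's Java code, which the summary notes would make an action unaffected, so treat each hit as a candidate to confirm with the vendor rather than a confirmed exposure.

```python
"""Scan an atlassian-plugin.xml for the webwork1 configuration affected by
CVE-2022-0540: roles-required declared on the <webwork1> module (the action
namespace) but not on every <action> inside it.

Added example for this advisory, not Atlassian's or any app vendor's code.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample descriptor. The plugin key, module keys, class names,
# aliases and templates are invented; the element and attribute names are
# those of the Atlassian plugin descriptor.
SAMPLE_DESCRIPTOR = """<atlassian-plugin key="com.example.demo" name="Demo App">
  <!-- Affected pattern: roles-required only on the module, so actions inherit it -->
  <webwork1 key="admin-actions" name="Admin Actions" class="java.lang.Object"
            roles-required="admin">
    <actions>
      <action name="com.example.demo.ExportAction" alias="DemoExport">
        <view name="success">/templates/export.vm</view>
      </action>
      <action name="com.example.demo.ResetAction" alias="DemoReset"
              roles-required="sysadmin">
        <view name="success">/templates/reset.vm</view>
      </action>
    </actions>
  </webwork1>
  <!-- Not affected: every action declares roles-required itself -->
  <webwork1 key="user-actions" name="User Actions" class="java.lang.Object">
    <actions>
      <action name="com.example.demo.ViewAction" alias="DemoView" roles-required="use">
        <view name="success">/templates/view.vm</view>
      </action>
    </actions>
  </webwork1>
</atlassian-plugin>
"""


def find_affected_actions(descriptor_xml: str) -> list:
    """Return one finding per action that relies solely on the namespace-level
    roles-required. Actions with their own roles-required are skipped, as are
    modules that declare no roles at all (nothing inherited, nothing to bypass).
    Permission checks in the action's Java code are invisible here, so each
    finding is a candidate to confirm with the app vendor."""
    root = ET.fromstring(descriptor_xml)
    findings = []
    for module in root.iter("webwork1"):
        namespace_roles = module.get("roles-required")
        if not namespace_roles:
            continue
        for action in module.iter("action"):
            if action.get("roles-required"):
                continue
            findings.append({
                "module": module.get("key"),
                "action": action.get("name"),
                "alias": action.get("alias"),
                "inherited_roles": namespace_roles,
            })
    return findings


def scan_plugin_jar(jar) -> list:
    """Pull atlassian-plugin.xml out of an app .jar (a path or a file-like
    object) and scan it."""
    with zipfile.ZipFile(jar) as zf:
        with zf.open("atlassian-plugin.xml") as fh:
            return find_affected_actions(fh.read().decode("utf-8"))


def build_sample_jar() -> io.BytesIO:
    """Build an in-memory jar holding only the sample descriptor, so the jar
    path can be exercised without touching disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("atlassian-plugin.xml", SAMPLE_DESCRIPTOR)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for f in scan_plugin_jar(build_sample_jar()):
        print(f"{f['module']}: {f['action']} (alias {f['alias']}) inherits "
              f"roles-required={f['inherited_roles']!r} and declares none itself")
```

Run it against a real app by calling scan_plugin_jar with the path to the app's .jar. Only DemoExport is reported for the sample: DemoReset and DemoView carry their own roles-required, and the advisory's fixed Jira versions make the namespace-level setting safe again regardless of what this scan finds.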
The list of affected apps includes two Atlassian apps:
- Insight - Asset Management
- Versions 8.x and earlier are available from the Atlassian Marketplace
- Versions 9.x are bundled with Jira Service Management Server and Data Center 4.15.0 and later
- Mobile Plugin for Jira
- Bundled with Jira Server, Jira Software Server and Data Center 8.0.0 and later
- Bundled with Jira Service Management Server and Data Center 4.0.0 and later
List of affected Atlassian Marketplace Apps
The full list of Atlassian Marketplace apps affected by CVE-2022-0540 is published on the advisory page as an expandable section. The Updates section at the top of this page records the apps whose status has changed, including those for which non-vulnerable updates are available and those that are no longer supported.
Workarounds
Installing a fixed version of Jira or Jira Service Management is the surest way to remediate CVE-2022-0540. Once a fixed version has been installed, all apps in your instance are protected against CVE-2022-0540 and no further action is required.
If you’re unable to install a fixed version of Jira or Jira Service Management and you’re using any affected apps, refer to the table in the Determining which apps are affected section above to determine if non-affected versions of those apps are available. If so, update any affected apps to a non-affected version.
As a last resort, if you’re using any apps listed in the Determining which apps are affected section and all versions of the app are affected, you can mitigate the security risk by disabling the app until you’re able to install a fixed version of Jira or Jira Service Management.
DO NOT disable Insight - Asset Management on the following versions of Jira Service Management
- 4.19.x
- 4.20.x < 4.20.3
In these versions of Jira Service Management, disabling Insight - Asset Management causes all of Jira Service Management to be disabled.
For more information on how to disable the Insight - Asset Management app, refer to this Jira KB article.
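As an added example (not Atlassian code) tying together the affected and fixed version lists above and the Insight - Asset Management caveat in this section, the following script decides whether a given Jira or Jira Service Management version falls in an affected range, which fixed release is the nearest upgrade target, and whether disabling Insight on that version would disable all of Jira Service Management. The product keys `jira` and `jsm` and the table layout are this example's own; the version boundaries are transcribed from the advisory text.

```python
"""Check a Jira or Jira Service Management Server/Data Center version against
the affected and fixed ranges in this advisory, and flag the Insight workaround
caveat. Added example, not Atlassian code; version boundaries are transcribed
from the advisory."""

# Per product: the major line the advisory lists, the minor lines that received
# a backported fix with the first fixed patch level, and the first minor line
# from which every release is fixed ("All versions >= 8.22.0" / ">= 4.22.0").
FIX_INFO = {
    "jira": {"major": 8, "backports": {13: 18, 20: 6}, "fixed_from_minor": 22},
    "jsm": {"major": 4, "backports": {13: 18, 20: 6}, "fixed_from_minor": 22},
}


def parse_version(text: str) -> tuple:
    """'8.20.6' -> (8, 20, 6); '8.20' -> (8, 20, 0). Anything after a '-' is
    treated as a build suffix and dropped (an assumption of this example)."""
    parts = text.strip().split("-")[0].split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def is_affected(product: str, version: str) -> bool:
    """True when the version is inside one of the advisory's affected ranges."""
    info = FIX_INFO[product]
    major, minor, patch = parse_version(version)
    if major > info["major"]:
        return False      # any later major line is >= x.22.0, hence fixed
    if major < info["major"]:
        return True       # "All versions before x.13.18" covers older lines
    if minor >= info["fixed_from_minor"]:
        return False
    if minor in info["backports"]:
        return patch < info["backports"][minor]
    return True           # x.14 to x.19 and x.21: every release is affected


def minimum_fixed_version(product: str, version: str) -> str:
    """First fixed release on the same minor line when a backport exists,
    otherwise the first fully fixed line. Returns the input if already fixed."""
    if not is_affected(product, version):
        return version
    info = FIX_INFO[product]
    major, minor, _ = parse_version(version)
    if major == info["major"] and minor in info["backports"]:
        return f"{major}.{minor}.{info['backports'][minor]}"
    return f"{info['major']}.{info['fixed_from_minor']}.0"


def disabling_insight_breaks_jsm(jsm_version: str) -> bool:
    """The workaround caveat: on Jira Service Management 4.19.x and 4.20.x
    below 4.20.3, disabling Insight - Asset Management disables all of JSM."""
    major, minor, patch = parse_version(jsm_version)
    return major == 4 and (minor == 19 or (minor == 20 and patch < 3))


if __name__ == "__main__":
    checks = [("jira", "8.13.2"), ("jira", "8.20.6"), ("jsm", "4.19.1"), ("jsm", "4.22.0")]
    for product, version in checks:
        state = "AFFECTED" if is_affected(product, version) else "fixed"
        target = minimum_fixed_version(product, version)
        note = ""
        if product == "jsm" and disabling_insight_breaks_jsm(version):
            note = " (do not disable Insight as a workaround on this version)"
        print(f"{product} {version}: {state}, fixed from {target}{note}")
```

The script only answers the version question; whether an unpatched instance is actually exposed still depends on which apps are installed, as the Severity and Determining which apps are affected sections explain.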
Acknowledgements
We would like to acknowledge Khoadha of Viettel Cyber Security for finding this vulnerability.
Frequently Asked Questions
We’ll be updating this page often with common questions: FAQ for CVE-2022-0540.
Related Tickets
- JRASERVER-73650
- JSDSERVER-11224
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
As per our policy, critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released.
Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
Our end of life policy varies for different products. Please refer to our EOL Policy for details.