Multiple Products Security Advisory - Unrendered unicode bidirectional override characters - CVE-2021-42574


Summary

CVE-2021-42574 - Unrendered unicode bidirectional override characters in multiple products

Advisory Release Date

1 November 2021 12 AM UTC (Coordinated Universal Time, +0 hours)

Products

  • Bamboo Server and Data Center

  • Bitbucket Server and Data Center

  • Confluence Server and Data Center

  • Crucible

  • Fisheye

  • Jira Service Management Server and Data Center (and Insight Asset Management app)

  • Jira Software Server and Data Center (including Jira Core)

Affected Versions

Bamboo Server and Data Center

  • All versions before 8.0.4

Bitbucket Server and Data Center

  • All versions before 6.10.14

  • All versions between 7.0.0 and 7.5.2 (inclusive)

  • All 7.6.x LTS versions before 7.6.10

  • All versions between 7.7.0 and 7.16.1 (inclusive)

  • All 7.17.x LTS versions before 7.17.1

Confluence Server and Data Center

  • All versions before 7.4.13

  • All versions between 7.5.0 and 7.12.5 (inclusive)

  • All 7.13.x LTS versions before 7.13.2

  • Version 7.14.0

Crucible

  • All versions before 4.8.8

Fisheye

  • All versions before 4.8.8

Jira Service Management Server and Data Center

  • All versions before 4.13.13

  • All versions between 4.14.0 and 4.19.1 (inclusive)

  • All 4.20.x LTS versions before 4.20.1

Insight Asset Management (Marketplace app for Jira Service Management)

  • All versions before 8.9.4

Jira Software Server and Data Center (including Jira Core)

  • All versions before 8.13.13

  • All versions between 8.14.0 and 8.19.1 (inclusive)

  • All 8.20.x LTS versions before 8.20.1

Fixed Versions

Bamboo Server and Data Center

  • 8.0.4

Bitbucket Server and Data Center

  • 6.10.14

  • 7.6.10

  • 7.17.1

Confluence Server and Data Center

  • 7.4.13

  • 7.13.2

  • 7.14.1

Crucible

  • 4.8.8

Fisheye

  • 4.8.8

Jira Service Management Server and Data Center

  • 4.13.13

  • 4.20.1

Insight Asset Management (Marketplace app for Jira Service Management)

  • 8.9.4

Jira Software Server and Data Center (including Jira Core)

  • 8.13.13

  • 8.20.1

CVE ID

CVE-2021-42574

Summary of Vulnerability

This advisory discloses a high severity security vulnerability which was introduced in the product versions listed under Affected Versions above.


For information on how this affects Atlassian Cloud sites, see CVE-2021-42574 - Unrendered unicode bidirectional override characters in Cloud sites

If your Atlassian site is accessed via an atlassian.net domain, it is an Atlassian Cloud site.

Customers who have upgraded to a version listed under Fixed Versions above are not affected.

Customers who have downloaded and installed a version listed under Affected Versions above should upgrade their installations immediately to fix this vulnerability.

CVE-2021-42574 - Unicode bidirectional override character trojan source attack

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

A vulnerability has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter.

Acknowledgements

The issue was identified and reported by Nicholas Boucher and Ross Anderson of the University of Cambridge. Details are disclosed at CVE-2021-42574.

Fix

We have taken the following steps to address this issue:

  1. Released Bamboo Server and Data Center version 8.0.4, which contains a fix for this issue.

  2. Released Bitbucket Server and Data Center versions 6.10.14, 7.6.10, and 7.17.1, which contain a fix for this issue.

  3. Released Confluence Server and Data Center versions 7.4.13, 7.13.2, and 7.14.1, which contain a fix for this issue.

  4. Released Crucible version 4.8.8, which contains a fix for this issue.

  5. Released Fisheye version 4.8.8, which contains a fix for this issue.

  6. Released Insight Asset Management Marketplace app version 8.9.4, which contains a fix for this issue.

  7. Released Jira Service Management Server and Data Center versions 4.13.13 and 4.20.1, which contain a fix for this issue.

  8. Released Jira Software Server and Data Center versions 8.13.13 and 8.20.1, which contain a fix for this issue.

What you need to do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest versions, see the release notes for your product.

You can download the latest version of your product from the download center.

Upgrade to the version recommended below or higher.

Bamboo Server and Data Center

  • Upgrade to 8.0.4 or higher

Bitbucket Server and Data Center

  • Upgrade to 7.17.1 LTS or higher

  • If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions above.

Confluence Server and Data Center

  • Upgrade to 7.13.2 LTS or a higher 7.13.x version

  • If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions above.

  • If you’re running 7.14.0, upgrade to 7.14.1 or higher

Crucible

  • Upgrade to 4.8.8 or higher

Fisheye

  • Upgrade to 4.8.8 or higher

Insight Asset Management app

  • Upgrade the app to 8.9.4 or higher

  • This is only required if you’ve installed Insight Asset Management from the Marketplace.

Jira Software Server and Data Center (including Jira Core)

  • Upgrade to 8.20.1 LTS or higher

  • If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions above.

Jira Service Management Server and Data Center

  • Upgrade to 4.20.1 LTS or higher

  • If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions above.

Mitigation

The fix involved updating a number of common places where code is displayed, such as in a pull request, code snippet, or code block, to highlight bidirectional characters. A tooltip prompts users to take some time to understand what the characters are doing, and how the code will be interpreted when executed.

Here's an example of the message when viewing a Confluence Data Center page with a code block.
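The Description and Mitigation sections above describe the hazard (invisible bidirectional formatting characters that a compiler or interpreter still processes) and the fix (making those characters visible wherever code is rendered). The following Python scanner is an added example, not Atlassian's code, of the same detection logic applied to arbitrary text: it reports each bidirectional control character by line, column, code point and Unicode name, renders a line with visible `<U+XXXX>` markers in place of the controls, and flags lines that end with a directional override or isolate still open. The `SAMPLE` input is constructed for this example; the nesting check is a deliberately simple heuristic, not the full Unicode bidirectional algorithm.

```python
"""Find Unicode bidirectional formatting characters in text (added example,
not Atlassian code). Assumes the text has already been decoded to a str.
"""
import unicodedata
from dataclasses import dataclass
from typing import List

# Directional embedding / override / isolate controls and their terminators.
OPENERS = {
    "\u202a",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b",  # RIGHT-TO-LEFT EMBEDDING
    "\u202d",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066",  # LEFT-TO-RIGHT ISOLATE
    "\u2067",  # RIGHT-TO-LEFT ISOLATE
    "\u2068",  # FIRST STRONG ISOLATE
}
CLOSERS = {
    "\u202c",  # POP DIRECTIONAL FORMATTING
    "\u2069",  # POP DIRECTIONAL ISOLATE
}
BIDI_CONTROL = OPENERS | CLOSERS


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number
    column: int      # 1-based code-point offset within the line
    codepoint: str   # e.g. "U+202E"
    name: str        # Unicode character name


def scan_text(text: str) -> List[Finding]:
    """Report every bidirectional control character with its position."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROL:
                findings.append(
                    Finding(lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch))
                )
    return findings


def unterminated_lines(text: str) -> List[int]:
    """Lines that end with an embedding, override or isolate still open.
    Heuristic nesting count only; it does not implement the bidi algorithm."""
    result = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        depth = 0
        for ch in line:
            if ch in OPENERS:
                depth += 1
            elif ch in CLOSERS:
                depth = max(depth - 1, 0)
        if depth:
            result.append(lineno)
    return result


def make_visible(line: str) -> str:
    """Replace each control with a visible <U+XXXX> marker, the plain-text
    analogue of the highlight the fixed products draw around such characters."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROL else c for c in line)


# Constructed sample: one comment carries a RIGHT-TO-LEFT OVERRIDE that is
# never popped before the line ends; the other lines contain no controls.
SAMPLE = (
    "def check(token):\n"
    "    # constructed sample: this comment contains \u202e an override\n"
    "    return token == 'ok'\n"
    "name = 'plain text'  # no controls here\n"
)

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for f in scan_text(SAMPLE):
        print(f"line {f.line} col {f.column}: {f.codepoint} {f.name}")
        print("    " + make_visible(lines[f.line - 1]))
    print("unterminated on lines:", unterminated_lines(SAMPLE))
```

Running the module on its own scans `SAMPLE` and prints one finding on line 2 (U+202E RIGHT-TO-LEFT OVERRIDE) together with the line rendered with a visible marker. The scanner is equally usable in a pre-receive hook or CI step over the decoded contents of each changed file, which complements rather than replaces the rendered highlight the fixed product versions provide.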

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, check our Frequently asked questions for CVE-2021-42574, or raise a support request at https://support.atlassian.com/.

References

Security Bug Fix Policy

As per our new policy, high severity security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches.

Binary patches are no longer released.

Severity Levels for Security Issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

Atlassian Support End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.

Last modified on Nov 2, 2021
