FAQ for CVE-2021-42574

General Information

This page contains frequently asked questions and answers related to the unrendered unicode bidirectional override characters security advisory published on .


What can I do until I can upgrade?

We understand you’re looking for proactive steps that you can use until you can upgrade to get a fix for visually displaying Unicode bidirectional override (bidi) characters in the app. While the only option to get this new visibility is to upgrade, we’re putting together some queries so you can scan your application for these characters. It is up to you to make an assessment if they are being legitimately used. This is the same practice we would recommend you and your security team take even after an upgrade.

We want to be clear that this is not a new method for an attacker to gain access to your system. A user must be able to post content in order for these characters, and potentially malicious code, to be introduced. A couple of security best practices that should be shared with your organization now and even after you upgrade:

  1. don’t copy/paste code snippets from external sources that you’ll introduce into your source code
  2. use even greater caution if using copy/paste into command shells

These are only two common examples of how these characters are unknowingly introduced and cause unintended results.

Once again, the fix reveals these characters to users as they work with code on the screen, and some use cases are legitimate. You must still determine if they are legitimately being used if you find them.

We’re working with development to create queries you or your database team can use to identify these characters where possible in our products.

For Bitbucket Server and Data Center and Fisheye/Crucible, you will need to search the content of your repositories for bidi characters. Atlassian is not able to provide guidance on how to search for these characters in your repositories and we recommend you consult with your security team on best practices. The list of the bidi characters that we've added visibility for in the fixed versions is available below.


Does the presence of bidirectional characters indicate that my instance has been compromised?

No. These characters have legitimate use cases in some scripts. One example is Arabic, a very widely used script that is read right to left. Bidirectional characters enable translations to these scripts for users. It is important to understand what the code and its logic do, and how the code uses the bidirectional characters, in order to determine whether they are being used to perform malicious or unintentional operations.


What is the mitigation for homoglyph characters / CVE-2021-42694? Are you working on a fix?

Homoglyph characters are known and widely used in some legitimate cases across different software and codebases. Some scripts require the use of homoglyph characters and they are also supported under the ECMAScript specification.

Atlassian is committed to making sure that our products are secure for our customers to use. We are in close talks with the security auditing companies that we partner with to scan codebases to detect homoglyphs. There are numerous scripts available from the open source community (one example being https://github.com/codebox/homoglyph) that can help you identify the existence of homoglyphs in your codebase. However, Atlassian takes no responsibility for the use of these scripts, including the linked example.


Can we determine if bidirectional or homoglyph characters exist in our application?

If you are using our cloud products or a version of a server product with the mitigation rolled out, you will be able to clearly identify bidirectional characters, if present, in codebases and code blocks.


How did you [Atlassian] check your own systems for these characters? What did you do if/when you found them?

We’ve scanned our files and assessed them for signs of malicious conditions.


Can you share unicode characters that can be used for testing that the vulnerability is patched?

| Abbreviation | Code Point | Name | Description |
|---|---|---|---|
| LRE | U+202A | Left-to-Right Embedding | Try treating following text as left-to-right. |
| RLE | U+202B | Right-to-Left Embedding | Try treating following text as right-to-left. |
| LRO | U+202D | Left-to-Right Override | Force treating following text as left-to-right. |
| RLO | U+202E | Right-to-Left Override | Force treating following text as right-to-left. |
| LRI | U+2066 | Left-to-Right Isolate | Force treating following text as left-to-right without affecting adjacent text. |
| RLI | U+2067 | Right-to-Left Isolate | Force treating following text as right-to-left without affecting adjacent text. |
| FSI | U+2068 | First Strong Isolate | Force treating following text in direction indicated by the next character. |
| PDF | U+202C | Pop Directional Formatting | Terminate nearest LRE, RLE, LRO, or RLO. |
| PDI | U+2069 | Pop Directional Isolate | Terminate nearest LRI or RLI. |
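
For teams that need to search repository content or exported text for the nine code points in the table above, the following scanner is an added example (it is not Atlassian's code or guidance). It reports the line and column of each character and counts openers left unterminated on a line as a triage signal only; the names `scan_text`, `scan_tree` and the constructed `SAMPLE` string are assumptions of this example.

```python
import sys
from pathlib import Path

# Code points and abbreviations from the table above.
BIDI = {"\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO",
        "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
        "\u202C": "PDF", "\u2069": "PDI"}
EMBEDS = {"LRE", "RLE", "LRO", "RLO"}  # terminated by PDF
ISOLATES = {"LRI", "RLI", "FSI"}       # terminated by PDI (FSI too, per UAX #9)
# Constructed sample: line 2 has a balanced isolate, line 3 an unterminated override.
SAMPLE = 'name = "user"\nnote = "\u2067abc\u2069 ok"\nflag = "\u202Exyz"\n'


def scan_text(text):
    """Return (line_no, [(column, abbreviation), ...], unterminated) per affected line."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        hits, stack = [], []
        for col, ch in enumerate(line, start=1):
            name = BIDI.get(ch)
            if name:
                hits.append((col, name))
            if name in EMBEDS | ISOLATES:
                stack.append(name)
            elif name == "PDF" and stack and stack[-1] in EMBEDS:
                stack.pop()
            elif name == "PDI" and ISOLATES.intersection(stack):
                # PDI also ends embeddings opened inside the isolate it closes.
                while stack.pop() not in ISOLATES:
                    pass
        if hits:
            findings.append((line_no, hits, len(stack)))
    return findings


def scan_tree(root):
    """Scan every regular file under root, skipping .git; bad UTF-8 is replaced."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and ".git" not in path.parts:
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                report[str(path)] = found
    return report


if __name__ == "__main__":
    for name, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, *found, sep="\n  ")
```

A hit is only a location to review: as noted above, these characters have legitimate uses, so each finding still needs a human decision.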


What versions of your applications have you fixed?

Refer to the security advisory to learn the fixed versions: Multiple Products Security Advisory - Unrendered unicode bidirectional override characters - CVE-2021-42574


Upgrading

I need help upgrading

For detailed information and step-by-step instructions related to upgrading, please see the relevant links below.

Jira

Upgrading Jira applications

For upgrading Jira Data Center with zero downtime: Upgrading Jira Data Center with zero downtime

Confluence

Upgrading Confluence

Bitbucket Server

Bitbucket Server upgrade guide

Bamboo

Bamboo upgrade guide

Fisheye/Crucible

Fisheye upgrade guide

Crucible upgrade guide


I’d like for an engineer to help me with my upgrade

We cannot offer dedicated assistance but we are happy to help plan your upgrade and we will respond to any issues that arise and are submitted according to our service level agreements.

For more information regarding Atlassian's support offerings, please check out Atlassian Support Offerings.


Advisories

This advisory is rated “high” and normally a notification is only sent for “critical” severity issues, why the change?

At Atlassian, customer security and trust are very important. We were notified of this vulnerability by researchers along with their intent to go public with the vulnerability information. In the interest of our customers' security and trust, we are making sure that our customers are aware that a mitigation is already in place when the vulnerability information is made public. Severity rating is only a part of this decision.


How does Atlassian decide who to send advisory emails to?

By default, the primary technical contact will always receive emails regarding security vulnerabilities as well as other technical alerts (pricing changes, maintenance notifications, etc). 

Other contacts can opt into these notifications by going to http://my.atlassian.com, clicking “Email Preferences” at the top, scrolling to “Tech Alerts”, and selecting the products they want notifications for.


Product Specific

Jira Core / Jira Software / Jira Service Management

I just upgraded due to the security advisory (CVE-2018-10054) released on  , how do I know I won’t have to upgrade again in a week?

We are aware that having two advisories in such a short period presents a challenge. Although we cannot guarantee that there will be no further advisories in the near future, I can point you to our Jira security advisory history. As you can see, this is an atypical situation and our priority is always to make your instance as secure as possible.

Jira Core / Jira Software

I just upgraded my Jira Core/Jira Software instance due to the security advisory (CVE-2018-10054) released on  , and I am unable to upgrade immediately. Is there a temporary workaround to mitigate against CVE-2021-42574?

We recommend upgrading as soon as possible if you are on an affected version, but as a temporary workaround, you can mitigate the issue by deploying new JAR files that contain a partial fix.

(info) For Jira Data Center, the temporary workaround can be applied on one node at a time without shutting down the whole Jira cluster. There are no dependencies between nodes for the workaround JAR files.

(info) The temporary workaround is supported only for Jira Core / Jira Software version 8.20.

The following changes are not included in the patch, and are only available after Jira is upgraded to a fixed version:

  • Highlighting bidi unicode characters in outgoing e-mails

  • Highlighting bidi unicode characters in activity streams

You must upgrade to a fixed version to receive all the changes:

  • Highlighting bidi unicode characters in code blocks on all issue screens (create, view, edit etc.)

    • E.g. issue description, comments or custom fields using wiki markup

    • When the value is displayed and when it’s being edited in visual mode

  • Highlighting bidi unicode characters in code blocks in outgoing e-mails

  • Highlighting bidi unicode characters in code blocks in activity streams

Instructions for Jira Core / Jira Software

Requirements

Jira Core / Jira Software version 8.20

Patched Files & Locations

| Location | Remove this file | New file |
|---|---|---|
| <jira-install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/ | jira-editor-plugin-4.6.5.jar | jira-editor-plugin-4.7.1-patch.jar |
| <jira-install>/atlassian-jira/WEB-INF/lib/ | atlassian-renderer-8.0.32.jar | atlassian-renderer-8.0.33-patch.jar |


Steps - Use table above

  1. Shut down Jira (or node).

  2. Download and unpack the file jira.zip.

  3. Remove the file listed under “Remove this file” from the specified locations (see table above).

    1. Do not back up the existing file within the Jira install directory.

    2. Do not create a copy; the existing file must be moved.

  4. Copy the newly downloaded files to the specified location.

  5. Ensure the files have permissions similar to the rest of the files in the directory.

  6. Start Jira (or node).

  7. If you run Jira in a cluster, make sure you deploy the new files similarly on all of your nodes.


Jira Service Management

I just upgraded my Jira Service Management instance due to the security advisory (CVE-2018-10054) released on   , and I am unable to upgrade immediately. Is there a temporary workaround to mitigate against CVE-2021-42574?

We recommend upgrading as soon as possible if you are on an affected version, but as a temporary workaround, you can mitigate the issue by deploying new JAR files that contain a partial fix.

(info) For Jira Data Center, the temporary workaround can be applied on one node at a time without shutting down the whole Jira cluster. There are no dependencies between nodes for the workaround JAR files.

(info) The temporary workaround is supported only for Jira Service Management version 4.20!

(warning) Requires Jira 8.20 patch files to also be installed (see above)!

The following features are not covered by the patch, and are only available after a regular Jira upgrade:

  • Highlighting bidi unicode characters in outgoing e-mails

  • Highlighting bidi unicode characters in activity streams

You must upgrade to a fixed version for the full fix:

  • Highlighting bidi unicode characters in code blocks on all issue screens (create, view, edit etc.)

    • E.g. issue description, comments or custom fields using wiki markup

    • When the value is displayed and when it’s being edited in visual mode

  • Highlighting bidi unicode characters in code blocks in outgoing e-mails

  • Highlighting bidi unicode characters in code blocks in activity streams

Instructions for Jira Service Management

Requirements

  • Jira Service Management version 4.20

  • Jira 8.20 patched JAR files must be installed

Patched Files & Locations

If Jira Service Management is downloaded from here and installed:

| Location | Remove this file | New file |
|---|---|---|
| <jira-install>/atlassian-jira/WEB-INF/application-installation/jira-servicedesk-application | servicedesk-frontend-plugin-4.20.0-REL-0052.jar | servicedesk-frontend-plugin-4.20.0-REL-0053.jar |
| <jira-install>/atlassian-jira/WEB-INF/application-installation/jira-servicedesk-application | insight-9.1.2.jar | insight-9.1.3.jar |

If Jira Software was downloaded and installed, and Jira Service Management was added later:

| Installation | Locations | Remove the files | New files |
|---|---|---|---|
| Data Center | <jira-shared-home>/plugins/installed-plugins/ | servicedesk-frontend-plugin-4.20.0-REL-0052.jar | servicedesk-frontend-plugin-4.20.0-REL-0052.jar |
| | | insight-9.1.2.jar | insight-9.1.2.jar |
| Server | <jira-home>/plugins/installed-plugins/ | servicedesk-frontend-plugin-4.20.0-REL-0052.jar | servicedesk-frontend-plugin-4.20.0-REL-0052.jar |
| | | insight-9.1.2.jar | insight-9.1.2.jar |


Steps - Use the table above

  1. Shut down Jira (or node).

  2. Download and unpack the file jsm.zip.

  3. Remove the files listed under “Remove this file” from the specified locations (see table above).

    1. (warning) Do not back up the existing file within the Jira install directory.

    2. (warning) Do not create a copy; the existing file must be moved.

  4. Copy the newly downloaded files to the specified locations.

  5. Ensure the files have permissions similar to the rest of the files in the directory.

  6. Start Jira (or node).

  7. If you run Jira in a cluster, make sure you deploy the new files similarly on all of your nodes.


I use Insight Asset Management, do I need to upgrade the app?

Insight Asset Management is bundled with Jira Service Management 4.15 and later. If you are running, or upgrading to Jira Service Management 4.15 or later, there are no additional steps required to update Insight Asset Management.

If you are running Jira Service Management 4.14 or earlier, you will also need to update Insight Asset Management through UPM. This includes if you’re upgrading to Jira Service Management 4.13.13.

  1. Go to Administration > Manage Apps.

  2. Follow the prompts to upgrade Insight Asset Management.

For Jira Service Management compatibility information see the Insight Asset Management Marketplace listing.



Confluence

I just upgraded my Confluence instance due to the security advisory (CVE-2021-26084) released on  , how do I know I won’t have to upgrade again in a week?

We are aware that having two advisories in such a short period presents a challenge. Although we cannot guarantee that there will be no further advisories in the near future, I can point you to our Confluence security advisory history. As you can see, this is an atypical situation and our priority is always to make your instance as secure as possible.


I just upgraded my Confluence instance due to the security advisory (CVE-2021-26084) released on  , and I am unable to upgrade immediately. Is there a temporary workaround to mitigate against CVE-2021-42574?

We recommend upgrading as soon as possible if you are on an affected version, but as a temporary workaround, you can mitigate the issue by deploying a new JAR file that contains the fix.

The temporary workaround can be applied on one node at a time without shutting down the whole Confluence cluster. There are no dependencies between nodes for the workaround JAR file.
(info) The temporary workaround is supported only for Confluence 7.4.9 and later.
(warning) For Confluence 7.4.8 and older, please upgrade to a fixed version of Confluence.

Instructions for Confluence

  1. Shut down Confluence (or node).

  2. Download newcode-macro-plugin-4.1.1.jar to the Confluence Server.

  3. Move the existing <confluence-install>/confluence/WEB-INF/atlassian-bundled-plugins/newcode-macro-plugin-X.X.X.jar outside the <confluence-install> directory.

    1. Where X.X.X is the version number dependent on your Confluence version.

    2. (warning) Do not back up the existing file within the Confluence install directory.

    3. (warning) Do not create a copy; the existing file must be moved.

  4. Copy the downloaded newcode-macro-plugin-4.1.1.jar file into <confluence-install>/confluence/WEB-INF/atlassian-bundled-plugins/

  5. Ensure that newcode-macro-plugin-4.1.1.jar has file permissions matching the rest of the files in the same directory.

  6. Start Confluence (or node).

  7. If you run Confluence in a cluster, make sure you deploy newcode-macro-plugin-4.1.1.jar on all of your nodes.



Last modified on Nov 5, 2021
