FAQ for CVE-2022-0540

Atlassian Knowledge Base


General Information

A critical vulnerability in Jira's web authentication framework, Jira Seraph (CVE-2022-0540), has been discovered. Read more about Jira Server and Data Center - Authentication Bypass in Seraph - CVE-2022-0540.

This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will continuously update this page as new information becomes available.

Are Cloud instances affected?

No, Atlassian cloud instances are not vulnerable and no customer action is required. 

My instance isn't exposed to the Internet. Is an upgrade still recommended?

Yes! While ensuring instances are not exposed to the public internet greatly reduces the attack surface, we always recommend upgrading when security fixes are available. We try to provide as much information as possible so that customers can determine the scope (e.g. affected products, and in this case, affected apps) and impact. It's ultimately up to each customer to consider this information when determining whether mitigating factors, like no external access to the instance, reduce the risk to their business enough to defer installing an upgrade.

Which Atlassian apps are affected and in what versions are they bundled?

Two bundled Atlassian apps are affected:

  • Insight - Asset Management; bundled in Jira Service Management Server and Data Center 4.15.0 and later
  • Mobile Plugin for Jira, bundled in Jira Server, Jira Software Server and Data Center 8.0.0 and later, Jira Service Management Server and Data Center 4.0.0 and later

One standalone Atlassian app is affected:

  • Insight - Asset Management (Server, Data Center) versions < 8.10.0; available from the Atlassian Marketplace

What are my options for securing each of these apps?

Install a fixed version of Jira or Jira Service Management.

Installing a fixed version listed in the security advisory is the surest way to remediate CVE-2022-0540. Once a fixed version has been installed, all apps in your Jira or JSM instance are protected against CVE-2022-0540 and no further action is required.

If updating to a fixed version isn't immediately possible

Bundled apps

Mobile Plugin for Jira - update the plugin from the Marketplace.

Insight - Asset Management - disable the app (*)

This option should be considered if you determine the risk of keeping the app enabled outweighs the functionality lost by disabling the app.

  • Insight - Asset Management can be disabled for the following versions of Jira Service Management Server and Data Center
    • Versions < 4.19.0
    • Versions >= 4.20.3

*A dependency in Jira Service Management versions 4.19-4.20.2 causes Jira Service Management to also be disabled when the Insight - Asset Management app is disabled.

Standalone app

Insight - Asset Management - either upgrade the app, or disable it if you determine the risk of keeping the app enabled outweighs the functionality lost by disabling the app.

  • Versions 8.x >= 8.10.0 are not affected by CVE-2022-0540
  • Please note versions 8.x can only be installed via UPM on JSM versions prior to 4.15.0. 

I've written my own in-house app that isn't on the Atlassian Marketplace, how can I update my app?

Any <webwork1> element containing the roles-required attribute needs to have the same roles-required attribute included in all of its child <action> elements.

This is demonstrated in the examples below.

Configuration vulnerable to CVE-2022-0540 (roles-required specified at the <webwork1> level but not the <action> level):

<webwork1 key="foo_key" name="Foo" class="java.lang.Object" roles-required="admin">
     <actions>
          <action name="com.example.jira.plugin.foo" alias="FooShowIndex">
               <view name="error">/templates/common/error.vm</view>
               <view name="success">/templates/pluginadmin/index_show.vm</view>
          </action>
     </actions>
</webwork1>
Updated configuration not vulnerable to CVE-2022-0540 (roles-required specified at the <action> level):

<webwork1 key="foo_key" name="Foo" class="java.lang.Object">
     <actions>
          <action name="com.example.jira.plugin.foo" alias="FooShowIndex" roles-required="admin">
               <view name="error">/templates/common/error.vm</view>
               <view name="success">/templates/pluginadmin/index_show.vm</view>
          </action>
     </actions>
</webwork1>

Alternate configuration not vulnerable to CVE-2022-0540 (roles-required specified at both the <webwork1> and <action> levels):

<webwork1 key="foo_key" name="Foo" class="java.lang.Object" roles-required="admin">
     <actions>
          <action name="com.example.jira.plugin.foo" alias="FooShowIndex" roles-required="admin">
               <view name="error">/templates/common/error.vm</view>
               <view name="success">/templates/pluginadmin/index_show.vm</view>
          </action>
     </actions>
</webwork1>
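To audit an in-house app's descriptor for the pattern above before shipping it, the following check walks every <webwork1> module and reports each child <action> that does not carry the same roles-required value as its parent. This is an added example, not Atlassian's code or a tool from the page; the descriptor it parses is a constructed sample (hypothetical keys and class names) that contains one vulnerable module and two fixed ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample atlassian-plugin.xml fragment (hypothetical keys/names, not a real app).
# "vuln_key" has the vulnerable shape; "fixed_key" and "both_key" have the fixed shapes,
# except that one action in "both_key" declares a different role than its parent.
SAMPLE_DESCRIPTOR = """<atlassian-plugin key="com.example.sample" name="Sample">
  <webwork1 key="vuln_key" name="Vuln" class="java.lang.Object" roles-required="admin">
    <actions>
      <action name="com.example.jira.plugin.vuln" alias="VulnShowIndex">
        <view name="success">/templates/index.vm</view>
      </action>
    </actions>
  </webwork1>
  <webwork1 key="fixed_key" name="Fixed" class="java.lang.Object">
    <actions>
      <action name="com.example.jira.plugin.fixed" alias="FixedShowIndex" roles-required="admin"/>
    </actions>
  </webwork1>
  <webwork1 key="both_key" name="Both" class="java.lang.Object" roles-required="admin">
    <actions>
      <action name="com.example.jira.plugin.both" alias="BothShowIndex" roles-required="admin"/>
      <action name="com.example.jira.plugin.weak" alias="WeakShowIndex" roles-required="use"/>
    </actions>
  </webwork1>
</atlassian-plugin>"""


def find_unprotected_actions(descriptor_xml):
    """Return (webwork1 key, action alias, reason) for each <action> whose own
    roles-required attribute is missing or differs from its parent <webwork1>."""
    findings = []
    root = ET.fromstring(descriptor_xml)
    for module in root.iter("webwork1"):
        required = module.get("roles-required")
        if required is None:
            continue  # no module-level role requirement to be bypassed
        for action in module.iter("action"):
            own = action.get("roles-required")
            if own is None:
                findings.append((module.get("key"), action.get("alias"), "missing roles-required"))
            elif own != required:  # values compared as written, e.g. "admin" vs "use"
                findings.append((module.get("key"), action.get("alias"),
                                 "roles-required %r differs from module-level %r" % (own, required)))
    return findings


if __name__ == "__main__":
    for key, alias, reason in find_unprotected_actions(SAMPLE_DESCRIPTOR):
        print("%s/%s: %s" % (key, alias, reason))
```

Point it at a real descriptor with `find_unprotected_actions(open("atlassian-plugin.xml").read())`; an empty result means every role-protected module also protects each of its actions.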

How is app X vulnerable? How can we determine if the risk of using the app is greater than the benefit of using it?

The guidance we provided in the security advisory is to connect with the app vendor directly to learn the impact so that you can determine the risk. 

Regarding our bundled apps, we've included this information in the security advisory in the section Determining which apps are affected under the expand titled "Atlassian Marketplace apps with configurations affected by CVE-2022-0540" in the Notes column.

Mobile Plugin for Jira

Atlassian has determined the security risk is negligible since all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540.

Insight - Asset Management

An attacker can exploit this vulnerability to execute arbitrary code. In order to do so, the attacker needs the following:

How did some app developers know to update their code to fix this vulnerability in Jira?

Due to the nature of this vulnerability, in which the flaw is in Jira but is exposed through apps, combined with our understanding that Jira upgrades can take some time, we leveraged our relationship with Marketplace partners. We did this with a shared goal in mind: to minimize the impact of the critical advisory as much as possible by asking affected partners to update their code, since apps are easier to upgrade.

If Insight is also an app, why can't I upgrade the bundled version?

The bundled version of Insight is now integrated with Jira Service Management as a core feature so although it started off as an app (and can still be found as a standalone app for Jira) it is deeply interwoven within the product. 

The fixes made it into the product for some time, why weren't they communicated immediately?

This vulnerability is unique in that the vulnerability is in Jira code but the code paths that are potentially exposed are in apps. It took some time for us to scan our own code and to also scan the code of Marketplace apps. Once the scanning was complete we needed to give Marketplace partners a window of time to update their code to help mitigate the impact to customers.

We use HTTPS/SSL, are we still vulnerable?

Yes. HTTPS is HTTP with encryption (SSL/TLS) which helps secure content traveling between two points. Whether or not encryption is used doesn’t have any effect on how the vulnerability can be exploited.

Last modified on Apr 29, 2024
