FAQ for CVE-2022-0540
A critical vulnerability in Jira's web authentication framework, Jira Seraph (CVE-2022-0540), has been discovered. Read more about Jira Server and Data Center - Authentication Bypass in Seraph - CVE-2022-0540.
This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will continuously update this page as new information becomes available.
Are Cloud instances affected?
No, Atlassian cloud instances are not vulnerable and no customer action is required.
My instance isn't exposed to the Internet. Is an upgrade still recommended?
Yes! While ensuring instances are not exposed to the public internet greatly reduces the attack surface, we always recommend upgrading when security fixes are available. We try to provide as much information as possible so that customers can determine the scope (e.g. affected products, and in this case, affected apps) and impact. It's ultimately up to each customer to consider this information when determining whether mitigating factors, like no external access to the instance, reduce the risk to their business enough to defer installing an upgrade.
Which Atlassian apps are affected and in what versions are they bundled?
Two bundled Atlassian apps are affected:
- Insight - Asset Management, bundled in Jira Service Management Server and Data Center 4.15.0 and later
- Mobile Plugin for Jira, bundled in Jira Server, Jira Software Server and Data Center 8.0.0 and later, Jira Service Management Server and Data Center 4.0.0 and later
One standalone Atlassian app is affected:
- Insight - Asset Management (Server, Data Center) versions < 8.10.0; available from the Atlassian Marketplace
What are my options for securing each of these apps?
Install a fixed version of Jira or Jira Service Management.
Installing a fixed version listed in the security advisory is the surest way to remediate CVE-2022-0540. Once a fixed version has been installed, all apps in your Jira or JSM instance are protected against CVE-2022-0540 and no further action is required.
If updating to a fixed version isn't immediately possible:
Mobile Plugin for Jira - update the plugin from the Marketplace.
Insight - Asset Management - disable the app (*)
This option should be considered if you determine the risk of keeping the app enabled outweighs the functionality lost by disabling the app.
- Insight - Asset Management can be disabled for the following versions of Jira Service Management Server and Data Center
- Versions < 4.19.0
- Versions >= 4.20.3
*A dependency in Jira Service Management versions 4.19-4.20.2 causes Jira Service Management to also be disabled when Insight - Asset Management app is disabled.
Standalone Insight - Asset Management app (from the Marketplace) - either upgrade the app, or disable it if you determine the risk of keeping the app enabled outweighs the functionality lost by disabling the app.
- Versions 8.x >= 8.10.0 are not affected by CVE-2022-0540
- Please note versions 8.x can only be installed via UPM on JSM versions prior to 4.15.0.
I've written my own in-house app that isn't on the Atlassian Marketplace, how can I update my app?
<webwork1> elements containing the roles-required attribute need to have the same roles-required attribute included in all of their child <action> elements. This is demonstrated in the examples below.
Configuration vulnerable to CVE-2022-0540 (roles-required specified at the <webwork1> level but not the <action> level):
    <webwork1 key="foo_key" name="Foo" class="java.lang.Object" roles-required="admin">
      <actions>
        <action name="com.example.jira.plugin.foo" alias="FooShowIndex">
          <view name="error">/templates/common/error.vm</view>
          <view name="success">/templates/pluginadmin/index_show.vm</view>
        </action>
      </actions>
    </webwork1>
Updated configuration not vulnerable to CVE-2022-0540 (roles-required specified at the <action> level):
    <webwork1 key="foo_key" name="Foo" class="java.lang.Object">
      <actions>
        <action name="com.example.jira.plugin.foo" alias="FooShowIndex" roles-required="admin">
          <view name="error">/templates/common/error.vm</view>
          <view name="success">/templates/pluginadmin/index_show.vm</view>
        </action>
      </actions>
    </webwork1>
Alternate configuration not vulnerable to CVE-2022-0540 (roles-required specified at both the <webwork1> and <action> levels):
    <webwork1 key="foo_key" name="Foo" class="java.lang.Object" roles-required="admin">
      <actions>
        <action name="com.example.jira.plugin.foo" alias="FooShowIndex" roles-required="admin">
          <view name="error">/templates/common/error.vm</view>
          <view name="success">/templates/pluginadmin/index_show.vm</view>
        </action>
      </actions>
    </webwork1>
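As an added example (not Atlassian's code), the following Python scanner applies the rule above to an atlassian-plugin.xml descriptor of an in-house app: it lists every <action> whose only roles-required comes from its parent <webwork1> module, and can rewrite the descriptor into the "alternate" form with the attribute at both levels. The descriptor, module keys and action aliases below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not a real app): one module in the vulnerable
# shape from the FAQ (role only on <webwork1>), one in the fixed shape.
SAMPLE_PLUGIN_XML = """<atlassian-plugin key="com.example.jira.plugin" name="Example">
  <webwork1 key="vuln_key" name="Vuln" class="java.lang.Object" roles-required="admin">
    <actions>
      <action name="com.example.jira.plugin.foo" alias="FooShowIndex">
        <view name="success">/templates/pluginadmin/index_show.vm</view>
      </action>
      <action name="com.example.jira.plugin.foo" alias="FooDoIt" roles-required="admin"/>
    </actions>
  </webwork1>
  <webwork1 key="fixed_key" name="Fixed" class="java.lang.Object">
    <actions>
      <action name="com.example.jira.plugin.bar" alias="BarShowIndex" roles-required="admin"/>
    </actions>
  </webwork1>
</atlassian-plugin>"""


def find_unprotected_actions(plugin_xml: str) -> list[tuple[str, str]]:
    """Return (webwork1 key, action alias) for every <action> that relies on a
    roles-required attribute set only on its parent <webwork1>; per the FAQ,
    that module-level attribute alone is what CVE-2022-0540 fails to enforce."""
    root = ET.fromstring(plugin_xml)
    findings = []
    for module in root.iter("webwork1"):
        if not module.get("roles-required"):
            continue  # no module-level role gate here; nothing to inherit
        for action in module.iter("action"):
            if not action.get("roles-required"):
                findings.append((module.get("key"), action.get("alias")))
    return findings


def propagate_roles_required(plugin_xml: str) -> str:
    """Produce the FAQ's alternate configuration: copy each module-level
    roles-required value onto every child <action> that lacks its own."""
    root = ET.fromstring(plugin_xml)
    for module in root.iter("webwork1"):
        roles = module.get("roles-required")
        if not roles:
            continue
        for action in module.iter("action"):
            # keep an action's own value if it already has one
            action.set("roles-required", action.get("roles-required") or roles)
    return ET.tostring(root, encoding="unicode")
```

Run find_unprotected_actions over each descriptor you ship; an empty result means every role-gated action carries the attribute itself.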
How is app X vulnerable? How can we determine whether the risk of using the app is greater than the benefit of using it?
The guidance we provided in the security advisory is to connect with the app vendor directly to learn the impact so that you can determine the risk.
Regarding our bundled apps, we've included this information in the security advisory in the section Determining which apps are affected under the expand titled "Atlassian Marketplace apps with configurations affected by CVE-2022-0540" in the Notes column.
Mobile Plugin for Jira
Atlassian has determined the security risk is negligible since all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540.
Insight - Asset Management
An attacker can exploit this vulnerability to execute arbitrary code. In order to do so, the attacker needs the following:
- The user must be an authenticated Jira user AND
- The user must have user or group permission to “Object Schema Manager” within Insight - Asset Management.
How did some app developers know to update their code to fix this vulnerability in Jira?
Because of the nature of this vulnerability (Jira itself is vulnerable, but it is apps that are exposed), and because we understand that Jira upgrades can take some time, we leveraged our relationship with Marketplace partners. Our shared goal was to minimize the impact of the critical advisory as much as possible, so we asked affected partners to update their code, since apps are easier to upgrade than Jira.
If Insight is also an app, why can't I upgrade the bundled version?
The bundled version of Insight is now integrated with Jira Service Management as a core feature so although it started off as an app (and can still be found as a standalone app for Jira Software) it is deeply interwoven within the product.
The fixes made it into the product for some time, why weren't they communicated immediately?
This vulnerability is unique in that the vulnerability is in Jira code but the code paths that are potentially exposed are in apps. It took some time for us to scan our own code and to also scan the code of Marketplace apps. Once the scanning was complete we needed to give Marketplace partners a window of time to update their code to help mitigate the impact to customers.
We use HTTPS/SSL, are we still vulnerable?
Yes. HTTPS is HTTP with encryption (SSL/TLS) which helps secure content traveling between two points. Whether or not encryption is used doesn’t have any effect on how the vulnerability can be exploited.