FAQ for CVE-2022-1471
General Information
A critical severity remote code execution (RCE) vulnerability was discovered in the SnakeYAML library for Java, which is used by multiple Atlassian products (CVE-2022-1471).
This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will continuously update this page as new information becomes available.
Are Cloud instances affected?
Atlassian Cloud sites are not impacted by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and not vulnerable to this issue.
My instance isn't exposed to the Internet. Is an upgrade still recommended?
Yes! While ensuring instances are not exposed to the public internet greatly reduces the attack surface, we always recommend upgrading when security fixes are available. We try to provide as much information as possible so that customers can determine the scope and impact. It's ultimately up to each customer to consider this information when determining whether mitigating factors, like no external access to the instance, reduce the risk to their business enough to defer installing an upgrade.
How does Atlassian decide who to send these emails to?
By default, the primary technical contact will always receive emails regarding security vulnerabilities as well as other technical alerts (pricing changes, maintenance notifications, etc).
Other contacts can opt into these notifications by going to my.atlassian.com, clicking Email Preferences at the top, scrolling to Tech Alerts, and selecting the products they want notifications for.
I wasn't made aware of the vulnerability. How and when was this communicated by Atlassian?
An alert was sent to all customers subscribed to the product technical alerts list when we released the fix. You can check your membership on that list by going to https://my.atlassian.com/email.
Why are there so many security advisories lately?
Your security is our top priority, and we believe that acting proactively is the best approach to protecting your data. We found these vulnerabilities as part of an ongoing security review that we are conducting in addition to our continuous security assessments (more info - https://www.atlassian.com/trust/security/security-testing).
Please continue to follow the Critical Security Advisories for future updates, and if you have questions, please respond to this email or raise a support request via support.atlassian.com.
What if I don’t have a local security team?
We recommend engaging a specialist security firm for further investigation.
Confluence
A Confluence instance might be affected by this vulnerability depending on two main factors:
If the instance is running on an affected version, or
If the instance has the Confluence Cloud Migration Assistant (CCMA) app on an affected version (which comes bundled with Confluence).
Early versions of the CCMA app include the vulnerable SnakeYAML library.
Please note that even if your Confluence instance is running an unaffected version, your instance is still vulnerable if it is running an impacted early version of the CCMA app.
What versions of Confluence are affected, and which versions contain the fix?
Affected Confluence versions
Confluence Server and Data Center
LTS (Long Term Support) versions:
7.19.9 or lower
7.13.17 or lower
Non-LTS versions:
8.3.0
8.2.X (any minor version)
8.1.X (any minor version)
8.0.X (any minor version)
7.20.X (any minor version)
7.18.X (any minor version)
any earlier version of the product.
Fixed Confluence versions
LTS (Long Term Support) versions:
8.5.0 or higher
7.19.10 or higher
7.13.18 or higher (end-of-life LTS version)
Non-LTS versions:
8.7.0 or higher
8.6.0 or higher
8.4.0 or higher
8.3.1 or higher
Affected Confluence Cloud Migration Assistant (CCMA) app versions
Plugin versions lower than 3.4.0.
Fixed Confluence Cloud Migration Assistant (CCMA) app versions
Plugin versions equal to 3.4.0 or higher.
Examples of Affected Configurations
Confluence 8.0.3 (affected) with CCMA version 3.4.5 (not affected) = affected.
Confluence 7.19.12 (not affected) with CCMA version 3.3.13 (affected) = affected.
Confluence 7.17.5 (affected) with CCMA version 3.4.0 (not affected) = affected.
Confluence 7.16.5 (affected) with CCMA version 3.3.11 (affected) = affected.
How can I mitigate this vulnerability in Confluence?
This security vulnerability cannot be mitigated in any way other than patching the instance to a version of Confluence and the CCMA app that contains the fix.
Please refer to Upgrading Confluence (or Upgrading Confluence Manually) for detailed steps. FYI, a fixed version of the CCMA app is already bundled with the fixed version of Confluence that addresses this CVE.
If you have been advised by the Atlassian Cloud Migrations Team to use an older version of the CCMA app for an active/ongoing migration, then please let us know and we will assist you accordingly.
If you face any issues during or after the upgrade, please open a support ticket, and we'll promptly assist you in getting things resolved.
Jira / Jira Software / Jira Service Management / Automation for Jira app
What versions of Jira are affected?
The vulnerability exists in a library used by all versions of the Automation for Jira app (including the Server Lite edition) which is also bundled in Jira Core / Jira Software 9+ and Jira Service Management 5+.
Please refer to the security advisory for the most recent list of affected versions.
Affected Versions:
Jira Core / Jira Software
LTS (Long Term Support) versions:
9.4.0 to 9.4.12
Non-LTS versions:
9.0.X
9.1.X
9.2.X
9.3.X
9.5.x
9.6.x
9.7.x
9.8.x
9.9.x
9.10.x
9.11.0
9.11.1
Jira Service Management
LTS (Long Term Support) versions:
5.4.0 to 5.4.12
Non-LTS versions:
5.0.X
5.1.X
5.2.X
5.3.X
5.5.x
5.6.x
5.7.x
5.8.x
5.9.x
5.10.x
5.11.0
5.11.1
Automation for Jira apps (if installed in Jira < 9.0 or Jira Service Management < 5.0)
8.2.2 or lower
9.0.0
9.0.1
Atlassian strongly recommends updating to the following versions of Jira or upgrading just the Automation for Jira app via the Universal Plugin Manager (UPM).
See breaking changes in A4J 9.0+ for more info. This version was also bundled with Jira 9.11+ and JSM 5.11+.
Upgrade Jira
LTS (Long Term Support) versions:
Jira Core/Software 9.4.14/JSM 5.4.14 or later
Jira Core/Software 9.12.0/JSM 5.12.0 or later
Non-LTS (Long Term Support) versions:
Jira Core/Software 9.11.2/ JSM 5.11.2 or later
OR
Upgrade Automation for Jira apps
8.2.4
9.0.2 or later
What versions of the Automation for Jira (A4J) apps are impacted and which versions include the fix?
The following versions of Automation for Jira (A4J) (including the Server Lite edition) are affected:
all versions 8.2.2 and below
9.0.0
9.0.1
The following versions of Automation for Jira (A4J) contain the fix for this vulnerability:
8.2.4
9.0.2 or later
If you are upgrading A4J from 8.x to 9.0.x, please take a moment to review the breaking changes in A4J 9.0+ that may affect your existing rules. We recommend validating these changes in a test environment before updating production.
Is there a mitigation for this vulnerability instead of upgrading the Jira / JSW / JSM instance?
As mentioned in the security advisory, if you’re unable to upgrade your product instance to a fixed version, you can mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).
The following versions of Automation for Jira (A4J) contain the fix:
8.2.4
9.0.2 or later
If you are upgrading A4J from 8.x to 9.0.x, please take a moment to review the critical changes in A4J 9.0+ that may affect your existing rules. We recommend validating these changes on a test environment before updating the app in production.
Are there any impacts related to updating Automation for Jira without upgrading Jira?
No, upgrading Automation for Jira (A4J) without upgrading Jira is a valid mitigation strategy for this vulnerability. However, please keep in mind that A4J version 9.0+ includes breaking changes related to URLs in configured rules, therefore, please review the major changes that may affect your existing rules. We recommend validating these changes in a test environment before updating the app in production.
These changes are documented in the release notes of the Jira versions in which this version of A4J started being bundled:
Can I update the SnakeYAML library only and stay on the same version of Jira?
Unfortunately, upgrading only the SnakeYAML library on the same Jira instance will not mitigate the vulnerability.
Atlassian strongly recommends updating to the following versions of Jira or upgrading just the Automation for Jira app via the Universal Plugin Manager (UPM).
See breaking changes in A4J 9.0+ for more info. This version was also bundled with Jira 9.11+ and JSM 5.11+.
Upgrade Jira
Non-LTS (Long Term Support) versions:
Jira Core/Software 9.11.2/ JSM 5.11.2 or later
LTS (Long Term Support) versions:
Jira Core/Software 9.12.0/JSM 5.12.0 or later
Jira Core/Software 9.4.14/JSM 5.4.14 or later
OR
Upgrade Automation for Jira apps
8.2.4
9.0.2 or later
We are on the supported 8.20 LTS version of Jira, are we impacted?
8.20.X LTS versions of Jira are not affected since A4J wasn’t bundled until version 9+. That said, if you separately installed A4J, there is a potential you are using a vulnerable version.
The following versions of Automation for Jira (A4J) are affected:
all versions 8.2.2 and below
9.0.0
9.0.1
If you have any of these versions installed, Atlassian strongly recommends updating to one of the following versions of Automation for Jira (A4J) via the Universal Plugin Manager (UPM), as they contain the fix for this vulnerability:
8.2.4
9.0.2 or later
If you are upgrading A4J from 8.x to 9.0.x, please take a moment to review the breaking changes in A4J 9.0+ that may affect your existing rules. We recommend validating these changes in a test environment before updating the app in production.
Is Jira vulnerable to CVE-2022-1471? Is JSM vulnerable to CVE-2022-1471?
The vulnerability exists in a library used by all versions of the Automation for Jira app (including the Server Lite edition) which we also started bundling in Jira Core / Jira Software 9+ and Jira Service Management 5+.
Atlassian strongly recommends updating to the following versions of Jira or upgrading the Automation for Jira app via the Universal Plugin Manager (UPM).
See breaking changes in A4J 9.0+ for more info. This version was also bundled with Jira 9.11+ and JSM 5.11+.
Upgrade Jira
Non-LTS (Long Term Support) versions:
Jira Core/Software 9.11.2/ JSM 5.11.2 or later
LTS (Long Term Support) versions:
Jira Core/Software 9.12.0/JSM 5.12.0 or later
Jira Core/Software 9.4.14/JSM 5.4.14 or later
OR
Upgrade Automation for Jira apps
9.0.2 or later
8.2.4
We are running Jira Server 9.x however we’re not using Automation for Jira or Automation for Jira - Server Lite, are we vulnerable?
Yes. Even if you have not licensed the Automation for Jira (A4J) app, or only have Automation for Jira - Server Lite, your Jira server can still be vulnerable if the app is installed and you are running an affected version of Jira. The licensing status of the app does not change the vulnerability; what matters is the presence of the app and the version of the app.
To mitigate this risk, you should:
1. Either upgrade your Jira Server instance to one of the fixed versions:
Non-LTS (Long Term Support) versions:
9.11.2 or later
LTS (Long Term Support) versions:
9.12.0 or later
9.4.14 or later
2. OR upgrade the Automation for Jira app via the Universal Plugin Manager (UPM) to a fixed version:
9.0.2 or later
8.2.4
I only have Jira Service Management installed and not Jira Software, am I affected by this CVE?
Yes, your Jira Service Management installation could be affected by this vulnerability. The affected versions of Jira Service Management Data Center and Server are from version 5.4.0 up to 5.11.1.
If your Jira Service Management version falls within this range, you are advised to:
1. Either patch to the following fixed versions:
Non-LTS (Long Term Support) versions:
Jira Core 9.11.2/JSM 5.11.2 or later
LTS (Long Term Support) versions:
Jira Core 9.12.0/JSM 5.12 or later
Jira Core 9.4.14/JSM 5.4.14 or later
2. Or upgrade the Automation for Jira app via the Universal Plugin Manager (UPM) to a fixed version:
9.0.2 or later
8.2.4
Is it possible to mitigate the vulnerability by DISABLING the app Automation for Jira (A4J)?
No, disabling the app will not mitigate the vulnerability. The vulnerability exists within A4J, including the Server Lite edition, which remains present in the system, even if disabled.
Atlassian recommends either of the following actions to mitigate the risk of this vulnerability:
Upgrade your Jira instance to one of the fixed versions:
Non-LTS (Long Term Support) versions:
9.11.2 or later
LTS (Long Term Support) versions:
9.12.0 or later
9.4.14 or later
Upgrade the Automation for Jira app via the Universal Plugin Manager (UPM) to a fixed version:
9.0.2 or later
8.2.4
We are on an unsupported version and have no plans to upgrade, what can we do?
The most effective way to address the vulnerability you're facing is to upgrade your Jira instance to a supported version. This will allow you to install the required A4J update and also ensure you can receive future security patches and updates, which are crucial for maintaining a secure system.
As a mitigation, if upgrading Jira isn't immediately feasible, you may consider implementing additional security measures at the network level. This could involve limiting access to your Jira instance to trusted networks and users, which could help reduce the risk of exploitation.
Please note, however, that these measures are temporary and not a full solution. The complete mitigation of the vulnerability can only be achieved by upgrading to a supported version of Jira.
Is it possible to mitigate the vulnerability by UNINSTALLING the app Automation for Jira (A4J)?
The A4J app, including the Server Lite edition, contains the vulnerability. Uninstalling it could potentially erase the vulnerable library. However, A4J is a core plugin, so removing it might disrupt your system. Therefore, we do not recommend uninstalling it as a solution.
Also, deleting files from the plugin artifacts can lead to an unsupported system setup. If any issues arise from this action, you would need to revert to the last operational state in order for us to be able to assist.
Instead, Atlassian firmly suggests these remedies:
Upgrade your Jira instance to one of the fixed versions:
Non-LTS (Long Term Support) versions:
9.11.2 or later
LTS (Long Term Support) versions:
9.12.0 or later
9.4.14 or later
Upgrade the A4J app via the Universal Plugin Manager (UPM) to a fixed version:
9.0.2 or later
8.2.4
Bamboo
Bamboo is not vulnerable to CVE-2022-1471, which affects the SnakeYAML library. Bamboo's use of SnakeYAML only allows classes from Bamboo Specs to be instantiated, so arbitrary classes cannot be loaded from YAML input.
If you are looking to satisfy security scanner requirements, Bamboo has a fixed version of the SnakeYAML library available in:
9.2.8 or later
9.3.5 or later
9.4.1 or later
If you are interested in upgrading, you can find our Bamboo upgrade guide below:
Bitbucket
What versions of Bitbucket are affected?
All 7.17.x versions
All 7.18.x versions
All 7.19.x versions
All 7.20.x versions
7.21.x versions <= 7.21.15
All 8.0.x versions
All 8.1.x versions
All 8.2.x versions
All 8.3.x versions
All 8.4.x versions
All 8.5.x versions
All 8.6.x versions
All 8.7.x versions
8.8.x versions <= 8.8.6
8.9.x versions <= 8.9.3
8.10.x versions <= 8.10.3
8.11.x versions <= 8.11.2
8.12.0
What versions of Bitbucket contain the fixed library?
7.21.16 or later (LTS)
8.8.7 or later
8.9.4 or later (LTS)
8.10.4 or later
8.11.3 or later
8.12.1 or later
8.13.0 or later
8.14.0 or later
8.15.0 or later
8.16.0 or later
What versions of Bitbucket Server and Data Center are affected?
We understand you are interested in more information on the CVE related to the SnakeYAML library CVE-2022-1471.
Our security team has assessed this vulnerability and has so far been unable to determine whether there is an exploit path in Bitbucket. We are still checking if any exploits are possible and will update our security blog should any exploit paths be found in Bitbucket. Regardless, we have updated the SnakeYAML library in Bitbucket and released supported versions with the fix.
Affected Versions
7.17.0 to 7.17.21
7.18.0 to 7.18.4
7.19.0 to 7.19.5
7.20.0 to 7.20.3
7.21.0 to 7.21.15
8.0.0 to 8.0.5
8.1.0 to 8.1.5
8.2.0 to 8.2.4
8.3.0 to 8.3.4
8.4.0 to 8.4.4
8.5.0 to 8.5.4
8.6.0 to 8.6.4
8.7.0 to 8.7.5
8.8.0 to 8.8.6
8.9.0 to 8.9.3
8.10.0 to 8.10.3
8.11.0 to 8.11.2
8.12.0
Current limitations with patched versions of Bitbucket and bundled Elasticsearch/Opensearch
The following Bitbucket versions include the patched SnakeYAML library (version 2.0) and are not directly affected. However, they bundle an Opensearch version that includes an affected version (1.2.6, 1.30 to 1.32) of the SnakeYAML library:
7.21.12 to 7.21.15
8.7.4 to 8.7.5
8.8.6
8.9.1 to 8.9.3
8.10.0 to 8.10.3
8.11.0 to 8.11.2
8.12.0
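The caveat above means a product at a fixed version can still carry a pre-2.0 SnakeYAML jar inside its bundled search engine (the opensearch/ or elasticsearch/ directory of the installation). The following POSIX shell script is an added example, not Atlassian's tooling: it walks an installation directory, finds every snakeyaml-<version>.jar (assuming, as Maven-built artifacts normally do, that the version is part of the filename) and lists the copies older than 2.0, the version this FAQ names as fixed. The directory layout it builds is constructed for the demonstration and is not a real Bitbucket installation.

```shell
#!/bin/sh
# Added example (not Atlassian tooling): report SnakeYAML jars older than 2.0
# anywhere under an installation directory, including bundled search engines.

# Returns 0 if the version string in $1 is 2.0 or later, 1 otherwise.
# CVE-2022-1471 is fixed in SnakeYAML 2.0, so every 1.x copy counts as affected.
snakeyaml_version_is_fixed() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) return 1 ;;   # unparseable version: treat as affected
    esac
    [ "$major" -ge 2 ]
}

# Print the path of every snakeyaml-<version>.jar under $1 whose version is
# below 2.0, one per line; prints nothing when all copies are fixed.
find_affected_snakeyaml_jars() {
    find "$1" -type f -name 'snakeyaml-*.jar' | while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        version=${base#snakeyaml-}
        if ! snakeyaml_version_is_fixed "$version"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Constructed sample layout (not a real install): the product itself ships the
# fixed 2.0 jar, but the bundled opensearch/ directory still carries 1.33.
build_sample_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/app/WEB-INF/lib" "$dir/opensearch/lib"
    : > "$dir/app/WEB-INF/lib/snakeyaml-2.0.jar"
    : > "$dir/opensearch/lib/snakeyaml-1.33.jar"
    printf '%s\n' "$dir"
}

# Demonstration run: only the opensearch copy is reported.
sample=$(build_sample_install)
find_affected_snakeyaml_jars "$sample"
rm -rf "$sample"
```

Point `find_affected_snakeyaml_jars` at the real installation directory to get the list for your environment; an empty result means every copy found by filename is 2.0 or later. The check relies on the version appearing in the jar name, so a repackaged or renamed copy would have to be confirmed by reading the jar's manifest instead.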
Current limitations with Bitbucket 7.17.17 to 7.17.20 fixed versions and bundled Elasticsearch
Bitbucket 7.17.17 to 7.17.20 were patched with SnakeYAML 2.0. However, Bitbucket 7.17.x bundles an Elasticsearch version that includes the affected library. Due to the changes in how Elasticsearch is licensed (paid model), Atlassian was unable to include a patched version of Elasticsearch in the Bitbucket 7.17.x fixed versions.
If you are running Bitbucket 7.17.x with the bundled Elasticsearch, we strongly encourage you to upgrade to 7.21.16+ (or any 8.X fixed version), because 7.17.x has already reached its end of life per the Atlassian Support End of Life Policy. Bitbucket 7.21.16+ bundles Opensearch (open source), and both applications have been patched to the SnakeYAML 2.0 library.
Fixed versions (including Bitbucket and Opensearch)
7.21.16 or later - LTS (Long Term Support)
8.8.7 or later
8.9.4 or later - LTS
8.10.4 or later
8.11.3 or later
8.12.1 or later
8.13.0 or later
8.14.0 or later
8.15.0 or later
8.16.0 or later
What you need to do
Read more about the potential impact of CVE-2022-1471 vulnerability.
Upgrade Bitbucket to a fixed version from the list above
See Bitbucket Upgrade Guide for more information on how to upgrade.
If you need help with upgrading Bitbucket to a fixed version feel free to open a new support ticket (or let us know if we should open one on your behalf).
Testing
The most important step to take to avoid production outages is to follow change management best practices by testing the upgrade in a staging environment first. For more information on how to set up a staging environment, see How to establish staging server environments for Bitbucket Server.
Can we determine if Bitbucket has already been compromised?
We understand you are interested in more information on the CVE related to the SnakeYAML library CVE-2022-1471 and if your instance was compromised.
Unfortunately, Atlassian cannot confirm if a Bitbucket instance has been compromised.
Atlassian suggests you involve your local security team or a specialist security forensics firm for further investigation.
Atlassian also recommends checking the integrity of the Bitbucket filesystem, for example by comparing artifacts in their current state with recent backups to identify any unexpected differences.
All security compromises are different, and there is a risk that an attacker could hide their footprint and change important files (such as syslogs, audit logs, access logs, etc.) depending on the component that has been compromised.
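To make the backup comparison suggested above concrete, here is an added example (not Atlassian's tooling) in POSIX shell: it hashes every regular file under a backup tree and a current tree and reports which files were added, removed or modified. It assumes GNU sha256sum is available (use shasum -a 256 on BSD systems); the two sample trees it builds are constructed for the demonstration and are not real Bitbucket data.

```shell
#!/bin/sh
# Added example (not Atlassian tooling): diff the contents of a current
# Bitbucket tree against a backup copy to spot unexpected changes.

# Emit "<sha256>  <relative path>" for every regular file under $1, sorted by
# path so that two manifests of identical trees compare equal line for line.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# Print one line per difference between the backup tree ($1) and the current
# tree ($2): "ADDED <path>", "REMOVED <path>" or "MODIFIED <path>", sorted.
# sha256sum separates hash and path with two spaces, so -F'  ' keeps paths
# that contain single spaces intact.
compare_trees() {
    backup_manifest=$(mktemp)
    current_manifest=$(mktemp)
    hash_tree "$1" > "$backup_manifest"
    hash_tree "$2" > "$current_manifest"
    awk -F'  ' '
        FILENAME == ARGV[1] { backup[$2] = $1; next }
        {
            if (!($2 in backup))        print "ADDED " $2
            else if (backup[$2] != $1)  print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in backup) if (!(p in seen)) print "REMOVED " p }
    ' "$backup_manifest" "$current_manifest" | LC_ALL=C sort
    rm -f "$backup_manifest" "$current_manifest"
}

# Constructed sample trees (not real Bitbucket data): the current copy has one
# untouched jar, an edited properties file, an extra jar and a missing script.
build_sample_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/backup/lib" "$root/backup/bin" "$root/current/lib" "$root/current/bin"
    printf 'unchanged\n'     > "$root/backup/lib/app.jar"
    printf 'unchanged\n'     > "$root/current/lib/app.jar"
    printf 'setting=a\n'     > "$root/backup/bitbucket.properties"
    printf 'setting=b\n'     > "$root/current/bitbucket.properties"
    printf 'old script\n'    > "$root/backup/bin/start.sh"
    printf 'not in backup\n' > "$root/current/lib/extra.jar"
    printf '%s\n' "$root"
}

# Demonstration run: reports the added jar, the modified properties file and
# the removed script, and nothing for the untouched jar.
root=$(build_sample_trees)
compare_trees "$root/backup" "$root/current"
rm -rf "$root"
```

Run `compare_trees` with the backup copy first and the live installation or home directory second, and review every ADDED and MODIFIED entry, with particular attention to jars under lib directories and to scripts. As the FAQ notes, an attacker may alter files on a compromised host, so the backup should be one taken before the suspected compromise and stored where the instance cannot reach it.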
Are Bitbucket Mirrors affected?
We understand you are interested in more information on the CVE related to the SnakeYAML library, CVE-2022-1471.
Yes, Bitbucket Mirrors include the affected SnakeYAML library.
What you need to do
Read more about the potential impact of CVE-2022-1471 vulnerability.
Upgrade Bitbucket Mirror to a fixed version from the list above
See Bitbucket Upgrade Guide for more information on how to upgrade.
If you need help with upgrading Bitbucket to a fixed version feel free to open a new support ticket (or let us know if we should open one on your behalf).
Fixed Versions (including Bitbucket and Opensearch)
The following are the versions that include a patched and updated version of the SnakeYAML library (2.0):
7.21.16 or later - LTS (Long Term Support)
8.8.7 or later
8.9.4 or later - LTS
8.10.4 or later
8.11.3 or later
8.12.1 or later
8.13.0 or later
8.14.0 or later
8.15.0 or later
8.16.0 or later
Current limitations with patched versions of Bitbucket and bundled Elasticsearch/Opensearch
The following Bitbucket versions include the patched SnakeYAML library (version 2.0) and are not directly affected. However, they bundle an Opensearch version that includes an affected version (1.2.6, 1.30 to 1.32) of the SnakeYAML library:
7.21.12 to 7.21.15
8.7.4 to 8.7.5
8.8.6
8.9.1 to 8.9.3
8.10.0 to 8.10.3
8.11.0 to 8.11.2
8.12.0
If you are running Bitbucket on a version listed above and cannot immediately update the Bitbucket Mirror to a patched version for both Bitbucket and Opensearch, you can safely delete the /opensearch directory from the Bitbucket Mirror.
If you need help with upgrading Bitbucket Mirror to a fixed version feel free to open a new support ticket (or let us know if we should open one on your behalf).
Are Bitbucket Mesh nodes affected?
We understand you are interested in more information on the SnakeYAML library CVE-2022-1471 on Bitbucket Mesh nodes.
Bitbucket Mesh nodes are not directly affected, because they are located behind another Bitbucket instance and should not be available publicly. However, some versions of Bitbucket Mesh include an affected version of the SnakeYAML library.
The following Bitbucket Mesh versions are affected:
All Bitbucket Mesh 1.0.X versions
All Bitbucket Mesh 1.1.X versions
All Bitbucket Mesh 1.2.X versions
All Bitbucket Mesh 1.3.X versions
Bitbucket Mesh 1.4.0 and 1.4.1
Bitbucket Mesh 1.5.0 and 1.5.1
Bitbucket Mesh 2.0.0 and 2.0.1
Fixed Mesh versions
Bitbucket Mesh 1.4.2 or later
Bitbucket Mesh 1.5.2 or later
Bitbucket Mesh 2.0.2 or later
Bitbucket Mesh 2.1.2 or later
Bitbucket Mesh 2.2.0 or later
What you need to do
Read more about the potential impact of CVE-2022-1471 vulnerability.
Upgrade Bitbucket Mesh to a fixed version from the list above
If you need help with upgrading Bitbucket Mesh to a fixed version feel free to open a new support ticket (or let us know if we should open one on your behalf).
If an upgrade is not immediately possible, make sure that Bitbucket Mesh nodes and Bitbucket DC nodes are not publicly available on the internet.
Testing
The most important step to take to avoid production outages is to follow change management best practices by testing the upgrade in a staging environment first. For more information on how to set up a staging environment, see How to establish staging server environments for Bitbucket Server.
What are my options for securing this app?
Upgrade Bitbucket to a fixed version.
Upgrading Bitbucket to a fixed version listed in the security advisory is the surest way to remediate CVE-2022-1471. Once a fixed version has been installed, no further action is required.
Fixed versions include:
7.21.16 or later - LTS (Long Term Support)
8.8.7 or later
8.9.4 or later - LTS
8.10.4 or later
8.11.3 or later
8.12.1 or later
8.13.0 or later
8.14.0 or later
8.15.0 or later
8.16.0 or later
I am running a patched version of Bitbucket with an external Opensearch/Elasticsearch. Can I delete the opensearch/Elasticsearch Directory from Bitbucket?
Yes, if you are running an external Opensearch/Elasticsearch service, it is safe to delete the opensearch/elasticsearch directory from the Bitbucket installation directory.
You can find the directory in the following places in your environment:
<$BITBUCKET_INSTALL>/elasticsearch
<$BITBUCKET_INSTALL>/opensearch
Just to be on the safe side, please make sure to take a backup before removing the directory.
I am running an external Opensearch/Elasticsearch service. Do I need to update them?
We understand you are interested in more information on the SnakeYAML Library CVE-2022-1471 and would like more details about your external Opensearch/Elasticsearch service.
If you are running a version that is affected by this vulnerability, you would need to update the external Opensearch/Elasticsearch service.
If you have any questions about how to upgrade the external Opensearch/Elasticsearch we would strongly encourage you to reach out to the vendor for additional assistance. Atlassian can only offer guidance or support for Bitbucket.
Can I update the SnakeYAML library only and stay on the same version of Bitbucket?
We understand you are interested in more information on the SnakeYAML library CVE-2022-1471 and would like to only upgrade the SnakeYAML library in your Bitbucket version.
Unfortunately, that is not possible. The compatibility matrix is specific to the versions listed. The app was patched and tested with only the supported versions so we can’t confirm the fix will work in non-supported versions.
The best approach is to update Bitbucket to a fixed version following the guidance in the Bitbucket Data Center and Server upgrade guide.