FAQ for CVE-2022-22965
A critical remote code execution vulnerability in Spring Framework, CVE-2022-22965, has been discovered. As per Spring’s security advisory, this vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9 and higher.
This page contains frequently asked questions and answers about “CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+”. The Atlassian Security Team will continuously update this page as new information becomes available.
Are Cloud instances affected?
No, instances of our products hosted on Atlassian’s cloud are not vulnerable to any known exploit, and no customer action is required. Our analysis has not identified any compromise of Atlassian systems or customer data. Out of an abundance of caution, services using impacted versions of Spring are being patched as a priority in case new attack vectors are discovered.
Are self-managed Server/Data Center products affected?
Ongoing investigation has identified the following on-premises products as being vulnerable when a narrow set of pre-conditions are met:
Bamboo Server and Data Center
Confluence Server and Data Center
Jira Software Server and Data Center
Jira Service Management Server and Data Center
All the following pre-conditions must be met for successful exploitation:
The product is running on JDK 9 or higher,
An attacker tricks a user into making a malicious HTTP request,
The request contains a valid Cross-Site Request Forgery token (note that the same-origin policy prevents an attacker from obtaining a user’s valid token),
The targeted user is logged into the application with ‘system administrator’ privileges.
Jira and Confluence only: The targeted user also has an active ‘secure administrator session’ (note that these sessions only last for 10 minutes by default).
Products will be updated in accordance with our Data Center and Server Bug Fix Policy.
The following self-managed products use impacted versions of Spring but are not vulnerable to any known exploit:
Bitbucket Server and Data Center
Out of an abundance of caution, these products will be updated in accordance with our Data Center and Server Bug Fix Policy.
The following self-managed products do not use Spring and will not require patching:
Sourcetree for Mac
Sourcetree for Windows
Are there any interim solutions to mitigate this vulnerability until patches are available?
Customers with impacted on-premises products can downgrade from running JDK 9 or higher to JDK 8 or lower. This will eliminate the possibility of exploitation. These instructions can be used for changing the version of Java for Jira and Confluence:
- Jira: https://confluence.atlassian.com/jirakb/change-the-java-version-used-by-jira-server-765594330.html
- Confluence: https://confluence.atlassian.com/doc/change-the-java-vendor-or-version-confluence-uses-962342397.html
Alternatively (Jira only), we’ve released these new versions with an upgraded version of Tomcat which also serves to mitigate this issue:
Are Marketplace apps affected?
Our Security team has completed its investigation and scanning of all Cloud, Server, and Data Center apps in the Atlassian Marketplace to determine if they are vulnerable to CVE-2022-22965.
Only a few cloud apps were found to be exploitable. Each of the affected cloud apps have been hidden from the Atlassian Marketplace. Additionally, Atlassian has temporarily disabled these apps from usage on all cloud instances until the partner remediates the vulnerability.
Data Center and Server Apps
Our investigation identified that some of Server and Data Center apps utilize the vulnerable version of the Spring Framework. However, we do not believe any of them are vulnerable to exploitation based on the pre-conditions required for exploitation. Out of an abundance of caution, we are reaching out to each partner and requiring them to upgrade their Spring Framework to the fixed version within the timeframe specified by our Security Bug Fix Policy.
Please note that apps that are not listed on the Atlassian Marketplace are not being reviewed by Atlassian. Customers should contact these developers directly for information on this CVE in their apps.
Where can app developers find more information?
Are Atlassian products vulnerable to CVE-2022-22963?
CVE-2022-22963 is a vulnerability in the Spring Cloud Function package, and is unrelated to the subsequently published CVE-2022-22965. Atlassian cloud instances and on-premises products are not vulnerable to any known exploit for CVE-2022-22963.