FAQ for CVE-2022-26135
General Information
A high severity vulnerability, a full read server-side request forgery (SSRF) tracked as CVE-2022-26135, has been discovered in the Mobile Plugin for Jira app that ships with Jira. Read more about Jira Server and Data Center - Full Read SSRF - CVE-2022-26135.
This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will continuously update this page as new information becomes available.
Are Cloud instances affected?
No, Atlassian cloud instances are not vulnerable and no customer action is required.
My instance isn't exposed to the Internet. Is an upgrade still recommended?
Yes! While ensuring instances are not exposed to the public internet greatly reduces the attack surface, we always recommend upgrading when security fixes are available. We try to provide as much information as possible so that customers can determine the scope and impact. It's ultimately up to each customer to consider this information when determining whether mitigating factors, like no external access to the instance, reduce the risk to their business enough to defer installing an upgrade.
My instance doesn't have sign-ups enabled. Is an upgrade still recommended?
Yes! While having tighter control over new user accounts also reduces the attack surface for this vulnerability, internal user accounts are still a vector for attack, so we always recommend upgrading when security fixes are available. We try to provide as much information as possible so that customers can determine the scope and impact. It's ultimately up to each customer to consider this information when determining whether mitigating factors like these reduce the risk to their business enough to defer installing an upgrade.
What are my options for securing this app?
Install a fixed version of Jira or Jira Service Management
Installing a fixed version listed in the security advisory is the surest way to remediate CVE-2022-26135. Once a fixed version has been installed, no further action is required.
Fixed versions include:
Jira Core Server, Jira Server, and Jira Software Data Center:
8.13.x >= 8.13.22
8.20.x >= 8.20.10
8.22.x >= 8.22.4
9.0.0
Jira Service Management Server and Data Center:
4.13.x >= 4.13.22
4.20.x >= 4.20.10
4.22.x >= 4.22.4
5.0.0
If updating to a fixed version isn't immediately possible
Update the app
Use the instructions on the security advisory to update the app. Version compatibility is as follows:
Jira Versions | Mobile Plugin for Jira
---|---
Jira Core Server and Jira Server & Data Center; Jira Service Management Server & Data Center | 3.2.15
Jira Server & Data Center; Jira Service Management Server & Data Center | 3.1.5

Note on 3.1.5: if you're on either Jira 8.13.x or JSM 4.13.x and have previously upgraded beyond the default app version of 3.1.x, upgrading to 3.1.5 will effectively roll back any bug fixes and features introduced in later versions.
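The two version lists above (fixed Jira/JSM releases, and fixed Mobile Plugin for Jira releases) are easy to misread when checking a fleet of instances by hand, because each Jira line has its own fix threshold and an unlisted line (say 8.21.x) has no fixed release at all. The following Python script is an added example, not Atlassian's own tooling; it encodes only the version thresholds stated on this page and reports, for a given product version and optionally the installed app version, whether the instance is fixed, mitigated by the app update, or still exposed. The function names and the three result strings are this example's own choices.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions as listed in this FAQ: per-branch minimum, plus the first
# major release from which every later version is fixed.
JIRA_FIXED_BRANCHES: Dict[Tuple[int, int], Version] = {
    (8, 13): (8, 13, 22), (8, 20): (8, 20, 10), (8, 22): (8, 22, 4)}
JIRA_FIXED_FLOOR: Version = (9, 0, 0)
JSM_FIXED_BRANCHES: Dict[Tuple[int, int], Version] = {
    (4, 13): (4, 13, 22), (4, 20): (4, 20, 10), (4, 22): (4, 22, 4)}
JSM_FIXED_FLOOR: Version = (5, 0, 0)
# Fixed app versions from the compatibility table: 3.1.5 on the 3.1.x line
# (Jira 8.13.x / JSM 4.13.x per the note above), 3.2.15 on the 3.2.x line.
APP_FIXED_BRANCHES: Dict[Tuple[int, int], Version] = {
    (3, 1): (3, 1, 5), (3, 2): (3, 2, 15)}

FIXED, VULNERABLE, UNLISTED = "fixed", "vulnerable", "unlisted-branch"
NO_ACTION = "no action required"
MITIGATED = "app updated; schedule the Jira upgrade"
EXPOSED = "upgrade Jira, or update/disable the Mobile Plugin for Jira"


def parse_version(text: str) -> Version:
    """Turn strings like '8.20.10', 'v8.22.4-build' or '9.0' into a 3-tuple.

    A leading 'v' and any '-suffix' are dropped; missing components are zero.
    """
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    padded = parts + (0,) * (3 - len(parts))
    return (padded[0], padded[1], padded[2])


def _status(version: Version, branches: Dict[Tuple[int, int], Version],
            floor: Optional[Version]) -> str:
    """Compare a version against the per-branch thresholds.

    A branch that is not listed has no fixed release of its own, so the
    instance must move to a listed branch; that case is reported separately
    rather than silently treated as vulnerable or fixed.
    """
    if floor is not None and version >= floor:
        return FIXED
    branch = (version[0], version[1])
    if branch not in branches:
        return UNLISTED
    return FIXED if version >= branches[branch] else VULNERABLE


def jira_status(version: str) -> str:
    return _status(parse_version(version), JIRA_FIXED_BRANCHES, JIRA_FIXED_FLOOR)


def jsm_status(version: str) -> str:
    return _status(parse_version(version), JSM_FIXED_BRANCHES, JSM_FIXED_FLOOR)


def mobile_plugin_status(version: str) -> str:
    # No floor: the page lists no app line beyond 3.2.x, so anything newer
    # is reported as unlisted rather than assumed fixed.
    return _status(parse_version(version), APP_FIXED_BRANCHES, None)


def recommended_action(product: str, version: str,
                       app_version: Optional[str] = None) -> str:
    """Apply the FAQ's decision order: fixed Jira/JSM needs nothing further;
    otherwise a fixed app version mitigates until the upgrade; otherwise the
    instance is exposed. `product` is 'jira' or 'jsm'."""
    core = jira_status(version) if product == "jira" else jsm_status(version)
    if core == FIXED:
        return NO_ACTION
    if app_version is not None and mobile_plugin_status(app_version) == FIXED:
        return MITIGATED
    return EXPOSED


if __name__ == "__main__":
    # Constructed sample inventory, not real instances.
    inventory = [("jira", "8.20.9", "3.2.14"), ("jira", "8.22.4", None),
                 ("jsm", "4.13.22", None), ("jira", "8.21.1", "3.2.15")]
    for product, ver, app in inventory:
        print(f"{product} {ver} (app {app}): {recommended_action(product, ver, app)}")
```

Run it as a script to print the verdict for the constructed inventory, or import `recommended_action` into whatever drives your instance inventory. An instance on an unlisted branch with a fixed app version is reported as mitigated, which matches the FAQ's position that the app update is a stopgap and the Jira upgrade should still be scheduled.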
Scenario A: User-installed apps
If you find the “Mobile Plugin for Jira” app located in the User-installed apps section, you can just click Update to get the latest version.
Scenario B: System apps
If you find the “Mobile Plugin for Jira” app located in the System apps section, follow these instructions to manually update the app (no restart required!):
1. Download a fixed version of the app that is compatible with your Jira version from the Atlassian Marketplace (you'll save this as a JAR file).
2. During a maintenance window:
   - Navigate to Admin > Manage Apps
   - Select Upload app
   - Select the JAR file you downloaded in Step 1
After the install, the new version will be displayed as a user-installed app instead of a system app.
The previous JAR file can remain in the directory <Jira Install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins without further action.
Disable the app
The Mobile Plugin for Jira app is in a special category of System Apps such that it can be disabled similarly to User-installed apps. Use the "Disable" button on the app to mitigate the vulnerability until you can upgrade Jira.
Can I install the JAR file in my Jira version even if it isn’t supported and be protected?
No, the compatibility matrix is specific to the versions listed. The app was patched and tested with only the supported versions so we can’t confirm the fix will work in non-supported versions.
The warning panel in Jira says disabling System apps "will have serious effects". Can I really disable this app?
Yes, you can disable the app. Disabling the app will only have the consequence of preventing the iOS/Android mobile app from working. If your team isn't using the mobile app, you can safely disable the app.