FAQ for CVE-2022-26135

Atlassian Knowledge Base


General Information

A high-severity vulnerability in the Mobile Plugin for Jira app, a Full Read SSRF (CVE-2022-26135), has been discovered. Read more in the advisory Jira Server and Data Center - Full Read SSRF - CVE-2022-26135.

This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will continuously update this page as new information becomes available.

Are Cloud instances affected?

No, Atlassian cloud instances are not vulnerable and no customer action is required. 

My instance isn't exposed to the Internet. Is an upgrade still recommended?

Yes! While ensuring instances are not exposed to the public internet greatly reduces the attack surface, we always recommend upgrading when security fixes are available. We try to provide as much information as possible so that customers can determine the scope and impact. It's ultimately up to each customer to consider this information when determining whether mitigating factors, like no external access to the instance, reduce the risk to their business enough to defer installing an upgrade.

My instance doesn't have sign-ups enabled. Is an upgrade still recommended?

Yes! While having tighter control over new user accounts also reduces the attack surface for this vulnerability, internal user accounts are still a vector for attack, so we always recommend upgrading when security fixes are available. We try to provide as much information as possible so that customers can determine the scope and impact. It's ultimately up to each customer to consider this information when determining whether mitigating factors, like no external access to the instance, reduce the risk to their business enough to defer installing an upgrade.

What are my options for securing this app?

Install a fixed version of Jira or Jira Service Management

Installing a fixed version listed in the security advisory is the surest way to remediate CVE-2022-26135. Once a fixed version has been installed, no further action is required.

Fixed versions include:

Jira Core Server, Jira Software Server, and Jira Software Data Center:

  • 8.13.x >= 8.13.22

  • 8.20.x >= 8.20.10

  • 8.22.x >= 8.22.4

  • 9.0.0

Jira Service Management Server and Data Center:

  • 4.13.x >= 4.13.22

  • 4.20.x >= 4.20.10

  • 4.22.x >= 4.22.4

  • 5.0.0

If updating to a fixed version isn't immediately possible

Update the app

Use the instructions on the security advisory to update the app. Version compatibility is as follows:


Mobile Plugin for Jira 3.2.15 is compatible with the following Jira versions:

Jira Core Server and Jira Software Server & Data Center

  • 8.22.X
  • 8.21.X
  • 8.20.X

Jira Service Management Server & Data Center

  • 4.22.X
  • 4.21.X
  • 4.20.X

Mobile Plugin for Jira 3.1.5 is compatible with the following Jira versions:

Jira Software Server & Data Center

  • 8.13.X

Jira Service Management Server & Data Center

  • 4.13.X

Warning: If you're either on Jira 8.13.x or JSM 4.13.x and have previously upgraded beyond the default app version of 3.1.x, upgrading to 3.1.5 will effectively roll back any bug fixes and features introduced in later versions.
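An added audit helper (not Atlassian's code) that encodes the fixed Jira/JSM versions listed above and this compatibility matrix: given a product label ("jira" or "jsm", my own naming), its version string, the installed app version and whether the app is enabled, it reports whether an instance is fixed, mitigated, or still needs an action. The result strings and the rule that only the app line listed for a Jira line counts as confirmed are assumptions of this example.

```python
"""Audit helper for CVE-2022-26135 (added example, not Atlassian's code): encodes
the fixed Jira/JSM versions and the Mobile Plugin for Jira compatibility matrix
from this FAQ so an admin can classify an instance from its version strings."""
from typing import Optional
# Fixed Jira / JSM lines from the advisory: (major, minor) -> minimum patch level.
FIXED_PATCH = {
    "jira": {(8, 13): 22, (8, 20): 10, (8, 22): 4},
    "jsm": {(4, 13): 22, (4, 20): 10, (4, 22): 4},
}
FIRST_FIXED_RELEASE = {"jira": (9, 0, 0), "jsm": (5, 0, 0)}
# App-only mitigation: (major, minor) of the product -> fixed app version.
APP_FOR_LINE = {
    "jira": {(8, 22): "3.2.15", (8, 21): "3.2.15", (8, 20): "3.2.15", (8, 13): "3.1.5"},
    "jsm": {(4, 22): "3.2.15", (4, 21): "3.2.15", (4, 20): "3.2.15", (4, 13): "3.1.5"},
}

def parse_version(text: str) -> tuple:
    """Turn '8.20.10' or '9.0' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def product_is_fixed(product: str, version: str) -> bool:
    """True when the Jira/JSM release itself already contains the fix."""
    v = parse_version(version)
    if v >= FIRST_FIXED_RELEASE[product]:
        return True
    minimum = FIXED_PATCH[product].get(v[:2])
    return minimum is not None and v[2] >= minimum

def required_app_version(product: str, version: str) -> Optional[str]:
    """Fixed app version for this Jira/JSM line, or None if the matrix lists none."""
    return APP_FOR_LINE[product].get(parse_version(version)[:2])

def assess(product: str, version: str, app_version: Optional[str] = None,
           app_enabled: bool = True) -> str:
    """Classify an instance as fixed, mitigated, or still needing an action."""
    if product_is_fixed(product, version):
        return "fixed"
    if not app_enabled:
        return "mitigated: app disabled"
    required = required_app_version(product, version)
    if required is None:
        return "vulnerable: no compatible fixed app, upgrade Jira"
    if app_version is not None:
        have, need = parse_version(app_version), parse_version(required)
        # Only the app line the matrix lists for this Jira line is confirmed fixed
        # (assumption: e.g. 3.2.x on 8.13.x is not listed, so not treated as fixed).
        if have[:2] == need[:2] and have[2] >= need[2]:
            return "mitigated: app updated"
    return f"vulnerable: update app to {required}"
```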


Scenario A: User-installed apps

If you find the “Mobile Plugin for Jira” app located in the User-installed apps section, you can just click Update to get the latest version.

Scenario B: System apps

If you find the “Mobile Plugin for Jira” app located in the System apps section, follow these instructions to manually update the app (no restart required!):

  1. Download a fixed version of the app (you’ll save this as a JAR file) from the Atlassian Marketplace that is compatible with your Jira version

  2. During a maintenance window:

    1. Navigate to Admin > Manage Apps

    2. Select Upload app

    3. Select the JAR file you downloaded in Step 1

  3. After the install, the new version will be displayed as a user-installed app instead of a system app.

The previous JAR file can remain in the directory <Jira Install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins without further action.

Disable the app

The Mobile Plugin for Jira app belongs to a category of System apps that can be disabled in the same way as User-installed apps. Use the "Disable" button on the app to mitigate the vulnerability until you can upgrade Jira.

Can I install the JAR file in my Jira version even if it isn’t supported and be protected?

No, the compatibility matrix is specific to the versions listed. The app was patched and tested with only the supported versions so we can’t confirm the fix will work in non-supported versions.

The warning panel in Jira says disabling System apps "will have serious effects". Can I really disable this app?

Yes, you can disable the app. The only consequence of disabling it is that the iOS/Android mobile app will stop working. If your team isn't using the mobile app, you can safely disable it.


Last modified on Jun 29, 2022
