Multiple Products Security Advisory - Unrendered unicode bidirectional override characters - CVE-2021-42574
Summary | CVE-2021-42574 - Unrendered unicode bidirectional override characters in multiple products |
---|---|
Advisory Release Date | 1 November 2021 12 AM UTC (Coordinated Universal Time, +0 hours) |
Products | Bamboo Server and Data Center; Bitbucket Server and Data Center; Confluence Server and Data Center; Crucible; Fisheye; Jira Service Management Server and Data Center; Insight Asset Management (Marketplace app for Jira Service Management); Jira Software Server and Data Center (including Jira Core) |
Affected Versions | Bamboo Server and Data Center: all versions before 8.0.4. Bitbucket Server and Data Center: all versions before 6.10.14, 7.0.0 to 7.5.2 (inclusive), 7.6.x before 7.6.10, 7.7.0 to 7.16.1 (inclusive), 7.17.x before 7.17.1. Confluence Server and Data Center: all versions before 7.4.13, 7.5.0 to 7.12.5 (inclusive), 7.13.x before 7.13.2, and 7.14.0. Crucible: all versions before 4.8.8. Fisheye: all versions before 4.8.8. Jira Service Management Server and Data Center: all versions before 4.13.13, 4.14.0 to 4.19.1 (inclusive), 4.20.x before 4.20.1. Insight Asset Management (Marketplace app for Jira Service Management): all versions before 8.9.4. Jira Software Server and Data Center (including Jira Core): all versions before 8.13.13, 8.14.0 to 8.19.1 (inclusive), 8.20.x before 8.20.1 |
Fixed Versions | Bamboo Server and Data Center 8.0.4; Bitbucket Server and Data Center 6.10.14, 7.6.10, 7.17.1; Confluence Server and Data Center 7.4.13, 7.13.2, 7.14.1; Crucible 4.8.8; Fisheye 4.8.8; Jira Service Management Server and Data Center 4.13.13, 4.20.1; Insight Asset Management (Marketplace app for Jira Service Management) 8.9.4; Jira Software Server and Data Center (including Jira Core) 8.13.13, 8.20.1 |
CVE ID | CVE-2021-42574 |
Summary of Vulnerability
This advisory discloses a high severity security vulnerability which was introduced in multiple product versions as enumerated below:
Bamboo Server and Data Center
- All versions before 8.0.4
Bitbucket Server and Data Center
- All versions before 6.10.14
- All versions between 7.0.0 and 7.5.2 (inclusive)
- All 7.6.x LTS versions before 7.6.10
- All versions between 7.7.0 and 7.16.1 (inclusive)
- All 7.17.x LTS versions before 7.17.1
Confluence Server and Data Center
- All versions before 7.4.13
- All versions between 7.5.0 and 7.12.5 (inclusive)
- All 7.13.x LTS versions before 7.13.2
- Version 7.14.0
Crucible
- All versions before 4.8.8
Fisheye
- All versions before 4.8.8
Jira Service Management Server and Data Center
- All versions before 4.13.13
- All versions between 4.14.0 and 4.19.1 (inclusive)
- All 4.20.x LTS versions before 4.20.1
Insight Asset Management (Marketplace app for Jira Service Management)
- All versions before 8.9.4
Jira Software Server and Data Center (including Jira Core)
- All versions before 8.13.13
- All versions between 8.14.0 and 8.19.1 (inclusive)
- All 8.20.x LTS versions before 8.20.1
For information on how this affects Atlassian Cloud sites, see CVE-2021-42574 - Unrendered unicode bidirectional override characters in Cloud sites
If your Atlassian site is accessed via an atlassian.net domain, it is an Atlassian Cloud site.
Customers who have upgraded to a version listed under Fixed Versions in the table above are not affected.
Customers who have downloaded and installed a version listed under Affected Versions in the table above should upgrade their installations immediately to fix this vulnerability.
CVE-2021-42574 - Unicode bidirectional override character trojan source attack
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
A vulnerability has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter.
Acknowledgements
The issue was identified and reported by Nicholas Boucher and Ross Anderson of the University of Cambridge. Details are disclosed at CVE-2021-42574.
Fix
We have taken the following steps to address this issue:
- Released Bamboo Server and Data Center version 8.0.4, which contains a fix for this issue.
- Released Bitbucket Server and Data Center versions 6.10.14, 7.6.10, and 7.17.1, which contain a fix for this issue.
- Released Confluence Server and Data Center versions 7.4.13, 7.13.2, and 7.14.1, which contain a fix for this issue.
- Released Crucible version 4.8.8, which contains a fix for this issue.
- Released Fisheye version 4.8.8, which contains a fix for this issue.
- Released Insight Asset Management Marketplace app version 8.9.4, which contains a fix for this issue.
- Released Jira Service Management Server and Data Center versions 4.13.13 and 4.20.1, which contain a fix for this issue.
- Released Jira Software Server and Data Center versions 8.13.13 and 8.20.1, which contain a fix for this issue.
What you need to do
Atlassian recommends that you upgrade to the latest version. For a full description of the latest versions, see the release notes for your product:
- Bamboo Server and Data Center release notes
- Bitbucket Server and Data Center release notes
- Jira Service Management Server and Data Center release notes
You can download the latest version of your product from the download center:
Upgrade to the version recommended below or higher.
Product | Action |
---|---|
Bamboo Server and Data Center | Upgrade to 8.0.4 or higher |
Bitbucket Server and Data Center | Upgrade to 7.17.1 LTS or higher. If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions in the table above. |
Confluence Server and Data Center | Upgrade to 7.13.2 LTS or a higher 7.13.x version. If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions in the table above. If you’re running 7.14.0, upgrade to 7.14.1 or higher. |
Crucible | Upgrade to 4.8.8 or higher |
Fisheye | Upgrade to 4.8.8 or higher |
Insight Asset Management app | Upgrade the app to 8.9.4 or higher. This is only required if you’ve installed Insight Asset Management from the Marketplace. |
Jira Software Server and Data Center (including Jira Core) | Upgrade to 8.20.1 LTS or higher. If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions in the table above. |
Jira Service Management Server and Data Center | Upgrade to 4.20.1 LTS or higher. If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions in the table above. |
Mitigation
The fix involved updating a number of common places where code is displayed, such as in a pull request, code snippet, or code block, to highlight bidirectional characters. A tooltip prompts users to take some time to understand what the characters are doing, and how the code will be interpreted when executed.
Here's an example of the message when viewing a Confluence Data Center page with a code block.
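The fix described above makes bidirectional control characters visible wherever code is displayed, so that what a reviewer sees matches what a compiler will parse. The following Python scanner is an added example (it is not Atlassian's code, and the function names and the sample input are invented for this illustration) that applies the same idea on the defender's side: it locates the Unicode override, embedding and isolate characters (U+202A to U+202E and U+2066 to U+2069) in source text, reports their line and column, and rewrites each one into a visible marker. It can be run over a repository as a CI check or a pre-commit hook, independent of which products render the code.

```python
# Detect and make visible the Unicode bidirectional control characters behind
# CVE-2021-42574 ("Trojan Source"). Added example; not Atlassian's code.

# Explicit embeddings/overrides (U+202A..U+202E) and isolates (U+2066..U+2069).
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}


def find_bidi_controls(source):
    """Return a list of (line, column, codepoint, abbreviation) tuples, one per
    bidi control character found; line and column are 1-based."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch]))
    return findings


def contains_bidi_controls(source):
    """Boolean policy check, suitable as a pre-commit or CI gate."""
    return any(ch in BIDI_CONTROLS for ch in source)


def highlight_bidi_controls(source):
    """Rewrite each bidi control as a visible marker such as <U+202E RLO>, so the
    reviewer sees the same character sequence the compiler will parse."""
    return "".join(
        f"<U+{ord(ch):04X} {BIDI_CONTROLS[ch]}>" if ch in BIDI_CONTROLS else ch
        for ch in source
    )


# Constructed sample input (invented for this example): an RLO and an
# LRI/PDI pair placed inside a comment line.
SAMPLE = (
    "access_level = 'user'\n"
    "# check \u202e done \u2066ok\u2069\n"
    "print(access_level)\n"
)

if __name__ == "__main__":
    for lineno, col, codepoint, abbr in find_bidi_controls(SAMPLE):
        print(f"line {lineno}, column {col}: {codepoint} ({abbr})")
    print(highlight_bidi_controls(SAMPLE))
```

Printing the raw sample to a terminal would itself be reordered by the terminal's bidi algorithm, which is exactly why the highlighted form, rather than the original text, is what should be shown to a reviewer. The scanner deliberately flags every occurrence rather than trying to judge intent: legitimate right-to-left text in source files is rare enough that a reviewer can confirm each finding by hand.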
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, check our Frequently asked questions for CVE-2021-42574, or raise a support request at https://support.atlassian.com/.
References
Security Bug Fix Policy | As per our new policy, high security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released. |
---|---|
Severity Levels | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. |
End of Life Policy | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |