CVE-2022-1471 - SnakeYAML library RCE Vulnerability impacts Multiple Products

Security Advisories & Bulletins

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

SummaryCVE-2022-1471 - SnakeYAML library RCE Vulnerability impacts Multiple Products
Advisory Release DateTue, Dec 05 2023 21:00 PST
Products
  • Automation for Jira app (including Server Lite edition)
  • Bitbucket Data Center
  • Bitbucket Server
  • Confluence Data Center
  • Confluence Server
  • Confluence Cloud Migration App
  • Jira Core Data Center
  • Jira Core Server
  • Jira Service Management Data Center
  • Jira Service Management Server
  • Jira Software Data Center
  • Jira Software Server
CVE IDCVE-2022-1471

Summary of Vulnerability

Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).

Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Severity

Atlassian rates the severity level of this vulnerability as critical (9.8 with the following vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) per our internal assessment.
This is our assessment, and you should evaluate its applicability to your own IT environment.

Affected Versions

This RCE (Remote Code Execution) vulnerability affects all versions listed in the table below.

Atlassian recommends patching to the latest version or a fixed LTS version.

ProductAffected Versions

Automation for Jira (A4J) Marketplace App

Automation for Jira (A4J) - Server Lite Marketplace App

  • 9.0.1

  • 9.0.0

  • <= 8.2.2

Bitbucket Data Center and Server
  • 7.17.x
  • 7.18.x
  • 7.19.x

  • 7.20.x

  • 7.21.0
  • 7.21.1
  • 7.21.2
  • 7.21.3
  • 7.21.4
  • 7.21.5
  • 7.21.6
  • 7.21.7
  • 7.21.8
  • 7.21.9
  • 7.21.10
  • 7.21.11
  • 7.21.12
  • 7.21.13
  • 7.21.14
  • 7.21.15
  • 8.0.x

  • 8.1.x

  • 8.2.x

  • 8.3.x

  • 8.4.x

  • 8.5.x

  • 8.6.x

  • 8.7.x
  • 8.8.0
  • 8.8.1
  • 8.8.2
  • 8.8.3
  • 8.8.4
  • 8.8.5
  • 8.8.6
  • 8.9.0
  • 8.9.1
  • 8.9.2
  • 8.9.3
  • 8.10.0
  • 8.10.1
  • 8.10.2
  • 8.10.3
  • 8.11.0
  • 8.11.1
  • 8.11.2
  • 8.12.0
Confluence Data Center and Server
  • 6.13.x

  • 6.14.x

  • 6.15.x

  • 7.0.x

  • 7.1.x

  • 7.2.x

  • 7.3.x

  • 7.4.x

  • 7.5.x

  • 7.6.x

  • 7.7.x

  • 7.8.x

  • 7.9.x

  • 7.10.x

  • 7.11.x

  • 7.12.x

  • 7.13.0

  • 7.13.1

  • 7.13.2

  • 7.13.3

  • 7.13.4

  • 7.13.5

  • 7.13.6

  • 7.13.7

  • 7.13.8

  • 7.13.9

  • 7.13.10

  • 7.13.11

  • 7.13.12

  • 7.13.13

  • 7.13.14

  • 7.13.15

  • 7.13.16

  • 7.13.17

  • 7.14.x

  • 7.15.x

  • 7.16.x

  • 7.17.x

  • 7.18.x

  • 7.19.0

  • 7.19.1

  • 7.19.2

  • 7.19.3

  • 7.19.4

  • 7.19.5

  • 7.19.6

  • 7.19.7

  • 7.19.8

  • 7.19.9

  • 7.20.x

  • 8.0.x

  • 8.1.x

  • 8.2.x

  • 8.3.0

Confluence Cloud Migration App (CCMA)

Jira Core Data Center and Server

Jira Software Data Center and Server

  • 9.4.0

  • 9.4.1

  • 9.4.2

  • 9.4.3

  • 9.4.4

  • 9.4.5

  • 9.4.6

  • 9.4.7

  • 9.4.8

  • 9.4.9

  • 9.4.10

  • 9.4.11

  • 9.4.12

  • 9.5.x

  • 9.6.x

  • 9.7.x

  • 9.8.x

  • 9.9.x

  • 9.10.x

  • 9.11.0

  • 9.11.1

Jira Service Management Data Center and Server
  • 5.4.0

  • 5.4.1

  • 5.4.2

  • 5.4.3

  • 5.4.4

  • 5.4.5

  • 5.4.6

  • 5.4.7

  • 5.4.8

  • 5.4.9

  • 5.4.10

  • 5.4.11

  • 5.4.12

  • 5.5.x

  • 5.6.x

  • 5.7.x

  • 5.8.x

  • 5.9.x

  • 5.10.x

  • 5.11.0

  • 5.11.1

What You Need To Do

Atlassian recommends that you patch each of your affected product installations to the latest version or one of the listed fixed versions below.

ProductAction

Automation for Jira (A4J) Marketplace App

Automation for Jira (A4J) - Server Lite Marketplace App

Patch to the following fixed versions or later

  • 9.0.2

  • 8.2.4

Mitigation(s)

Upgrade via the Universal Plugin Manager (UPM).

See breaking changes in A4J 9.0+ for more info.
Bitbucket Data Center and Server

Patch to the following fixed versions or later

  • 7.21.16 (LTS)

  • 8.8.7

  • 8.9.4 (LTS)

  • 8.10.4 

  • 8.11.3 

  • 8.12.1 

  • 8.13.0

  • 8.14.0

  • 8.15.0 (Data Center Only)

  • 8.16.0 (Data Center Only)

Mitigation(s)

There is no mitigation for this vulnerability. Please upgrade immediately.

Confluence Data Center and Server

Patch to the following fixed versions or later

  • 7.19.17(LTS) 
  • 8.4.5
  • 8.5.4(LTS)
  • 8.6.2 (Data Center Only)
  • 8.7.1 (Data Center Only)

Fixed in the following versions

The fix is contained in 7.13.18, 7.19.10, and 8.3.1, however these versions also contain previously communicated security vulnerabilities.

Mitigation(s)

There is no mitigation for this vulnerability. Please upgrade immediately.

Confluence Cloud Migration App (CCMA)

Patch to the following fixed version or later

  • 3.4.0

Mitigation(s)

There is no mitigation for this vulnerability. Please upgrade immediately.

Jira Core Data Center and Server

Jira Software Data Center and Server

Patch to the following fixed versions or later

  • 9.11.2

  • 9.12.0 (LTS)

  • 9.4.14 (LTS)

Mitigation(s)

If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).

See breaking changes in A4J 9.0+ for more info (also bundled with Jira 9.11+).

Jira Service Management Data Center and Server

Patch to the following fixed versions or later

  • 5.11.2 

  • 5.12.0 (LTS)

  • 5.4.14 (LTS)

Upgrading Jira to a fixed version is also required.

Mitigation(s)

If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).

See breaking changes in A4J 9.0+ for more info (also bundled with JSM 5.11+).

For a full description of the latest versions, see the release notes for your product below.

You can download the latest version for your product from the download center:

Related Tickets

Frequently Asked Questions

More details can be found on the Frequently Asked Questions (FAQ) page.

Support

If you did not receive an email for this advisory, and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Tech Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/contact/#/.

References

Security Bug Fix PolicyAs per our new policy critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches.
Binary patches are no longer released.
Security Levels for Security IssuesAtlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
End of Life PolicyOur end of life policy varies for different products. Please refer to our EOL Policy for details.
Last modified on Dec 6, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.