CVE-2022-1471 - SnakeYAML library RCE Vulnerability impacts Multiple Products
Summary | CVE-2022-1471 - SnakeYAML library RCE Vulnerability impacts Multiple Products |
Advisory Release Date | Tue, Dec 05 2023 21:00 PST |
Products | See the Affected Versions table below |
CVE ID | CVE-2022-1471 |
Summary of Vulnerability
Multiple Atlassian Data Center and Server products use the SnakeYAML library for Java. In the vulnerable SnakeYAML versions, the library's default Constructor instantiates whatever class a YAML global tag (`!!fully.qualified.ClassName`) names while a document is being loaded, so an attacker who can get an affected product to parse attacker-controlled YAML can drive deserialization into arbitrary classes on the classpath and achieve RCE (Remote Code Execution).
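The following is an added illustration of the library behaviour behind this advisory; it is not code from Atlassian or from any affected product. It assumes SnakeYAML 1.x on the classpath (the `SafeConstructor(LoaderOptions)` form also compiles against 2.x). The `Gadget` class, the YAML document and the method names are constructed for the example; `Gadget` is a harmless stand-in for the attacker-chosen class that a real payload would name, and the point shown is only that the default `new Yaml()` loader resolves the tag and runs code from that class during parsing, while `SafeConstructor` refuses the tag before anything is instantiated.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/** Vulnerable vs. hardened SnakeYAML loading of untrusted input (added example). */
public class SnakeYamlHardening {

    /** Constructed stand-in for an attacker-chosen gadget class on the classpath. */
    public static class Gadget {
        static volatile boolean setterInvoked = false;
        private String command;

        public void setCommand(String command) {
            // A real gadget does something dangerous in its constructor or setter.
            // This one only records that attacker-controlled YAML drove a method
            // call while the document was still being parsed.
            setterInvoked = true;
            this.command = command;
        }

        public String getCommand() {
            return command;
        }
    }

    /** Constructed sample input: the global tag names the class to instantiate. */
    static final String UNTRUSTED_YAML =
        "!!SnakeYamlHardening$Gadget {command: \"id\"}\n";

    /**
     * Vulnerable pattern (CVE-2022-1471): new Yaml() uses the default
     * Constructor, which honours any !!fully.qualified.ClassName tag.
     */
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    /**
     * Hardened pattern: SafeConstructor builds only the standard YAML types
     * (map, seq, str, int, bool, ...) and throws ConstructorException on any
     * global tag, so no application class is ever instantiated from the input.
     */
    static Object loadSafe(String doc) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false); // unrelated to the CVE, but cheap hardening
        return new Yaml(new SafeConstructor(opts)).load(doc);
    }

    public static void main(String[] args) {
        Object built = loadUnsafe(UNTRUSTED_YAML);
        System.out.println("default Constructor built " + built.getClass().getName()
            + ", setter invoked = " + Gadget.setterInvoked);

        Gadget.setterInvoked = false;
        try {
            loadSafe(UNTRUSTED_YAML);
            System.out.println("unexpected: SafeConstructor accepted the global tag");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
        System.out.println("setter invoked under SafeConstructor = " + Gadget.setterInvoked);
    }
}
```

Two points worth checking in your own code review: a typed loader such as `yaml.loadAs(doc, Config.class)` with a `Constructor(Config.class)` does not close the hole in SnakeYAML 1.x, because nested nodes inside the document can still carry global tags that are resolved the same way; and SnakeYAML 2.0 changed the default so that global tags are refused unless the application explicitly allows them through `LoaderOptions.setTagInspector`, which is why upgrading the library (as the product fixes below do) is the durable fix rather than auditing every call site.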
Severity
Atlassian rates the severity level of this vulnerability as critical (9.8 with the following vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) per our internal assessment.
This is our assessment, and you should evaluate its applicability to your own IT environment.
Affected Versions
This RCE (Remote Code Execution) vulnerability affects all versions listed in the table below.
Atlassian recommends patching to the latest version or a fixed LTS version.
Product | Affected Versions |
---|---|
Automation for Jira (A4J) Marketplace App; Automation for Jira (A4J) - Server Lite Marketplace App | |
Bitbucket Data Center and Server | |
Confluence Data Center and Server | |
Confluence Cloud Migration App (CCMA) | |
Jira Core Data Center and Server; Jira Software Data Center and Server | |
Jira Service Management Data Center and Server | |
What You Need To Do
Atlassian recommends that you patch each of your affected product installations to the latest version or one of the listed fixed versions below.
Product | Action |
---|---|
Automation for Jira (A4J) Marketplace App; Automation for Jira (A4J) - Server Lite Marketplace App | Patch to the following fixed versions or later. Mitigation(s): upgrade via the Universal Plugin Manager (UPM). See breaking changes in A4J 9.0+ for more info. |
Bitbucket Data Center and Server | Patch to the following fixed versions or later. Mitigation(s): there is no mitigation for this vulnerability. Please upgrade immediately. |
Confluence Data Center and Server | Patch to the following fixed versions or later. Fixed in the following versions: the fix is contained in 7.13.18, 7.19.10, and 8.3.1; however, these versions also contain previously communicated security vulnerabilities, so upgrade to a later release that also addresses those. Mitigation(s): there is no mitigation for this vulnerability. Please upgrade immediately. |
Confluence Cloud Migration App (CCMA) | Patch to the following fixed version or later. Mitigation(s): there is no mitigation for this vulnerability. Please upgrade immediately. |
Jira Core Data Center and Server; Jira Software Data Center and Server | Patch to the following fixed versions or later. Mitigation(s): if you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). See breaking changes in A4J 9.0+ for more info (A4J 9.0+ is also bundled with Jira 9.11+). |
Jira Service Management Data Center and Server | Patch to the following fixed versions or later. Upgrading Jira to a fixed version is also required. Mitigation(s): if you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). See breaking changes in A4J 9.0+ for more info (A4J 9.0+ is also bundled with JSM 5.11+). |
For a full description of the latest versions, see the release notes for your product below.
- Automation for Jira (A4J) Marketplace App
- Bitbucket Data Center and Server
- Confluence Data Center and Server
- Confluence Cloud Migration App (CCMA)
- Jira Core Data Center and Server
- Jira Service Management Data Center and Server
- Jira Software Data Center and Server
You can download the latest version for your product from the download center:
- Automation for Jira (A4J) Marketplace App (Jira/JSW 9+ & JSM 5+ upgrade via Universal Plugin Manager (UPM))
- Bitbucket Data Center and Server
- Confluence Data Center and Server
- Confluence Cloud Migration App (CCMA)
- Jira Core Data Center and Server
- Jira Service Management Data Center and Server
- Jira Software Data Center and Server
Related Tickets
Frequently Asked Questions
More details can be found on the Frequently Asked Questions (FAQ) page.
Support
If you did not receive an email for this advisory, and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Tech Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/contact/#/.
References
Security Bug Fix Policy | As per our new policy critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released. |
Security Levels for Security Issues | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. |
End of Life Policy | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |