Action Required: RCE Vulnerabilities Identified in Multiple Products

We have discovered four critical vulnerabilities impacting customers of the products listed below. All four vulnerabilities carry a critical CVSS score of 9.0 or higher, and customers must take immediate action to protect their instances.

Please carefully review all of the Critical Security Advisories impacting your Atlassian product(s) to verify affected versions and instructions.

CVE-2023-22524 - RCE Vulnerability in Atlassian Companion app for macOS

  • Confluence Data Center and Server (former and present customers)

CVE-2023-22523 - RCE Vulnerability in Assets Discovery app

  • Jira Service Management Cloud

  • Jira Service Management Data Center and Server

CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server

  • Confluence Data Center and Server

CVE-2022-1471 - SnakeYAML library RCE Vulnerability impacts Multiple Products

  • Bitbucket Data Center and Server

  • Confluence Data Center and Server

  • Confluence Cloud Migration Assistant (CCMA) app

  • Jira Core Data Center and Server

  • Jira Service Management Data Center and Server

  • Jira Software Data Center and Server

  • Automation for Jira (A4J) app (including Server Lite edition)

We found these vulnerabilities as part of an ongoing security review that we are conducting in addition to our continuous security assessments. Your security is our top priority, and we believe that acting proactively is the best approach to protecting your data.

Please follow the linked Critical Security Advisories for future updates.

10 comments

Alberto Yufra December 5, 2023

Links are broken!!

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 5, 2023

@Alberto Yufra The links are working now.

Dave Liao
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
December 5, 2023

Thanks for fixing the links!

David Yu
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 5, 2023

So how exploitable are the SnakeYAML issues on a private instance? It's not like we're letting strangers parse/upload YAML.

Stephen Hodgson December 6, 2023

How did Atlassian allow CVE-2022-1471 to remain in these products for a full year after that CVE was released?

This should have been picked up by any respectable package scanner a long time ago.

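
Stephen's point about package scanners can be made concrete. What follows is an added example, not code from Atlassian or from anyone in this thread: a small Python check that walks a tree of jars and flags any bundled SnakeYAML below 2.0, the release that closed CVE-2022-1471 by no longer letting the default constructor instantiate arbitrary classes named by a global tag. It also descends into jars nested inside other jars, because the advisory lists Marketplace apps (CCMA, A4J) as affected in their own right, and an app can carry its own copy that a scan of the product's lib directory alone would miss. The directory names (WEB-INF/lib, installed-plugins) and the sample jars are constructed here so the script runs offline; version detection relies on the Maven pom.properties and the OSGi Bundle-Version manifest header that the upstream artifact typically carries.

```python
"""Flag bundled SnakeYAML copies older than 2.0 (CVE-2022-1471) in a jar tree.

SnakeYAML 2.0 stopped the default Constructor from instantiating arbitrary
classes named by global tags, so any copy below 2.0 is what a dependency
scanner should report. Jars nested inside other jars (e.g. META-INF/lib/*.jar
in a plugin) are descended into. Sample jars are constructed in memory below.
"""
import io
import re
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 0)  # first release without the vulnerable default constructor
POM_PROPS = "META-INF/maven/org.yaml/snakeyaml/pom.properties"
MARKER_CLASS = "org/yaml/snakeyaml/Yaml.class"


def parse_version(text):
    """'1.33' -> (1, 33); '2.0' -> (2, 0); None when unparseable."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return None if not m else tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version):
    v = parse_version(version)
    return v is not None and v < FIXED_VERSION


def find_snakeyaml(path, data):
    """Yield (location, version) for each SnakeYAML copy in a jar, nested ones included."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # an entry named *.jar that is not actually a zip
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        elif MARKER_CLASS in names and "META-INF/MANIFEST.MF" in names:
            # Fall back to the OSGi header the upstream artifact also carries.
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Bundle-Version:\s*(\S+)", manifest, re.M)
            version = m.group(1) if m else None
        if version is not None:
            yield path, version
        for inner in sorted(names):
            if inner.endswith(".jar"):  # a plugin shipping its own dependencies
                yield from find_snakeyaml(f"{path}!{inner}", zf.read(inner))


def scan_jars(jars):
    """jars: iterable of (path, bytes). Returns [(location, version, vulnerable)]."""
    return [(loc, ver, is_vulnerable(ver))
            for path, data in jars
            for loc, ver in find_snakeyaml(path, data)]


def scan_directory(root):
    """Scan a real tree, e.g. a product's install and home directories."""
    root = Path(root)
    return scan_jars((str(p), p.read_bytes()) for p in sorted(root.rglob("*.jar")))


def make_jar(entries):
    """Constructed in-memory jar from {entry name: bytes or str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def snakeyaml_jar(version, via_manifest=False):
    """Constructed stand-in for the upstream artifact; the class bytes are fake."""
    entries = {MARKER_CLASS: b"\xca\xfe\xba\xbe"}
    if via_manifest:
        entries["META-INF/MANIFEST.MF"] = f"Manifest-Version: 1.0\nBundle-Version: {version}\n"
    else:
        entries[POM_PROPS] = f"groupId=org.yaml\nartifactId=snakeyaml\nversion={version}\n"
    return make_jar(entries)


# Constructed sample tree (paths are assumptions, not any product's real layout):
# an old copy in the lib dir, a fixed copy, an unrelated jar, and a plugin
# that nests its own old copy.
SAMPLE_JARS = [
    ("WEB-INF/lib/snakeyaml-1.33.jar", snakeyaml_jar("1.33")),
    ("WEB-INF/lib/snakeyaml-2.0.jar", snakeyaml_jar("2.0", via_manifest=True)),
    ("WEB-INF/lib/unrelated.jar", make_jar({"com/example/App.class": b"\xca\xfe\xba\xbe"})),
    ("installed-plugins/example-plugin.jar",
     make_jar({"META-INF/lib/snakeyaml-1.30.jar": snakeyaml_jar("1.30")})),
]


def sample_findings():
    return scan_jars(SAMPLE_JARS)


if __name__ == "__main__":
    for loc, ver, vuln in sample_findings():
        print(f"{'VULNERABLE' if vuln else 'ok':<10} {ver:<6} {loc}")
```

On the constructed sample this reports the 1.33 copy and the 1.30 copy nested in the plugin, and passes the 2.0 copy. Point scan_directory() at a real install tree to run it for real. One caveat: a shaded copy, with the classes relocated under another package and no pom.properties, will not be found by this check, so a clean result is necessary, not sufficient; the advisory's affected-version lists remain the authority.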
Bryan Guffey
Community Leader
December 6, 2023

@Andy Heinzer - for clarification, on CVE-2022-1471, it looks as though Jira Software versions <9.0 are not impacted except through the Automation for Jira (A4J) or Automation for Jira (A4J) - Server Lite Marketplace apps, so if one is running Jira Software <9.0, one only needs to update the relevant Marketplace app, is that correct?

Andy Heinzer
Atlassian Team
December 6, 2023

@Bryan Guffey Yes that is correct.

Vickey Palzor Lepcha
Rising Star
December 6, 2023

@Bryan Guffey @Andy Heinzer Looking at the Affected Version List, it seems like versions less than 9.4 of Jira Software are not impacted, and not less than 9.0?


Leo Leung December 8, 2023

My Server products' maintenance has been renewed every year since 2009, but it expired in Oct 2022, as I can see that support for Server products will end on Feb. 15, 2024.

Is there any way to provide security updates for security vulnerabilities that existed for years prior, which affect all versions but were only found and fixed in the latest release in 2023, without having to pay up to USD$3000 for each product to access the latest updates?

Some of these security flaws existed for the whole time I paid maintenance for the last 13 years!

Andy Heinzer
Atlassian Team
December 11, 2023

@Leo Leung While some of the CVEs have mitigations you can apply without an update, in order to resolve the vulnerability properly we typically have to create an updated version. We do not have a means to grant these security fixes to expired licenses. In order to apply these updated versions, you need to have a current and valid license applied to that product. Our Software License Agreement explains that access to these updates is only provided to you during the period for which you paid:

6.1. Support and Maintenance. During the period for which you have paid the applicable Support and Maintenance fee, Atlassian will provide Support and Maintenance for the Software in accordance with the Atlassian Support Policy and Enterprise Support and Services Policy (if applicable).  Support and Maintenance for Software includes access to New Releases, if and when available, and any references to “Software” in this Agreement include New Releases.

You could renew your existing Server license, but if I recall correctly, when renewing an expired license you still have to cover the period between the expiration date and now; furthermore, in regard to Server license renewals, these can only be renewed until February 2024.

Alternatively, you could try to generate a Data Center evaluation on https://my.atlassian.com; however, please be aware that when an eval or Data Center license expires, the product will stop working (this is different from your commercial Server license: when that expires you can still use the product, but you are unable to obtain/apply updated versions released after that license expiration). Also, while applying a Data Center license to an existing Server install could at least let you perform the upgrade, it might complicate the licensing of plugins/apps that might have different terms between Server and Data Center editions.
