English
Contents

German
Inhalte

French
Contenu

Table of Contents

Page properties

Date	20 Jul 2022
Product	Bamboo Server and Data Center Bitbucket Server and Data Center Confluence Server and Data Center Crowd Server and Data Center Fisheye and Crucible Jira Server and Data Center Jira Service Management Server and Data Center
Vulnerability	Critical
CVE	CVE-2022-26136, CVE-2022-26137, CVE-2022-26138
Official link	Multiple Products Security Advisory - 2022-07-20 Questions For Confluence App Security Advisory- CVE-2022-26138

Multiple Products Security Advisory - CVE-2022-26136, CVE-2022-26137, CVE-2022-26138

English

Dear customer,

on the 20th of July 2022 10 PM CEST, Atlassian issued two Security Advisories for it's on-premise software products and the Confluence app Questions for Confluence. The Cloud versions of the applications are not affected.

What you need to know

Atlassian has been made aware of a critical vulnerability in their on-premise software products via Arbitrary Servlet Filter Bypass and Additional Servlet Filter Invocation. Further details about the vulnerability are available in Multiple Products Security Advisory - 2022-07-20. The only current way to secure the applications, is updating to fixed versions.

Additionally Atlassian disclosed a vulnerability in the app Questions for Confluence due to a systemuser with harcoded user credentials. Further details on the vulnerability can be found in Questions For Confluence App Security Advisory - 2022-07-20. Updating Questions for Confluence fixes this vulnerability.

Affected Versions

Product	Affected Versions
Bamboo Server and Data Center	Versions < 8.0.9 8.1.x < 8.1.8 8.2.x < 8.2.4
Bitbucket Server and Data Center	Versions < 7.6.16 All versions 7.7.x through 7.16.x 7.17.x < 7.17.8 All versions 7.18.x 7.19.x < 7.19.5 7.20.x < 7.20.2 7.21.x < 7.21.2 8.0.0 8.1.0
Confluence Server and Data Center	Versions < 7.4.17 All versions 7.5.x through 7.12.x 7.13.x < 7.13.7 7.14.x < 7.14.3 7.15.x < 7.15.2 7.16.x < 7.16.4 7.17.x < 7.17.4 7.18.0
Crowd Server and Data Center	Versions < 4.3.8 4.4.x < 4.4.2 5.0.0
Crucible	Versions < 4.8.10
Fisheye	Versions < 4.8.10
Jira Server and Data Center	Versions < 8.13.22 All versions 8.14.x through 8.19.x 8.20.x < 8.20.10 All versions 8.21.x 8.22.x < 8.22.4
Jira Service Management Server and Data Center	Versions < 4.13.22 All versions 4.14.x through 4.19.x 4.20.x < 4.20.10 All versions 4.21.x 4.22.x < 4.22.4
Questions for Confluence	Any versions 2.7.x and 3.0.x may be affected, refer to What should I do?

Fixed Versions

Note
bitvoodoo recommends using the latest LTS releases of Jira, Confluence, and Bitbucket.

Product	Fixed Versions
Bamboo Server and Data Center	>= 8.0.9 >= 8.1.8 >= 8.2.4 >= 9.0.0
Bitbucket Server and Data Center	>= 7.6.16 (LTS) >= 7.17.8 (LTS) >= 7.19.5 >= 7.20.2 >= 7.21.2 (LTS) >= 8.0.1 >= 8.1.1 >= 8.2.0
Confluence Server and Data Center	>= 7.4.17 (LTS) >= 7.13.7 (LTS) >= 7.14.3 >= 7.15.2 >= 7.16.4 >= 7.17.4 >= 7.18.1 >= 7.19.0
Crowd Server and Data Center	>= 4.3.8 >= 4.4.2 >= 5.0.1
Crucible	>= 4.8.10
Fisheye	>= 4.8.10
Jira Server and Data Center	>= 8.13.22 (LTS) >= 8.20.10 (LTS) >= 8.22.6 >= 9.0.0
Jira Service Management Server and Data Center	>= 4.13.22 (LTS) >= 4.20.10 (LTS) >= 4.22.6 >= 5.0.0

What should I do?

Multiple Products Security Advisory - Servlet Filter Dispatcher Vulnerabilities - CVE-2022-26136, CVE-2022-26137

- On-Premise Products

Localtab Group

Localtab

active	true
title	Server & Data Center
tabIcon	bvicon-server

You use the Server or Data Center variant of any Atlassian application in a version listed in Affected Versions.

Update

Update to a version listed in Fixed Versions.

Note
bitvoodoo recommends using the latest LTS releases of Jira, Confluence and Bitbucket.

Workaround

There are currently no workarounds.

Localtab

title	Cloud
tabIcon	bvicon-cloud

You use Jira, Confluence or Bitbucket Cloud.

Tip
You are not affected by this Security Advisory.

No need for action.

Localtab

title	bitvoodoo Cloud
tabIcon	bvicon-cloud

You use Jira, Confluence or Bitbucket Server or Data Center hosted with bitvoodoo.

Update

LTS Update Package Customers will get an update to the latest LTS release free of charge as soon as possible.

bitvoodoo Cloud customers who do not have an LTS update package will be contacted by bitvoodoo in the coming days for coordination for an update.

Workaround

There are currently no workarounds.

What should I do? - Questions For Confluence App

Security Advisory- Hardcoded Credentials - CVE-2022-26138

Localtab Group

Localtab
title Server & Data Center
tabIcon bvicon-server
You use the app Questions for Confluence in Confluence Server or Data Center.
Determine If You Are Affected
Determine if you are affected by searching for the `disabledsystemuser` user account. If this account does not show up in the list of active users, the Confluence instance is not affected.
Update the App
Update the Questions for Confluence app to a fixed version:
2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)
Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)
Workaround
Search for the `disabledsystemuser` user account and either disable it or delete it. For instructions on how to disable or delete an account (including an explanation of the differences between the two options), refer to:
Delete or Disable Users | Atlassian Documentation

Localtab
title Cloud
tabIcon bvicon-cloud
You use Confluence Cloud.
Tip
You are not affected by this Security Advisory.
No need for action.

Localtab
title bitvoodoo Cloud
tabIcon bvicon-cloud
You use the app Questions for Confluence in Confluence Server or Data Center hosted with bitvoodoo.
Tip
bitvoodoo already updated Questions for Confluence in all Confluence installation hosted with bitvoodoo.
No need for action.

Further Reading
CVE-2022-26136
CVE-2022-26137
CVE-2022-26138
Multiple Products Security Advisory - 2022-07-20
Questions For Confluence App Security Advisory - 2022-07-20

Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.

German

Sehr geehrte Kunden,

Atlassian hat am 20. Juli 2022, 10 Uhr MESZ, zwei Security Advisories für seine On-Premise-Softwareprodukte und die Confluence-App Questions for Confluence veröffentlicht. Die Cloud-Versionen der Anwendungen sind nicht betroffen.

Was Sie wissen müssen

Atlassian wurde auf eine kritische Sicherheitslücke in seinen On-Premise-Softwareprodukten aufmerksam gemacht, die durch Arbitrary Servlet Filter Bypass und Additional Servlet Filter Invocation entsteht. Weitere Details zu dieser Sicherheitslücke finden Sie im Multiple Products Security Advisory - 2022-07-20. Die einzige Möglichkeit, die Anwendungen abzusichern, ist ein Update auf eine korrigierte Version.

Darüber hinaus hat Atlassian eine Sicherheitslücke in der App Questions für Confluence bekannt gegeben, die durch einen Systembenutzer mit fest hinterlegten Benutzeranmeldeinformationen verursacht wird. Weitere Details zu dieser Sicherheitslücke finden Sie im Questions for Confluence App Security Advisory - 2022-07-20. Ein Update von Questions for Confluence behebt diese Sicherheitslücke.

Betroffene Versionen

Produkt	Betroffene Versionen
Bamboo Server and Data Center	Versionen < 8.0.9 8.1.x < 8.1.8 8.2.x < 8.2.4
Bitbucket Server and Data Center	Versionen < 7.6.16 Alle Versionen 7.7.x bis 7.16.x 7.17.x < 7.17.8 Alle Versionen 7.18.x 7.19.x < 7.19.5 7.20.x < 7.20.2 7.21.x < 7.21.2 8.0.0 8.1.0
Confluence Server and Data Center	Versionen < 7.4.17 Alle Versionen 7.5.x bis 7.12.x 7.13.x < 7.13.7 7.14.x < 7.14.3 7.15.x < 7.15.2 7.16.x < 7.16.4 7.17.x < 7.17.4 7.18.0
Crowd Server and Data Center	Versionen < 4.3.8 4.4.x < 4.4.2 5.0.0
Crucible	Versionen < 4.8.10
Fisheye	Versionen < 4.8.10
Jira Server and Data Center	Versionen < 8.13.22 Alle Versionen 8.14.x bis 8.19.x 8.20.x < 8.20.10 Alle Versionen 8.21.x 8.22.x < 8.22.4
Jira Service Management Server and Data Center	Versionen < 4.13.22 Alle Versionen 4.14.x bis 4.19.x 4.20.x < 4.20.10 Alle Versionen 4.21.x 4.22.x < 4.22.4
Questions for Confluence	Versionen 2.7.x und 3.0.x können betroffen sein, prüfen Sie Was soll ich tun?

Fix-Versionen

Note
bitvoodoo empfiehlt die Verwendung der neusten LTS Versionen von Jira, Confluence und Bitbucket.

Produkt	Fix-Versionen
Bamboo Server and Data Center	>= 8.0.9 >= 8.1.8 >= 8.2.4 >= 9.0.0
Bitbucket Server and Data Center	>= 7.6.16 (LTS) >= 7.17.8 (LTS) >= 7.19.5 >= 7.20.2 >= 7.21.2 (LTS) >= 8.0.1 >= 8.1.1 >= 8.2.0
Confluence Server and Data Center	>= 7.4.17 (LTS) >= 7.13.7 (LTS) >= 7.14.3 >= 7.15.2 >= 7.16.4 >= 7.17.4 >= 7.18.1 >= 7.19.0
Crowd Server and Data Center	>= 4.3.8 >= 4.4.2 >= 5.0.1
Crucible	>= 4.8.10
Fisheye	>= 4.8.10
Jira Server and Data Center	>= 8.13.22 (LTS) >= 8.20.10 (LTS) >= 8.22.6 >= 9.0.0
Jira Service Management Server and Data Center	>= 4.13.22 (LTS) >= 4.20.10 (LTS) >= 4.22.6 >= 5.0.0

Was soll ich tun?

Multiple Products Security Advisory - Servlet Filter Dispatcher Vulnerabilities - CVE-2022-26136, CVE-2022-26137

Localtab Group

Localtab

active	true
title	Server & Data Center
tabIcon	bvicon-server

Sie verwenden die Server- oder Data Center-Variante eines Atlassian-Produkt in einer Version, die unter Betroffene Versionen aufgeführt ist.

Update

Aktualisieren Sie auf eine Version, die unter Fix-Versionen aufgeführt ist.

Note
bitvoodoo empfiehlt die Verwendung der neusten LTS Versionen von Jira, Confluence und Bitbucket.

Workaround

Derzeit gibt es keinen Workaround.

Localtab

title	Cloud
tabIcon	bvicon-cloud

Sie verwenden Jira, Confluence oder Bitbucket Cloud.

Tip
Sie sind von diesem Security Advisory nicht betroffen.

Es besteht kein Handlungsbedarf.

Localtab

title	bitvoodoo Cloud
tabIcon	bvicon-cloud

Sie verwenden Jira, Confluence oder Bitbucket Server oder Data Center gehostet mit bitvoodoo.

Update

LTS Update Package Kunden erhalten so schnell wie möglich ein kostenloses Update auf die neueste LTS-Version.

bitvoodoo Cloud Kunden, die kein LTS Update Paket haben, werden in den kommenden Tagen für die Koordination für ein Update von bitvoodoo kontaktiert.

Workaround

Derzeit gibt es keinen Workaround.

Questions For Confluence App Security Advisory- Hardcoded Credentials - CVE-2022-26138

Localtab Group

Localtab

title	Server & Data Center
tabIcon	bvicon-server

Sie verwenden die App Questions for Confluence in Confluence Server oder Data Center.

Bestimmen Sie, ob Sie betroffen sind

Stellen Sie fest ob ihre Instanz betroffen ist indem sie prüfen ob der disabledsystemuser User-Account existiert und aktiviert ist. Wenn dieses Konto nicht in der Liste der aktiven Benutzer auftaucht, ist die Confluence-Instanz nicht betroffen.

Update the App

Updaten Sie Questions for Confluence:

2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)
Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)

Workaround

Suchen Sie den disabledsystemuser User-Account und deaktivieren oder löschen Sie den User. Anweisungen zum Deaktivieren oder Löschen eines Users (einschliesslich einer Erklärung der Unterschiede zwischen den beiden Optionen) finden Sie unter:

Delete or Disable Users | Atlassian Documentation

Localtab

title	Cloud
tabIcon	bvicon-cloud

Sie verwenden Confluence Cloud.

Tip
Sie sind von diesem Security Advisory nicht betroffen.

Es besteht kein Handlungsbedarf.

Localtab

title	bitvoodoo Cloud
tabIcon	bvicon-cloud

You use the app Questions for Confluence in Confluence Server or Data Center hosted with bitvoodoo.

Tip
bitvoodoo hat bereits Questions for Confluence in allen Confluence-Installationen, die mit bitvoodoo gehostet werden, aktualisiert.

Es besteht kein Handlungsbedarf.

Weitere Informationen

CVE-2022-26136
CVE-2022-26137
CVE-2022-26138
Multiple Products Security Advisory - 2022-07-20
Questions For Confluence App Security Advisory - 2022-07-20

Support

Wenn Sie noch Fragen oder Bedenken zu diesem Advisory haben, wenden Sie sich bitte an den bitvoodoo Support via support.bitvoodoo.ch.

French

Cher client,

....

Ce qui est à savoir

....

Versions concernées

....

Versions sécurisées

....

Mesures à prendre

...

Localtab Group

Localtab

active	true
title	Server & Data Center
tabIcon	bvicon-server

Mise à jour

...

Mesure de contournement (Workaround)

....

Localtab

title	Cloud
tabIcon	bvicon-cloud

You use Cloud

Tip
You are not affected by this Security Advisory.

No need for action.

Localtab

title	bitvoodoo Cloud
tabIcon	bvicon-cloud

Mise à jour

....

Workaround

....

Pour plus d’information

CVE....
....

Support

Si vous avez des questions concernant cette faille de sécurité, veuillez contact le support de bitvoodoo par e-mail support.bitvoodoo.ch.

...

Page History

Versions Compared

Old Version 3

New Version 4

Key

Multiple Products Security Advisory - CVE-2022-26136, CVE-2022-26137, CVE-2022-26138

What you need to know

Fixed Versions

What should I do?

- On-Premise Products

Update

Workaround

Update

Workaround

What should I do? - Questions For Confluence App

Determine If You Are Affected

Update the App

Workaround

Support

Betroffene Versionen

Fix-Versionen

Was soll ich tun?

Multiple Products Security Advisory - Servlet Filter Dispatcher Vulnerabilities - CVE-2022-26136, CVE-2022-26137

Workaround

Update

Workaround

Questions For Confluence App Security Advisory- Hardcoded Credentials - CVE-2022-26138

Bestimmen Sie, ob Sie betroffen sind

Update the App

Workaround

Weitere Informationen

Support

Ce qui est à savoir

Versions concernées

....

Versions sécurisées

....

Mesures à prendre

Mise à jour

Mesure de contournement (Workaround)

Mise à jour

Workaround

Pour plus d’information

Support

Pages

Recently updated

Favourite Pages