bitvoodoo Advisories
Date: 

Product:
  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crucible
  • Fisheye
  • Jira Service Management Server and Data Center (and Insight Asset Management app)
  • Jira Software Server and Data Center (including Jira Core)
  • Jira and Confluence Server mobile apps

Vulnerability: High

Official link: Link

Dear customer,

On Monday evening Atlassian published a security advisory describing a vulnerability that affects several of its products.

What you need to know

An issue was discovered in the Unicode Bidirectional Algorithm. This is a general issue affecting a broad range of software, not only Atlassian products. To our knowledge, the flaw is not currently being exploited in the wild. Most Atlassian products are affected. The underlying Unicode issue is being investigated by several authorities; more information regarding Atlassian will follow as it becomes available to us.

What is the Bidirectional Algorithm?

The Bidirectional Algorithm is what text renderers use to display text that mixes left-to-right and right-to-left scripts. It is driven by control characters that are needed when working with right-to-left scripts such as Arabic and Hebrew (these are examples; other right-to-left scripts need them as well). Browsers and most code editors do not display these control characters. The same characters can also be inserted by hand into otherwise left-to-right text such as source code, so that the code a reader sees differs from the code a compiler or interpreter processes; that is what this vulnerability abuses.

Am I affected?

Please see Affected versions.

What should I do?

The fix Atlassian ships in the updated product versions does not remove the underlying Unicode issue. It mitigates it by highlighting bidirectional control characters where code is displayed in the products and warning users to check what those characters are doing before trusting the code. Note that the warning only appears in the places Atlassian updated; text copied out of a product into an editor, build or deployment pipeline is still subject to the same problem there.

We suspect that only a small number of our Swiss customers work with localisations that need the Bidirectional Algorithm, so the urgency may differ from case to case. Nonetheless we follow Atlassian's recommendations. Updating to the fixed versions listed below puts the described mitigation in place.


Further Reading

Affected versions and fixed versions by product (Server and Data Center)

Affected versions
  • All versions before 8.0.4
Fixed versions
  • Version 8.0.4 or newer

Affected versions
  • All versions before 6.10.14
  • All versions between 7.0.0 and 7.5.2 (inclusive)
  • All 7.6.x LTS versions before 7.6.10
  • All versions between 7.7.0 and 7.16.1 (inclusive)
  • All 7.17.x LTS versions before 7.17.1
Fixed versions
  • Version 6.10.14
  • Version 7.6.10
  • Version 7.17.1 or newer

Affected versions
  • All versions before 7.4.13
  • All versions between 7.5.0 and 7.12.5 (inclusive)
  • All 7.13.x LTS versions before 7.13.2
  • Version 7.14.0
Fixed versions
  • Version 7.4.13
  • Version 7.13.2
  • Version 7.14.1 or newer

Affected versions
  • All versions before 4.8.8
Fixed versions
  • Version 4.8.8 or newer

Affected versions
  • All versions before 4.8.8
Fixed versions
  • Version 4.8.8 or newer

Affected versions
  • All versions before 4.13.13
  • All versions between 4.14.0 and 4.19.1 (inclusive)
  • All 4.20.x LTS versions before 4.20.1
Fixed versions
  • Version 4.13.13
  • Version 4.20.1 or newer

Affected versions
  • All versions before 8.9.4
Fixed versions
  • Version 8.9.4 or newer

Affected versions
  • All versions before 8.13.13
  • All versions between 8.14.0 and 8.19.1 (inclusive)
  • All 8.20.x LTS versions before 8.20.1
Fixed versions
  • Version 8.13.13
  • Version 8.20.1 or newer

For information on how this affects Atlassian Cloud sites, see CVE-2021-42574 - Unrendered unicode bidirectional override characters in Cloud sites

If your Atlassian site is accessed via an atlassian.net domain, it is an Atlassian Cloud site.

More details on CVE-2021-42574 - Unicode bidirectional override character Trojan Source attack

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in Atlassian's severity levels. The scale allows them to rank the severity as critical, high, moderate or low.

This is Atlassian's assessment and you should evaluate its applicability to your own IT environment.

Description

A vulnerability has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter.
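The scanner below is an added example for this page; it is not Atlassian's code and not part of the advisory or of any bitvoodoo tooling. It does for a local file what the product fix above does for displayed code: it reports every Unicode bidirectional control character with its line and column, and additionally flags overrides and isolates that are still in effect at the end of a line, which is the shape of the "commenting-out" technique that the description above (and the "What should I do?" section) warns about. The sample input is constructed for this example, modelled on the published Trojan Source pattern; the function and file names are the example's own.

```python
"""Find Unicode bidirectional control characters in text (CVE-2021-42574, "Trojan Source").

Added example for this advisory page; not Atlassian's or bitvoodoo's code.
Usage: python bidi_scan.py [FILE]   (no FILE: scans the constructed SAMPLE below)
"""
import sys
import unicodedata
from dataclasses import dataclass

# Formatting characters the Trojan Source paper abuses. Embeddings and overrides are
# closed by PDF (U+202C), isolates by PDI (U+2069); the marks do not nest at all.
EMBED_OR_OVERRIDE = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
PDF = "\u202c"
ISOLATES = {"\u2066", "\u2067", "\u2068"}                    # LRI, RLI, FSI
PDI = "\u2069"
MARKS = {"\u200e", "\u200f", "\u061c"}                       # LRM, RLM, ALM
BIDI_CONTROLS = EMBED_OR_OVERRIDE | ISOLATES | MARKS | {PDF, PDI}


@dataclass
class Finding:
    line: int                   # 1-based line number
    column: int                 # 0-based code point offset within the line
    char: str                   # the control character itself
    name: str                   # Unicode character name
    unterminated: bool = False  # opened but still in effect at the end of the line

    @property
    def codepoint(self) -> str:
        return f"U+{ord(self.char):04X}"


def scan_line(line_no: int, line: str) -> list[Finding]:
    """Report every bidi control in one line; flag openers that are never closed.

    Nesting follows the Unicode Bidirectional Algorithm closely enough for triage:
    PDF closes the innermost embedding/override unless an isolate is open above it,
    PDI closes everything up to and including the innermost open isolate.
    """
    findings: list[Finding] = []
    stack: list[Finding] = []  # currently open embeddings, overrides and isolates
    for col, ch in enumerate(line):
        if ch not in BIDI_CONTROLS:
            continue
        finding = Finding(line_no, col, ch, unicodedata.name(ch))
        findings.append(finding)
        if ch in EMBED_OR_OVERRIDE or ch in ISOLATES:
            stack.append(finding)
        elif ch == PDF and stack and stack[-1].char in EMBED_OR_OVERRIDE:
            stack.pop()
        elif ch == PDI and any(f.char in ISOLATES for f in stack):
            while stack[-1].char not in ISOLATES:
                stack.pop()
            stack.pop()
    for finding in stack:  # whatever is still open at the end of the line
        finding.unterminated = True
    return findings


def scan_text(text: str) -> list[Finding]:
    return [f for n, line in enumerate(text.splitlines(), 1) for f in scan_line(n, line)]


def report(text: str) -> list[str]:
    """Human-readable lines, one per finding, in file order."""
    out = []
    for f in scan_text(text):
        flag = "  <-- still open at end of line" if f.unterminated else ""
        out.append(f"line {f.line} col {f.column}: {f.codepoint} {f.name}{flag}")
    return out


# Constructed sample (not from the advisory) modelled on the "commenting-out" pattern
# in the Trojan Source paper. A bidi-aware viewer renders line 2 as
#     if access_level != 'none': # Check if admin
# but the string literal really runs on to the closing quote, so the "!=" comparison
# is always true and the admin branch is always taken.
SAMPLE = (
    'access_level = "user"\n'
    "if access_level != 'none\u202e\u2066 # Check if admin\u2069\u2066':\n"
    '    print("You are an admin.")\n'
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for line in report(text) or ["no bidirectional control characters found"]:
        print(line)
    sys.exit(1 if scan_text(text) else 0)
```

Any hit deserves a look, but the flag is what separates the two cases this advisory distinguishes: legitimate right-to-left localisation normally shows up as a balanced isolate pair around a string literal, while an override that is still open at the end of a code line is the signature of text that renders differently from how it is parsed. The non-zero exit status makes the script usable as a pre-commit or CI gate on repositories that mirror Bitbucket content.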

Acknowledgements

The issue was identified and reported by Nicholas Boucher and Ross Anderson of the University of Cambridge. Details are disclosed at CVE-2021-42574.


Fix

Atlassian recommends that you upgrade to the latest version. For a full description of the latest versions, see the release notes for your product.

You can download the latest version of your product from the Atlassian download center.


Mitigation

The fix involved updating a number of common places where code is displayed, such as in a pull request, code snippet, or code block, to highlight bidirectional characters. A tooltip prompts users to take some time to understand what the characters are doing, and how the code will be interpreted when executed.

Here's an example of the message when viewing a Confluence Data Center page with a code block.

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, check out Atlassian's Frequently asked questions for CVE-2021-42574, or raise a support request at support.atlassian.com with Atlassian support or at support.bitvoodoo.ch with bitvoodoo support.
