bitvoodoo Advisories BVADVIS

Page version 1

Date:

Product:
  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Fisheye and Crucible
  • Jira Server and Data Center
  • Jira Service Management Server and Data Center

Vulnerability: Critical
CVE: CVE-2022-26136, CVE-2022-26137
Official link: Multiple Products Security Advisory - 2022-07-20



Multiple Products Security Advisory - Servlet Filter Dispatcher Vulnerabilities - CVE-2022-26136, CVE-2022-26137

Dear customer,

On the 20th of July 2022 at 10 PM CEST, Atlassian issued two Security Advisories for its on-premise software products and for the Confluence app Questions for Confluence. The Cloud versions of the applications are not affected.

What you need to know

Atlassian has been made aware of a critical vulnerability in its on-premise software products: arbitrary servlet filter bypass and additional servlet filter invocation. Further details about the vulnerability are available in Atlassian's announcement, Multiple Products Security Advisory - 2022-07-20.

The only current way to secure the applications is updating to a fixed version. bitvoodoo highly recommends using LTS releases of Jira and Confluence.

Affected Versions

Product and affected versions:

Bamboo Server and Data Center

  • Versions < 8.0.9

  • 8.1.x < 8.1.8

  • 8.2.x < 8.2.4

Bitbucket Server and Data Center

  • Versions < 7.6.16

  • All versions 7.7.x through 7.16.x

  • 7.17.x < 7.17.8

  • All versions 7.18.x

  • 7.19.x < 7.19.5

  • 7.20.x < 7.20.2

  • 7.21.x < 7.21.2

  • 8.0.0

  • 8.1.0

Confluence Server and Data Center

  • Versions < 7.4.17

  • All versions 7.5.x through 7.12.x

  • 7.13.x < 7.13.7

  • 7.14.x < 7.14.3

  • 7.15.x < 7.15.2

  • 7.16.x < 7.16.4

  • 7.17.x < 7.17.4

  • 7.18.0

Crowd Server and Data Center

  • Versions < 4.3.8

  • 4.4.x < 4.4.2

  • 5.0.0

Crucible

  • Versions < 4.8.10

Fisheye

  • Versions < 4.8.10

Jira Server and Data Center

  • Versions < 8.13.22

  • All versions 8.14.x through 8.19.x

  • 8.20.x < 8.20.10

  • All versions 8.21.x

  • 8.22.x < 8.22.4

Jira Service Management Server and Data Center

  • Versions < 4.13.22

  • All versions 4.14.x through 4.19.x

  • 4.20.x < 4.20.10

  • All versions 4.21.x

  • 4.22.x < 4.22.4

Fixed Versions

Product and fixed versions:

Bamboo Server and Data Center

  • 8.0.x >= 8.0.9

  • 8.1.x >= 8.1.8

  • 8.2.x >= 8.2.4

  • Versions >= 9.0.0

Bitbucket Server and Data Center

  • 7.6.x >= 7.6.16 (LTS)

  • 7.17.x >= 7.17.8 (LTS)

  • 7.19.x >= 7.19.5

  • 7.20.x >= 7.20.2

  • 7.21.x >= 7.21.2 (LTS)

  • 8.0.x >= 8.0.1

  • 8.1.x >= 8.1.1

  • Versions >= 8.2.0

Confluence Server and Data Center

  • 7.4.x >= 7.4.17 (LTS)

  • 7.13.x >= 7.13.7 (LTS)

  • 7.14.x >= 7.14.3

  • 7.15.x >= 7.15.2

  • 7.16.x >= 7.16.4

  • 7.17.x >= 7.17.4

  • 7.18.x >= 7.18.1

  • Versions >= 7.19.0

Crowd Server and Data Center

  • 4.3.x >= 4.3.8

  • 4.4.x >= 4.4.2

  • Versions >= 5.0.1

Crucible

  • Versions >= 4.8.10

Fisheye

  • Versions >= 4.8.10

Jira Server and Data Center

  • 8.13.x >= 8.13.22 (LTS)

  • 8.20.x >= 8.20.10 (LTS)

  • 8.22.x >= 8.22.4
    Note: 8.22.4 contains a high impact non-security bug. Atlassian recommends updating to 8.22.6 or later.

  • Versions >= 9.0.0

Jira Service Management Server and Data Center

  • 4.13.x >= 4.13.22 (LTS)

  • 4.20.x >= 4.20.10 (LTS)

  • 4.22.x >= 4.22.4
    Note: 4.22.5 contains a security vulnerability. Atlassian recommends updating to 4.22.6 or later.

  • Versions >= 5.0.0
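As an added example (not part of the bitvoodoo advisory and not Atlassian tooling), the Confluence rows of the two tables above encoded as version ranges, so an inventory script can flag an installed Confluence Server or Data Center version and report the first fixed release on its branch. The range table and the `advise` wording are this example's own; the version numbers come from the tables above.

```python
"""Added example (not bitvoodoo's or Atlassian's code): flag an installed
Confluence Server / Data Center version against the advisory's ranges."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'7.13.7' -> (7, 13, 7). A suffix such as '-m1' is ignored and missing
    components are padded with 0 so tuples compare cleanly."""
    parts = [int(p) for p in text.split("-")[0].split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


# Affected ranges for Confluence from the advisory, as [low, high) with the
# upper bound exclusive; None means "no lower bound".
CONFLUENCE_AFFECTED: List[Tuple[Optional[Version], Version]] = [
    (None, (7, 4, 17)),         # Versions < 7.4.17
    ((7, 5, 0), (7, 13, 0)),    # All versions 7.5.x through 7.12.x
    ((7, 13, 0), (7, 13, 7)),   # 7.13.x < 7.13.7
    ((7, 14, 0), (7, 14, 3)),   # 7.14.x < 7.14.3
    ((7, 15, 0), (7, 15, 2)),   # 7.15.x < 7.15.2
    ((7, 16, 0), (7, 16, 4)),   # 7.16.x < 7.16.4
    ((7, 17, 0), (7, 17, 4)),   # 7.17.x < 7.17.4
    ((7, 18, 0), (7, 18, 1)),   # 7.18.0
]

# First fixed release per branch (major, minor) from the Fixed Versions table.
CONFLUENCE_FIXED: Dict[Tuple[int, int], Version] = {
    (7, 4): (7, 4, 17), (7, 13): (7, 13, 7), (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2), (7, 16): (7, 16, 4), (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}


def is_affected(installed: str) -> bool:
    """True if the installed version falls inside any affected range."""
    v = parse_version(installed)
    return any((lo is None or v >= lo) and v < hi for lo, hi in CONFLUENCE_AFFECTED)


def advise(installed: str) -> str:
    """Human-readable verdict: not affected, the fix on this branch, or a
    branch (e.g. 7.5 to 7.12) that received no fix and must be left."""
    if not is_affected(installed):
        return "not affected"
    fixed = CONFLUENCE_FIXED.get(parse_version(installed)[:2])
    if fixed is None:
        return "affected; branch has no fix, move to a fixed branch (LTS recommended)"
    return "update to " + ".".join(str(n) for n in fixed)
```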

What should I do?

If you use the Server or Data Center variant of any Atlassian application in a version listed in Affected Versions:

Update

Update to a version listed in Fixed Versions.

Workaround

There are currently no workarounds!

If you use the Cloud variant of any Atlassian application:

You are not affected by this Security Advisory.

No need for action.


If you use the Server or Data Center variant of any Atlassian application in a version listed in Affected Versions:

Update

Ask bitvoodoo to update to a version listed in Fixed Versions.

Customers with an LTS Update Package will receive an update to the latest LTS release free of charge as soon as possible.

Workaround

There are currently no workarounds!

Further Reading

  • CVE...
  • ...

Support

If you still have questions or concerns regarding this advisory, please contact bitvoodoo support via support.bitvoodoo.ch.
