Dear customer,

On Monday evening Atlassian published a security advisory pointing to a security vulnerability in several products.

What you need to know

An issue was discovered in the Unicode Bidirectional Algorithm. This is a general security issue affecting a broad range of software. To the general knowledge, this flaw is currently not being exploited. Most of Atlassian's products are affected by this flaw. The general flaw in Unicode is currently under investigation by several authorities. The severity of the issue itself has not yet been published. More information regarding Atlassian will follow when available to us.

What is the Bidirectional Algorithm?

The Bidirectional Algorithm may be necessary when working with the affected control characters. These control characters are automatically used when working with localizations such as Arabic and some Japanese character sets, and are typically not displayed by the browser. These are just examples; more character sets need the affected control characters, and inserting these characters manually is also affected.

Am I affected?

Please see Affected versions.

What should I do?

The fix Atlassian proposes, updating the products, doesn't close this vulnerability but rather mitigates it by displaying user-facing information when working with bidirectional characters, warning users not to work with these characters. We suspect only a small number of our Swiss customers work with localizations needing the Bidirectional Algorithm, so the urgency might differ from case to case. Nonetheless, we follow Atlassian's recommendations. Updating according to the fixed versions will put the described mitigation in place.

Further Reading
Affected versions and fixed versions by product
More details on CVE-2021-42574 - Unicode bidirectional override character trojan source attack

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in our Atlassian severity levels. The scale allows them to rank the severity as critical, high, moderate or low. This is Atlassian's assessment and you should evaluate its applicability to your own IT environment.

Description

A vulnerability has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter.

Acknowledgements

The issue was identified and reported by Nicholas Boucher and Ross Anderson of the University of Cambridge. Details are disclosed at CVE-2021-42574.

Fix

Atlassian recommends that you upgrade to the latest version. For a full description of the latest versions, see the release notes for your product:
You can download the latest version of your product from the download center:

Mitigation

The fix involved updating a number of common places where code is displayed, such as in a pull request, code snippet, or code block, to highlight bidirectional characters. A tooltip prompts users to take some time to understand what the characters are doing, and how the code will be interpreted when executed. Here's an example of the message when viewing a Confluence Data Center page with a code block.

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails. If you have questions or concerns regarding this advisory, check out Atlassian's Frequently asked questions for CVE-2021-42574, or raise a support request at support.atlassian.com with Atlassian support or at support.bitvoodoo.ch with bitvoodoo support.
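As an added example (not code from this advisory or from Atlassian), here is the kind of check the Mitigation section describes: scanning text for the Unicode bidirectional control characters that browsers and editors hide, flagging any that are still in effect at the end of a line, and rendering them visibly as a review UI would. The sample input is constructed, and the stack-based pairing is a simplification of the full Unicode algorithm.

```python
# Unicode bidirectional control characters: explicit embeddings/overrides
# (U+202A..U+202E), isolates (U+2066..U+2069) and the implicit marks.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO",
    "\u202C": "PDF",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200E": "LRM", "\u200F": "RLM", "\u061C": "ALM",
}
OPENERS = {"LRE", "RLE", "LRO", "RLO", "LRI", "RLI", "FSI"}
CLOSES = {"PDF": {"LRE", "RLE", "LRO", "RLO"}, "PDI": {"LRI", "RLI", "FSI"}}

def scan_bidi(text):
    """Return (line, column, name, unterminated) for every bidi control.
    unterminated is True when an opener is still active at the end of its line
    (simplified pairing: PDF closes the innermost embedding/override, PDI the innermost isolate)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        open_idx = []  # indexes into findings of openers not yet closed
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name is None:
                continue
            findings.append([lineno, col, name, False])
            if name in OPENERS:
                open_idx.append(len(findings) - 1)
            elif name in CLOSES and open_idx and findings[open_idx[-1]][2] in CLOSES[name]:
                open_idx.pop()
        for idx in open_idx:  # still open when the line ended
            findings[idx][3] = True
    return [tuple(f) for f in findings]

def highlight(text):
    """Render each bidi control as a visible <NAME> tag, as a review UI would."""
    return "".join(f"<{BIDI_CONTROLS[ch]}>" if ch in BIDI_CONTROLS else ch
                   for ch in text)

# Constructed sample: a clean line, a comment carrying an RLO that is never
# closed, and a correctly closed right-to-left isolate inside a string.
SAMPLE = (
    "total = a + b\n"
    "flag = False  # check \u202Eabc\n"
    "label = '\u2067\u0639\u0631\u0628\u064A\u2069'\n"
)

if __name__ == "__main__":
    for line, col, name, unterminated in scan_bidi(SAMPLE):
        print(f"line {line} col {col}: {name}{' (unterminated)' if unterminated else ''}")
    print(highlight(SAMPLE))
```

Running it reports the unterminated RLO on line 2 and the properly paired RLI/PDI on line 3, and prints the sample with every control made visible.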