Vulnerable version of xmlsec used - CVE-2021-40690 in atlassian-authentication-plugin

Source: jira.atlassian.com, JRASERVER-74420
Reporter: security-metrics-bot (Atlassian)
Published: Oct 19, 2022 - 10:02 a.m.
Tags: xmlsec, atlassian-authentication-plugin, cve-2021-40690, vulnerability, jira, workaround, upgrade, security patch, atlassian-bundled-plugins, atlassian-marketplace, data-center cluster

CVSS2: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Attack Vector: NETWORK | Attack Complexity: LOW | Authentication: NONE
  Confidentiality Impact: PARTIAL | Integrity Impact: NONE | Availability Impact: NONE

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE
  Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: NONE | Availability Impact: NONE

EPSS: 0.001 (percentile 43.8%)

Recently we have identified that, on top of the libraries mentioned in JRASERVER-73580, another library (atlassian-authentication-plugin) has a transitive dependency on xmlsec that could be affected by the vulnerability described in [CVE-2021-40690|https://nvd.nist.gov/vuln/detail/CVE-2021-40690]. That CVE is an Apache Santuario XML Security for Java issue: the secureValidation setting is not applied when a KeyInfo is built from a KeyInfoReference, so a crafted XPath transform inside a RetrievalMethod can disclose local XML files, which is why the CVSS vector scores confidentiality only.
(i) Note that, based on our assessment, the vulnerability is more theoretical and no known exploits exist.

Jira ships the impacted atlassian-authentication-plugin in versions prior to 8.20.13 and in versions from 8.21.0 before 9.0.0. Note that 8.21.x and 8.22.x remain affected even though the 8.20.x line is fixed from 8.20.13; the feature releases are only fixed from 9.0.0.
h4. Affected versions:

  • All bug-fix versions in 8.13.x series
  • version < 8.20.13
  • version ≥ 8.21.0 and version < 9.0.0

h4. Fixed versions:

  • >= 8.20.13
  • >= 9.0.0

h3. Workaround for Affected Versions

Deploy the new atlassian-authentication-plugin-4.2.12.jar or higher.
{panel}
(i) The first fixed version of this library is atlassian-authentication-plugin-4.2.11.jar; however, we recommend atlassian-authentication-plugin-4.2.12.jar or higher so that you also pick up the fix for the separate defect described in JRASERVER-73257.
{panel}
+Detailed Steps+

  1. Navigate to <Jira-installation-directory>/atlassian-jira/WEB-INF/atlassian-bundled-plugins
  2. Move the existing atlassian-authentication-plugin-4.x.x jar to a temporary directory outside the Jira installation directory (this is your backup in case you need to roll back the change).
  3. Download atlassian-authentication-plugin-4.2.12.jar or higher from the [marketplace|https://marketplace.atlassian.com/apps/1216096/sso-for-atlassian-server-and-data-center/version-history]
  4. Copy the downloaded atlassian-authentication-plugin-4.2.12.jar (or higher) to <Jira-installation-directory>/atlassian-jira/WEB-INF/atlassian-bundled-plugins
  5. Stop the Jira service.
  6. Clear the OSGi caches by removing the two folders below:
{code}
<jira-local-home>/plugins/.bundled-plugins
<jira-local-home>/plugins/.osgi-plugins{code}
  7. Start the Jira service.

(i) If you have more than one node in a data center cluster, perform all of the above steps on each Jira node.
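The affected-version ranges and the seven-step workaround above, scripted as an added example. This is editor-written shell, not Atlassian's own tooling: the function names (version_cmp, jira_affected, plugin_status, find_bundled_plugin, apply_workaround) are the example's, the operator supplies the running Jira version (as shown in the Jira administration console) rather than the script reading it from disk, the replacement jar is assumed to be already downloaded from Marketplace to a local path, and Jira is assumed to be stopped before apply_workaround runs and started again afterwards. That puts the file operations after the stop, which is slightly more conservative than the order given above (the bundled plugin is only loaded at startup, so swapping the jar on a running node changes nothing until the restart either way). The directory tree built by demo_on_constructed_install is constructed for the example and is not a real installation.

```shell
#!/bin/sh
# Added example: check whether a Jira Server/Data Center node is in the
# affected range for JRASERVER-74420 and apply the jar-swap workaround.
# Not Atlassian tooling; paths follow the advisory, everything else is assumed.
set -eu

PLUGIN=atlassian-authentication-plugin
BUNDLED_REL=atlassian-jira/WEB-INF/atlassian-bundled-plugins  # relative to <Jira-installation-directory>
FIXED_MIN=4.2.11        # first plugin version containing the xmlsec fix
RECOMMENDED_MIN=4.2.12  # advisory recommends this or higher (also covers JRASERVER-73257)

# version_cmp A B -> prints -1, 0 or 1. Dotted numeric versions; a non-numeric
# suffix on a component (e.g. "12-SNAPSHOT") is ignored, missing components are 0.
version_cmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ "$a" = "$ai" ] && a= || a=${a#*.}
    [ "$b" = "$bi" ] && b= || b=${b#*.}
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
    ai=${ai:-0}; bi=${bi:-0}
    [ "$ai" -lt "$bi" ] && { printf '%s\n' -1; return 0; }
    [ "$ai" -gt "$bi" ] && { printf '%s\n' 1; return 0; }
  done
  printf '%s\n' 0
}
version_lt() { [ "$(version_cmp "$1" "$2")" -eq -1 ]; }
version_ge() { [ "$(version_cmp "$1" "$2")" -ne -1 ]; }

# jira_affected VERSION: 0 if the advisory lists it as affected, 1 otherwise.
# Ranges per the advisory: < 8.20.13, or >= 8.21.0 and < 9.0.0
# (the 8.13.x bug-fix releases fall inside the first range).
jira_affected() {
  v="$1"
  version_lt "$v" 8.20.13 && return 0
  version_ge "$v" 8.21.0 && version_lt "$v" 9.0.0 && return 0
  return 1
}

# plugin_jar_version PATH -> version embedded in the jar file name.
plugin_jar_version() {
  f=$(basename "$1")
  f=${f#"$PLUGIN"-}
  printf '%s\n' "${f%.jar}"
}

# plugin_status PATH -> vulnerable | fixed-but-upgrade-recommended | ok
plugin_status() {
  v=$(plugin_jar_version "$1")
  if version_lt "$v" "$FIXED_MIN"; then printf '%s\n' vulnerable
  elif version_lt "$v" "$RECOMMENDED_MIN"; then printf '%s\n' fixed-but-upgrade-recommended
  else printf '%s\n' ok
  fi
}

# find_bundled_plugin INSTALL_DIR -> path of the bundled plugin jar (step 1).
find_bundled_plugin() {
  for jar in "$1/$BUNDLED_REL/$PLUGIN"-*.jar; do
    [ -e "$jar" ] && { printf '%s\n' "$jar"; return 0; }
  done
  return 1
}

# apply_workaround INSTALL_DIR LOCAL_HOME NEW_JAR BACKUP_DIR
# Steps 2, 4 and 6 of the advisory. Jira must already be stopped (step 5); the
# operator downloads NEW_JAR beforehand (step 3) and starts Jira afterwards (step 7).
apply_workaround() {
  install_dir="$1"; local_home="$2"; new_jar="$3"; backup_dir="$4"
  [ "$(plugin_status "$new_jar")" = ok ] || { echo "refusing: $new_jar is below $RECOMMENDED_MIN" >&2; return 1; }
  bundled="$install_dir/$BUNDLED_REL"
  for existing in "$bundled/$PLUGIN"-*.jar; do   # step 2: back up outside the install dir
    [ -e "$existing" ] && mv "$existing" "$backup_dir/"
  done
  cp "$new_jar" "$bundled/"                      # step 4
  rm -rf "$local_home/plugins/.bundled-plugins" \
         "$local_home/plugins/.osgi-plugins"     # step 6: clear the OSGi caches
}

# demo_on_constructed_install: exercise the above on a throwaway directory tree
# (constructed for this example; not a real Jira install). Returns 0 on success.
demo_on_constructed_install() {
  root=$(mktemp -d)
  install="$root/jira-install"; home_dir="$root/jira-home"; backup="$root/backup"
  mkdir -p "$install/$BUNDLED_REL" "$home_dir/plugins/.bundled-plugins" \
           "$home_dir/plugins/.osgi-plugins" "$backup"
  : > "$install/$BUNDLED_REL/$PLUGIN-4.2.9.jar"   # stand-in for the shipped jar
  : > "$root/$PLUGIN-4.2.12.jar"                  # stand-in for the Marketplace download
  jira_affected 8.20.12 || return 1               # operator-supplied Jira version
  [ "$(plugin_status "$(find_bundled_plugin "$install")")" = vulnerable ] || return 1
  apply_workaround "$install" "$home_dir" "$root/$PLUGIN-4.2.12.jar" "$backup"
  [ "$(plugin_status "$(find_bundled_plugin "$install")")" = ok ] || return 1
  [ -e "$backup/$PLUGIN-4.2.9.jar" ] || return 1
  [ ! -e "$home_dir/plugins/.bundled-plugins" ] || return 1
  [ ! -e "$home_dir/plugins/.osgi-plugins" ] || return 1
  rm -rf "$root"
}

demo_on_constructed_install && echo "workaround applied on the constructed layout"
```

On a real node, run find_bundled_plugin and plugin_status first to confirm the shipped jar really is below 4.2.11 before touching anything, and repeat the whole sequence on every node of a Data Center cluster, as the advisory says; the version comparison deliberately avoids sort -V so it behaves the same on GNU and BSD userlands.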

Affected configurations

Vendor      Product            Range
atlassian   jira_data_center   ≤ 8.22.4
  OR
atlassian   jira_data_center   ≤ 8.20.12
  OR
atlassian   jira_data_center   < 9.0.0
  OR
atlassian   jira_data_center   < 8.20.13

CPE: cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
