Atlassian | security-metrics-bot | JSWSERVER-24756

RCE (Remote Code Execution) in - CVE-2022-1471

2023-10-08 08:44:33
security-metrics-bot
jira.atlassian.com
Tags: remote code execution, atlassian data center, atlassian server, snakeyaml library, java, vulnerability, jira core, jira software, automation for jira, a4j marketplace, cve-2022-1471, deserialization flaw, patch, mitigation, upgrade, support

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 9.8 High (Confidence: High)
EPSS: 0.008 Low (Percentile: 81.8%)

h2. Summary of Vulnerability

Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).

(i) Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue.
h2. Affected Versions

||Product||Affected Versions||
|Jira Core Data Center and Server
Jira Software Data Center and Server| * 9.4.0
 * 9.4.1
 * 9.4.2
 * 9.4.3
 * 9.4.4
 * 9.4.5
 * 9.4.6
 * 9.4.7
 * 9.4.8
 * 9.4.9
 * 9.4.10
 * 9.4.11
 * 9.4.12
 * 9.5.x
 * 9.6.x
 * 9.7.x
 * 9.8.x
 * 9.9.x
 * 9.10.x
 * 9.11.0
 * 9.11.1|
|Automation for Jira (A4J) Marketplace App| * 9.0.1
 * 9.0.0
 * <= 8.2.2|

h2. Fixed Versions

||Product||Fixed Versions||
|Jira Software Data Center and Server
Jira Core Data Center and Server|Patch to the following fixed versions or later
 * 9.11.2
 * 9.12.0
 * 9.4.14

Mitigation(s):
If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).

(!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [Jira 9.11+|https://confluence.atlassian.com/jirasoftware/jira-software-9-11-x-release-notes-1272283668.html#JiraSoftware9.11.xreleasenotes-jira-allowlist])|
|Automation for Jira (A4J) Marketplace App|Patch to the following fixed versions or later
 * 9.0.2
 * 8.2.4

Upgrade via the Universal Plugin Manager (UPM).

(!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.|

For full descriptions of the above versions of Jira Data Center and Server, see the [release notes|https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html]. You can download the latest version of Jira Data Center and Server from the [download center|https://www.atlassian.com/software/jira/download-archives].

For additional details, please see the [full advisory|https://confluence.atlassian.com/pages/viewpage.action?pageId=1296171009].
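The affected and fixed version tables above, together with the A4J mitigation statement, encoded as a version check an administrator can run against an inventory. This is an added example and not code from the Atlassian advisory or the Vulners record: the version lists are copied from the tables, while the input version strings and the status labels "affected", "fixed", "not listed" and "mitigated via A4J" are this example's own.

```python
"""Check an installed Jira / A4J version against the JSWSERVER-24756 tables.

Added example, not code from the Atlassian advisory. The version lists are
taken from the Affected Versions and Fixed Versions tables; the status labels
and the inputs are constructed for this example.
"""
from __future__ import annotations

from typing import Callable, Iterable, Tuple

Version = Tuple[int, int, int]

# Jira Core / Jira Software Data Center and Server, from the Affected Versions table.
JIRA_AFFECTED_EXACT = {
    "9.4.0", "9.4.1", "9.4.2", "9.4.3", "9.4.4", "9.4.5", "9.4.6",
    "9.4.7", "9.4.8", "9.4.9", "9.4.10", "9.4.11", "9.4.12",
    "9.11.0", "9.11.1",
}
JIRA_AFFECTED_LINES = {(9, 5), (9, 6), (9, 7), (9, 8), (9, 9), (9, 10)}  # 9.5.x .. 9.10.x
JIRA_FIXED = ("9.4.14", "9.11.2", "9.12.0")  # "or later"

# Automation for Jira (A4J) Marketplace app.
A4J_AFFECTED_EXACT = {"9.0.0", "9.0.1"}
A4J_AFFECTED_MAX = "8.2.2"  # table entry "<= 8.2.2"
A4J_FIXED = ("8.2.4", "9.0.2")  # "or later"


def parse_version(s: str) -> Version:
    """Turn "9.4.13" into (9, 4, 13); missing components are treated as 0."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {s!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_fixed(version: str, fixed: Iterable[str]) -> bool:
    """True if version is at or above the highest fixed version, or at or above
    the fixed version of its own major.minor line (e.g. 9.4.15 for the 9.4 line)."""
    v = parse_version(version)
    fixed_versions = sorted(parse_version(f) for f in fixed)
    if v >= fixed_versions[-1]:
        return True
    return any(v[:2] == f[:2] and v >= f for f in fixed_versions)


def jira_is_affected(version: str) -> bool:
    v = parse_version(version)
    return ".".join(map(str, v)) in JIRA_AFFECTED_EXACT or v[:2] in JIRA_AFFECTED_LINES


def a4j_is_affected(version: str) -> bool:
    v = parse_version(version)
    return ".".join(map(str, v)) in A4J_AFFECTED_EXACT or v <= parse_version(A4J_AFFECTED_MAX)


def _status(version: str, affected: Callable[[str], bool], fixed: Iterable[str]) -> str:
    if affected(version):
        return "affected"
    if is_fixed(version, fixed):
        return "fixed"
    # Neither table mentions it (Jira 9.4.13, for instance, sits between the
    # listed 9.4.12 and the fixed 9.4.14): report that rather than guessing.
    return "not listed"


def jira_status(version: str) -> str:
    return _status(version, jira_is_affected, JIRA_FIXED)


def a4j_status(version: str) -> str:
    return _status(version, a4j_is_affected, A4J_FIXED)


def overall_status(jira_version: str, a4j_version: str) -> str:
    """Combine both checks: per the advisory, an affected Jira instance is fully
    mitigated once the A4J app itself is on a fixed version."""
    jira = jira_status(jira_version)
    if jira == "affected" and a4j_status(a4j_version) == "fixed":
        return "mitigated via A4J"
    return jira


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for jira_v, a4j_v in [("9.4.12", "8.2.2"), ("9.5.3", "9.0.2"), ("9.12.0", "8.0.0")]:
        print(f"Jira {jira_v} / A4J {a4j_v}: {overall_status(jira_v, a4j_v)}")
```

`is_fixed` treats "or later" per release line, so 9.4.15 counts as fixed through 9.4.14 while 9.5.x, which has no fixed release of its own, is only fixed by moving to 9.11.2 or 9.12.0.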

h4. Support

Comments on this ticket are not monitored. If you have questions or concerns regarding this advisory, please raise a support request at [https://support.atlassian.com/].

Affected configurations (Vulners node)

atlassian jira_software_data_center, any one of: 9.4.0, 9.5.0, 9.4.1, 9.6.0, 9.5.1, 9.4.2, 9.4.3, 9.7.0, 9.4.4, 9.8.0, 9.4.5, 9.9.0, 9.4.6, 9.4.7, 9.10.0, 9.4.8, 9.11.0, 9.4.9, 9.4.10, 9.11.1, 9.4.11, 9.10.2, 9.4.12, <9.12.0, <9.11.2, <9.4.14
