Urgent: High Security Vulnerability in Multiple Atlassian Products

On November 1st, 2021, Atlassian published an advisory for a new ‘High’ severity vulnerability affecting multiple Atlassian products. In the affected applications, special characters known as Unicode bidirectional override characters are not rendered or displayed. These characters are typically not shown by browsers or code editors, but they can change the meaning of source code when it is processed by a compiler or an interpreter.

Affected Versions

Bamboo Server and Data Center

  • All versions before 8.0.4

Bitbucket Server and Data Center

  • All versions before 6.10.14
  • All versions between 7.0.0 and 7.5.2 (inclusive)
  • All 7.6.x LTS versions before 7.6.10
  • All versions between 7.7.0 and 7.16.1 (inclusive)
  • All 7.17.x LTS versions before 7.17.1

Confluence Server and Data Center

  • All versions before 7.4.13
  • All versions between 7.5.0 and 7.12.5 (inclusive)
  • All 7.13.x LTS versions before 7.13.2
  • Version 7.14.0

Crucible

  • All versions before 4.8.8

Fisheye

  • All versions before 4.8.8

Jira Service Management Server and Data Center

  • All versions before 4.13.13
  • All versions between 4.14.0 and 4.19.1 (inclusive)
  • All 4.20.x LTS versions before 4.20.1

Insight Asset Management (Marketplace app for Jira Service Management)

  • All versions before 8.9.4

Jira Software Server and Data Center (including Jira Core)

  • All versions before 8.13.13
  • All versions between 8.14.0 and 8.19.1 (inclusive)
  • All 8.20.x LTS versions before 8.20.1

Fixed Versions

Bamboo Server and Data Center

  • 8.0.4

Bitbucket Server and Data Center

  • 6.10.14
  • 7.6.10
  • 7.17.1

Confluence Server and Data Center

  • 7.4.13
  • 7.13.2
  • 7.14.1

Crucible

  • 4.8.8

Fisheye

  • 4.8.8

Jira Service Management Server and Data Center

  • 4.13.13
  • 4.20.1

Insight Asset Management (Marketplace app for Jira Service Management)

  • 8.9.4

Jira Software Server and Data Center (including Jira Core)

  • 8.13.13
  • 8.20.1

CVE ID: CVE-2021-42574

Summary of Vulnerability

This advisory discloses a high severity security vulnerability which was introduced in multiple product versions, as enumerated under Affected Versions above.

Fix

Atlassian has taken the following steps to address this issue:

  1. Released Bamboo Server and Data Center version 8.0.4 that contains a fix for this issue.
  2. Released Bitbucket Server and Data Center versions 6.10.14, 7.6.10, and 7.17.1 that contain a fix for this issue.
  3. Released Confluence Server and Data Center versions 7.4.13, 7.13.2, and 7.14.1 that contain a fix for this issue.
  4. Released Crucible version 4.8.8 that contains a fix for this issue.
  5. Released Fisheye version 4.8.8 that contains a fix for this issue.
  6. Released Insight Asset Management marketplace app version 8.9.4 that contains a fix for this issue.
  7. Released Jira Service Management Server and Data Center versions 4.13.13 and 4.20.1 that contain a fix for this issue.
  8. Released Jira Software Server and Data Center versions 8.13.13 and 8.20.1 that contain a fix for this issue.

What you need to do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest versions, see the release notes for your product:

You can download the latest version of your product from the download center:

Upgrade to the version recommended below or higher.

Bamboo Server and Data Center

  • Upgrade to 8.0.4 or higher

Bitbucket Server and Data Center

  • Upgrade to 7.17.1 LTS or higher
  • If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions above.

Confluence Server and Data Center

  • Upgrade to 7.13.2 LTS or a higher 7.13.x version
  • If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions above.
  • If you’re running 7.14.0, upgrade to 7.14.1 or higher

Crucible

  • Upgrade to 4.8.8 or higher

Fisheye

  • Upgrade to 4.8.8 or higher

Insight Asset Management app

  • Upgrade the app to 8.9.4 or higher
  • This is only required if you’ve installed Insight Asset Management from the Marketplace.

Jira Software Server and Data Center (including Jira Core)

  • Upgrade to 8.20.1 LTS or higher
  • If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions above.

Jira Service Management Server and Data Center

  • Upgrade to 4.20.1 LTS or higher
  • If you’re unable to upgrade to the latest LTS version, upgrade to the most appropriate version listed under Fixed Versions above.

Mitigation

The fix involved updating a number of common places where code is displayed, such as in a pull request, code snippet, or code block, to highlight bidirectional characters. A tooltip prompts users to take some time to understand what the characters are doing, and how the code will be interpreted when executed.

Here’s an example of the message when viewing a Confluence Data Center page with a code block.
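As an added illustration of the behaviour described above (example code written for this page, not Atlassian’s fix), the following Python scans source text for the Unicode bidirectional controls behind CVE-2021-42574, flags lines where an override or embedding is opened but never closed, and renders the controls visibly in the way the patched code viewers do. The sample snippet is constructed for the example.

```python
import unicodedata

# Unicode bidirectional control characters at the heart of CVE-2021-42574
# ("Trojan Source"): embeddings/overrides, isolates, their terminators and marks.
BIDI_OPENERS = {"\u202A", "\u202B", "\u202D", "\u202E",   # LRE, RLE, LRO, RLO
                "\u2066", "\u2067", "\u2068"}             # LRI, RLI, FSI
BIDI_CLOSERS = {"\u202C", "\u2069"}                       # PDF, PDI
BIDI_MARKS = {"\u200E", "\u200F", "\u061C"}               # LRM, RLM, ALM
BIDI_CONTROLS = BIDI_OPENERS | BIDI_CLOSERS | BIDI_MARKS


def scan_bidi(source):
    """Return (line, column, 'U+XXXX', unicode name) for every bidi control found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "U+%04X" % ord(ch), unicodedata.name(ch)))
    return findings


def unterminated_lines(source):
    """Lines where an embedding/override/isolate is opened but never closed.
    The bidi algorithm resets at each line break, so a dangling opener
    reorders everything up to the end of the line: the classic Trojan Source shape."""
    bad = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        opened = sum(ch in BIDI_OPENERS for ch in line)
        closed = sum(ch in BIDI_CLOSERS for ch in line)
        if opened > closed:
            bad.append(lineno)
    return bad


def highlight_bidi(source):
    """Render bidi controls as visible escapes, as a hardened code viewer does,
    so the reader can see where displayed order may diverge from real order."""
    return "".join("<U+%04X>" % ord(ch) if ch in BIDI_CONTROLS else ch
                   for ch in source)


# Constructed sample (not from any real repository): a comment carrying an
# unterminated RIGHT-TO-LEFT OVERRIDE, which most editors do not display.
SAMPLE = ("if role == 'admin':\n"
          "    grant()  # \u202Eonly after the audit check\n"
          "deny()\n")
```

Run `scan_bidi`, `unterminated_lines` and `highlight_bidi` on `SAMPLE` to see the override reported at line 2, column 16, and rendered as `<U+202E>` in the highlighted output.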

NEED HELP WITH THIS?

Give us a call, or request help here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.