Security Advisory for Atlassian's Authentication bypass in Seraph - CVE-2022-0540
April 20, 2022
For Jira Server and Jira Data Center customers only
Summary of Vulnerability
The following note has been provided by Atlassian - For details, please refer to Jira Security Advisory 2022-04-20 to determine if you are affected, and how to protect affected installations.
Jira and Jira Service Management are vulnerable to an authentication bypass in its web authentication framework, Jira Seraph.
Although the vulnerability is in the core of Jira, it affects first and third party apps that specify
roles-required at the
webwork1 action namespace level and do not specify it at an
action level. For a specific action to be affected, the action will also need to not perform any other authentication or authorization checks.
A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration.
zAgileConnect add-ons for Jira Server and Data Center are affected by CVE-2022-0540. Note that zAgileConnect add-ons are not the cause for the vulnerability but are impacted by this Jira vulnerability.
You have two options:
1. Upgrade your Jira (Recommended)
Upgrade your Jira to a fixed version as described here -- Jira Security Advisory 2022-04-20
2. Or, Upgrade zAgileConnect Add-on in Jira
Upgrade the zAgileConnect Add-on in Jira to a version compatible with your package in Salesforce. Refer to the compatibility matrix here Installing Jira Add-on
For Jira Datacenter please contact zAgile Support for the download link.
Please note that you cannot upgrade to the latest Jira Add-on if it is not compatible with the zAgileConnect package installed in your Salesforce instance.
To check the version of the zAgileConnect Jira Add-on that is compatible with your Salesforce package, please refer to the compatiblity matrix Installing Jira Add-on