We contacted you to inform you of a security vulnerability typified by Atlassian as critical, detected in the JIRA Software, Jira Core and Jira Service Desk products and officially communicated by Atlassian just a few hours ago.
You can find the official communication of Atlassian in the following link (in English): Vulnerability Note 10 July 2019.
You can also follow the progress of the incident in the following link (in English): Incidence vulnerability 10 July 2019.
What products are affected?
JIRA Software, JIRA Core and JIRA Software Desk in Server and Data Center versions.
Which versions of these products are affected?
All versions of the product from 4.4.x to 8.2.x.
Some specific versions contain a fix that blocks this vulnerability. If you have any of the following versions, your installation will NOT be affected:
- Any 7.6.x version greater than or equal to 7.6.14. For example 7.6.14, 7.6.15, etc.
- Any 7.13.x version greater than or equal to 7.13.5. For example 7.13.5, 7.13.6, etc.
- Any version 8.0.x greater than or equal to 8.0.3. For example 8.0.3, 8.0.4, etc.
- Any version 8.1.x greater than or equal to 8.1.2. For example 8.1.2, 8.1.3, etc.
- Any 8.2.x version greater than or equal to 8.2.3. For example 8.2.3, 8.2.4, etc.
How to solve this vulnerability?
In case of being affected by this vulnerability, Atlassian exposes three ways to mitigate it:
- The response recommended by Atlassian to permanently mitigate this vulnerability is to update the product JIRA Software, JIRA Core and JIRA Software Desk to the latest version, this is 8.2.3 or greater.
- A second alternative to update is to apply the specific fix that fixes the vulnerability for each version of the application.
This option is available only if you have any of the following versions:
- For versions 7.6.x you must apply patch 7.6.14 (or upgrade to version 7.13.5 as recommended by Atlassian).
- For versions 7.13.x you must apply patch 7.13.5
- For versions 8.0.x you must apply patch 8.0.3
- For versions 8.1.x you must apply the 8.1.2 patch