Attention: Atlassian's Response to the OpenSSLv3 Vulnerability

On November 1, 2022, OpenSSL published a security advisory detailing high severity vulnerabilities in version 3.x of their library, also known as CVE-2022-3602 and CVE-2022-3786. Atlassian kicked off the incident management process to assess the impact of this vulnerability across the Atlassian products, platform and ecosystem.

Please follow the community post “Atlassian’s Response to the OpenSSLv3 Vulnerability” for updates on this issue.

Atlassian encourages all developers and Marketplace Partners to determine if they are using a vulnerable OpenSSL version (3.0.0-3.0.6) and to immediately upgrade to OpenSSL 3.0.7.

For further information on these OpenSSL vulnerabilities, please see this blog post: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows - OpenSSL Blog

If you have any questions or concerns, please reply to this thread or raise a support request at Developer Support Portal.

This advice is subject to change as new information comes to light.


Thanks for sharing this @SrivathsavGandrathi!

I got a question concerning this update:

Our team has determined that our Server and Data Center products are not packaged with OpenSSL, however, the Atlassian products do use the version that is present on the host system as a dependency.

Would it be possible to share more information about how Atlassian products can use the system’s library?
Are there JVM distributions using OpenSSL?

I’m asking because our Connect apps use OpenJDK Docker images, and so far my understanding was that the java binary does not link against the OpenSSL library (I checked with ldd).

Cheers,
Jens

Hi @jens ,

Our products link against the system library by default. If there are multiple versions of OpenSSL on the system, the loader configuration (for example /etc/ld.so.conf) can be modified to ensure the non-vulnerable version’s path is listed before the vulnerable version’s. We recommend checking the Docker image used for our products for vulnerable versions of the OpenSSL library. Please feel free to reach out on Atlassian’s response thread for other product-related concerns.

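As an added example (not Atlassian's code and not posted in this thread), a POSIX shell script for the two checks the replies above discuss: parsing `openssl version` output to flag the affected 3.0.0-3.0.6 range, and using ldd, as Jens did, to see whether a JVM's `java` binary links libssl/libcrypto. `scan_image` is an assumed helper name that needs docker on the host; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not Atlassian's code). Two checks from the thread above:
#  1. is the OpenSSL on a host/image in the affected 3.0.0-3.0.6 range?
#  2. does a binary such as the JVM's `java` actually link libssl/libcrypto?

# $1: the output of `openssl version`, e.g. "OpenSSL 3.0.5 5 Jul 2022".
# Returns 0 if affected (3.0.0 through 3.0.6), 1 if not, 2 if unparseable
# (LibreSSL or a missing CLI, which this simple check does not cover).
is_vulnerable_openssl() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
  if [ -z "$ver" ]; then return 2; fi
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$patch" = "$rest" ]; then patch=0; fi   # "3.0" -> patch level 0
  if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
    return 0
  fi
  return 1
}

# $1: path to an ELF binary. Returns 0 if ldd lists libssl or libcrypto among
# its shared-library dependencies (what Jens checked for the OpenJDK `java`).
links_openssl() {
  ldd "$1" 2>/dev/null | grep -Eq 'lib(ssl|crypto)\.so'
}

# $1: a container image name. Runs both checks inside the image (assumed
# helper; needs docker). The openssl CLI may be absent while libssl.so.3 is
# still installed, so a "no CLI" result is not a clean bill of health.
scan_image() {
  v=$(docker run --rm --entrypoint sh "$1" -c 'openssl version 2>/dev/null')
  if is_vulnerable_openssl "$v"; then
    echo "AFFECTED: $v (upgrade to 3.0.7)"
  elif [ -n "$v" ]; then
    echo "ok: $v"
  else
    echo "no openssl CLI in $1; check for libssl.so.3 under /usr/lib manually"
  fi
  if docker run --rm --entrypoint sh "$1" -c 'ldd "$(command -v java)" 2>/dev/null' \
       | grep -Eq 'lib(ssl|crypto)\.so'; then
    echo "java in $1 links OpenSSL"
  else
    echo "java in $1 does not link OpenSSL"
  fi
}
```

Run `scan_image <image>` against each image your apps ship with; a `java` that does not link OpenSSL is still only half the picture if other processes in the image (curl, python, the openssl CLI) use the system library.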