On November 1, 2022, OpenSSL published a security advisory detailing high severity vulnerabilities in version 3.x of their library, also known as CVE-2022-3602 and CVE-2022-3786. Atlassian kicked off the incident management process to assess the impact of this vulnerability across the Atlassian products, platform and ecosystem.
Atlassian encourages all developers and Marketplace Partners to determine if they are using a vulnerable OpenSSL version (3.0.0-3.0.6) and to immediately upgrade to OpenSSL 3.0.7.
Our team has determined that our Server and Data Center products are not packaged with OpenSSL, however, the Atlassian products do use the version that is present on the host system as a dependency.
Would it be possible to share more information about how Atlassian products can use the system’s library?
Are there JVM distributions using Openssl?
I’m asking because our connect apps use OpenJDK docker images and so far my understanding was that the java binary does not link against the Openssl library (I checked with ldd).
Our products link against the system library by default. If there are multiple versions of OpenSSL on the system, the loader configuration (for example, /etc/ld.so.conf) can be modified to ensure the non-vulnerable version's path is listed before the vulnerable version. We recommend checking the docker image used for our products for vulnerable versions of the OpenSSL library. Please feel free to reach out on Atlassian's response thread for other product related concerns.
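The checks discussed in this thread, written out as an added example (this is not code from Atlassian or from the original posters): a POSIX sh script that classifies an `openssl version` banner against the 3.0.0-3.0.6 range from the advisory above, lists every libcrypto.so.3 the dynamic loader would consider (in the order `ldconfig` reports, which reflects /etc/ld.so.conf), and runs the `ldd` check on the `java` binary that the question mentions. The function names `openssl_status` and `audit_host` are hypothetical; the script assumes that libcrypto.so.3 embeds its "OpenSSL 3.0.x <date>" version text as a plain string, and that `ldconfig`, `ldd` and `grep -a` are available, which holds on common glibc-based images.

```sh
#!/bin/sh
# Added example, not Atlassian's code. Audit a host or container image for
# the OpenSSL 3.0.0-3.0.6 builds fixed in 3.0.7 (CVE-2022-3602 / CVE-2022-3786).

# openssl_status "OpenSSL 3.0.5 5 Jul 2022" (or a bare "3.0.5")
#   prints: affected | fixed | unaffected | unknown
#   returns 0 only when the version is in the affected range, so it can be
#   used directly in an `if`.
openssl_status() {
    # Strip an optional "OpenSSL " prefix, keep "major minor patch", drop the rest
    # (dates, letter suffixes such as 1.1.1q, pre-release tags).
    triple=$(printf '%s\n' "$1" |
        sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9]\{1,\}\)\.\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\2 \3 \4/p')
    [ -n "$triple" ] || { echo unknown; return 2; }
    set -- $triple            # $1=major $2=minor $3=patch, compared numerically
    if [ "$1" -eq 3 ] && [ "$2" -eq 0 ]; then
        if [ "$3" -le 6 ]; then
            echo affected; return 0
        fi
        echo fixed; return 1  # 3.0.7 and later 3.0.x (numeric compare, so 3.0.10 is fixed)
    fi
    echo unaffected; return 1 # 1.1.1, 3.1 and later never shipped the bug
}

# audit_host: print what the loader, the libraries and the JVM actually use.
audit_host() {
    # 1. The build the CLI (and anything using the default search path) resolves to.
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version)
        printf 'openssl CLI : %s -> %s\n' "$banner" "$(openssl_status "$banner")"
    fi

    # 2. Every libcrypto.so.3 the loader knows about, in ld.so.conf order, plus the
    #    usual prefixes. The first entry ldconfig prints is the one that wins, which
    #    is what reordering /etc/ld.so.conf changes.
    for lib in $(ldconfig -p 2>/dev/null | awk '/libcrypto\.so\.3/ {print $NF}') \
               /usr/lib*/libcrypto.so.3 /usr/lib/*/libcrypto.so.3 /usr/local/lib*/libcrypto.so.3; do
        [ -f "$lib" ] || continue
        # Assumption: the library carries its version text as a plain string.
        v=$(grep -ao 'OpenSSL 3\.[0-9][0-9]*\.[0-9][0-9]*' "$lib" | head -n 1)
        printf '%-40s: %s -> %s\n' "$lib" "${v:-no version string}" "$(openssl_status "$v")"
    done

    # 3. Does the JVM itself link against OpenSSL? The question in the thread
    #    reports it does not (Java ships its own TLS stack); confirm with ldd.
    if command -v java >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
        if ldd "$(command -v java)" 2>/dev/null | grep -Eq 'libssl|libcrypto'; then
            echo 'java        : dynamically links libssl/libcrypto'
        else
            echo 'java        : no dynamic link to OpenSSL (check native add-ons separately)'
        fi
    fi
}

# Run the audit only when invoked with --audit, so the functions can be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh audit-openssl.sh --audit` on the host, or inside the image with `docker run --rm -v "$PWD/audit-openssl.sh:/audit.sh:ro" --entrypoint sh <image> /audit.sh --audit`. Note that step 3 only catches a direct dynamic link from the `java` launcher; a JNI library or a native helper bundled with an app can still load libcrypto.so.3 on its own, which is why step 2 inspects the libraries present rather than trusting the JVM's import table alone.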