A Critical Remote Code Execution vulnerability in Spring Framework has been discovered. As per Spring’s security advisory , this vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. CVE-2022-22965 has been published and will be used to track this specific bug. Vulnerab…

Are old plugins also affected? Doesn’t Confluence Server/Data Center use Spring?

How can we know which plugin owners have taken the required steps to update the spring version and which plugins are impacted ?

Hi @StephanMueller , Atlassian Connect Spring Boot ( ACSB ) is a framework used to develop Cloud apps and vulnerable version of ACSB does not affect our on-premise products. We are currently investigating Cloud apps on marketplace and we will reach out to respective partners for mitigation in case we …

Hi @aragot , FYI we have also published a public FAQ page - FAQ for CVE-2022-22965 | Atlassian Support | Atlassian Documentation for Atlassian products status on CVE-2022-22965. Please follow this page for any updates on our on-premises Server/Data Center products. Can you please clarify on what you …

About FAQ for CVE-2022-22965 | Atlassian Support | Atlassian Documentation . Are Marketplace apps vulnerable to CVE-2022-22965? Do “Marketplace apps” mean Cloud/Server/DC apps? or Cloud apps only?

Hi Srivathsav, The public FAQ page, section “Are Marketplace apps vulnerable to …”, only talks about Cloud plugins. It doesn’t tell whether P2 plugins are vulnerable. I understand that Confluence itself doesn’t seem vulnerable, but is there something to activate in P2 plugins to ensure we’re not vu…

@TakayukiHirota / @aragot apologies for any ambiguity, Server and Data Center apps are vulnerable only if they are using the vulnerable Spring frameworks mentioned in CVE-2022-22965 . Note that actual exploitation may depend on the impact requirements stated in Spring advisory . Atlassian is currently…

Hi @SrivathsavGandrathi , thank you for the clarification! We’ll watch AMS dashboard.

Hi @SrivathsavGandrathi I am currently facing this issue CompletableFuture and atlassian-connect-spring-boot v2.3.3 and Spring Boot v2.6.6 Please, can you help me to resolve this? Regards, Onuche