Atlassian / security-metrics-bot / JRASERVER-73580
History: Mar 15, 2022 - 7:56 p.m.

Vulnerable version of xmlsec used - CVE-2021-40690

Published: 2022-03-15 19:56:03
Reporter: security-metrics-bot
Source: jira.atlassian.com

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
  Percentile: 40.3%

Affected versions of Atlassian Jira Server and Data Center used versions of xmlsec that were vulnerable to CVE-2021-40690.

Affected versions:

  • version < 8.22.2

Workaround:

  • version < 8.22.2
    LTS versions 8.13 and versions up to 8.20.14 should also apply this workaround. This is permanently fixed in 8.20.15.

    {panel:title=1. Delete xmlsec library}
    While this should not have any side effect on Jira itself, it may cause problems with 3rd party libraries or plugins.

Workaround steps:

  1. Navigate to the Jira installation directory

  2. Navigate to subdirectory {{atlassian-jira/WEB-INF/lib}}

  3. Locate file {{xmlsec-1.5.6.jar}}

  4. Remove file {{xmlsec-1.5.6.jar}}

  5. Restart node
    Follow these steps for each node in the Jira cluster.
    {panel}

    {panel:title=2. How to know if a plugin is using the xmlsec dependency}
    The nature of plugins allows them to use any library they want. The method described here is not 100% reliable, since there are multiple tools and ways of including a library, but it should cover the most common cases.

  1. Unpack the plugin jar/obr

  2. Look for file {{xmlsec-1.5.X.jar}} or {{xmlsec.jar}} (where X is any number) in the unpacked directory and its subdirectories. If found, the plugin is using the vulnerable library

  3. Look for file {{META-INF/MANIFEST.MF}} in the unpacked directory

  4. Open it and search for the string {{org.apache.xml.security}}. If found, the plugin is using the vulnerable library

  5. Look for file {{pom.xml}} in the unpacked directory and its subdirectories. If found, open it and look for a {{<dependency>}} element which contains the elements {{<artifactId>xmlsec</artifactId>}} and {{<version>X.Y.Z</version>}}, where {{X.Y.Z}} is any version described as vulnerable by CVE-2021-40690. If found, the plugin is using the vulnerable library.
    {panel}
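The plugin check in panel 2 can be automated. The following Python scanner is an added example, not part of the Jira issue or of Atlassian's tooling: it opens a plugin jar/obr in memory, applies the three indicators above (bundled xmlsec jar, org.apache.xml.security in MANIFEST.MF, xmlsec dependency in pom.xml), and recurses into jars wrapped by an obr. The sample plugin archive is constructed inline; the version found in pom.xml is reported rather than judged, because the vulnerable range is the one given for CVE-2021-40690.

```python
import io
import re
import zipfile

# Indicators from the workaround above: a bundled xmlsec jar, the string
# org.apache.xml.security in MANIFEST.MF, or a pom.xml declaring xmlsec.
XMLSEC_JAR = re.compile(r"(^|/)xmlsec(-1\.5\.\d+)?\.jar$")
POM_DEP = re.compile(r"<artifactId>\s*xmlsec\s*</artifactId>\s*<version>([^<]+)</version>")
MANIFEST_MARKER = b"org.apache.xml.security"

def scan_plugin_bytes(data: bytes, prefix: str = "") -> list:
    """Return findings for a plugin jar/obr; nested jars are scanned recursively."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if XMLSEC_JAR.search(name):
                findings.append(f"{prefix}{name}: bundled xmlsec jar")
            elif name == "META-INF/MANIFEST.MF":
                # join manifest continuation lines (72-byte wrapping) before searching
                text = zf.read(name).replace(b"\r", b"").replace(b"\n ", b"")
                if MANIFEST_MARKER in text:
                    findings.append(f"{prefix}{name}: references org.apache.xml.security")
            elif name.endswith("pom.xml"):
                m = POM_DEP.search(zf.read(name).decode("utf-8", "replace"))
                if m:  # report the version so it can be checked against CVE-2021-40690
                    findings.append(f"{prefix}{name}: xmlsec dependency version {m.group(1)}")
            elif name.endswith((".jar", ".obr")):  # an .obr wraps plugin jars
                try:
                    findings += scan_plugin_bytes(zf.read(name), f"{prefix}{name}!/")
                except zipfile.BadZipFile:
                    pass  # entry is not actually a zip archive; skip it
    return findings

def scan_plugin_file(path: str) -> list:
    """Scan a plugin archive on disk (path chosen by the caller)."""
    with open(path, "rb") as fh:
        return scan_plugin_bytes(fh.read())

def build_sample_plugin(with_xmlsec: bool = True) -> bytes:
    """Constructed sample plugin jar (not a real plugin) used to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Import-Package: org.apache.xml.\n security\n"
                    if with_xmlsec else "Bundle-SymbolicName: example.plugin\n")
        if with_xmlsec:
            zf.writestr("META-INF/maven/example/plugin/pom.xml",
                        "<dependency><groupId>org.apache.santuario</groupId>"
                        "<artifactId>xmlsec</artifactId><version>1.5.6</version></dependency>")
            zf.writestr("META-INF/lib/xmlsec-1.5.6.jar", b"placeholder, not a real jar")
    return buf.getvalue()
```

Run scan_plugin_file() against each jar/obr installed in the instance; an empty list means none of the three indicators was found, which, as the panel notes, does not rule out other ways of bundling the library.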
