9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.972 High
EPSS
Percentile
99.8%
h3. BUG RE-OPENED
Jira Service Management 5.4.3 ( which was supposed to be fixed at 9.4.3 / 5.4.3 ) is still generating files with common text library of 1.6 version in the /plugins/.osgi-plugins folder. Even after deleting these files, they keep generating them back again in the next restart. Due to this, Security Scans are still detecting vulnerability for {}CVE-2022-42889{}.
{code:java}
find /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/ -iname commons-text-1.6.jar -exec ls -l {} ;
rw-rr-. 1 jira jira 197176 Mar 21 17:01 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle187/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
rw-rr-. 1 jira jira 197176 Mar 21 17:02 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle197/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
rw-rr-. 1 jira jira 197176 Mar 21 17:02 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle204/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
rw-rr-. 1 jira jira 197176 Mar 21 17:02 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle205/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
rw-rr-. 1 jira jira 197176 Mar 21 17:01 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle206/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar{code}
It has been identified by our Developers at [https://asecurityteam.atlassian.net/browse/VULN-1020573] that there are still 5 JAR files from Jira Service Management that needs to be fixed that is generating these common text library of 1.6 version above.
{code:java}
JIRA_HOME/plugins/installed-plugins/servicedesk-reports-plugin-5.4.3-REL-0001.jar
JIRA_HOME/plugins/installed-plugins/jira-servicedesk-application-5.4.3.jar
JIRA_HOME/plugins/installed-plugins/servicedesk-variable-substitution-plugin-5.4.3-REL-0001.jar
JIRA_HOME/plugins/installed-plugins/servicedesk-search-plugin-5.4.3-REL-0001.jar
JIRA_HOME/plugins/installed-plugins/servicedesk-notifications-plugin-5.4.3-REL-0001.jar
JIRA_HOME/plugins/installed-plugins/servicedesk-reports-plugin-5.4.3-REL-0001.jar{code}
h3. --------------------------------------------------------------------------------
h3. DISCLAIMER
{panel:bgColor=#e3fcef}
(!) Jira {}IS NOT VULNERABLE to [CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889]{}.
This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.
Jira does not use the vulnerable module {{org.apache.commons.text.StringSubstitutor}}
{panel}
h3. Issue Summary
Apache Common Text library should be upgraded to 1.10.0 or later to mitigate any exploiting attempts listed on [CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889]
This is reproducible on Data Center: yes
h3. Steps to Reproduce
Check org.apache.commons -> commons-text version on {{pom.xml}}
h3. Expected Results
apache-common-text 1.10.0+ is expected
h3. Actual Results
apache-common-text 1.9 (or earlier) is used
h3. Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available
CPE | Name | Operator | Version |
---|---|---|---|
jira data center | le | 9.0.0 | |
jira data center | le | 8.20.11 | |
jira data center | le | 9.2.0 | |
jira data center | le | 8.22.6 | |
jira data center | lt | 9.6.0 | |
jira data center | lt | 9.4.3 |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.972 High
EPSS
Percentile
99.8%