CVE-2024-3094 xz/liblzma

Giampiero Celluprica
Contributor
April 4, 2024

Are Jira Cloud products affected by CVE-2024-3094 (xz/liblzma), described at the following links?

Description:

  • XZ Utils is a collection of open-source tools and libraries for the XZ compression format, present in major Linux distributions. Stable versions of most Linux distributions were not affected.
  • On Friday 29 March a Microsoft software engineer discovered a backdoor in xz/liblzma versions 5.6.0 and 5.6.1.
  • The sophisticated malicious payload that came with the affected versions of XZ Utils ran in the same process as the OpenSSH server (SSHD) and modified decryption routines in the OpenSSH server in order to allow specific remote attackers to send arbitrary payloads through SSH, which would be executed before the authentication step, effectively hijacking the entire victim machine.
  • CISA recommends that developers and users downgrade XZ Utils to an uncompromised version such as XZ Utils 5.4.6 Stable (CISA - Remediation).
  • You can download and execute the cve-2024-3094-detector.sh script to verify whether you are vulnerable (Script for vulnerability detection).
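The check the question points at (compare the installed xz/liblzma version against the two backdoored releases, and downgrade to 5.4.6 if it matches), written out as an added example. This is not the cve-2024-3094-detector.sh script referenced above and not Atlassian code; the `xz --version` outputs embedded in it are constructed samples, and the local-host part assumes a Linux host with `ldd` available.

```shell
#!/bin/sh
# Added example, not the cve-2024-3094-detector.sh script the question links
# to and not Atlassian code: classify an xz/liblzma version against the two
# backdoored releases named in the thread, then (optionally) look at this host.

# Releases the thread identifies as carrying the CVE-2024-3094 backdoor.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# xz_version_affected VERSION
#   exit 0 if VERSION is one of the backdoored releases, 1 otherwise.
#   Pure string comparison, so it works without xz installed.
xz_version_affected() {
    for v in $AFFECTED_VERSIONS; do
        if [ "$1" = "$v" ]; then
            return 0
        fi
    done
    return 1
}

# parse_xz_version "OUTPUT"
#   Extract the version from the text `xz --version` prints, which looks like
#       xz (XZ Utils) 5.6.1
#       liblzma 5.6.1
#   The liblzma line is preferred: the backdoor lives in the library that
#   sshd ends up loading, not in the xz command-line tool itself.
#   Falls back to the xz line if the liblzma line is missing.
parse_xz_version() {
    printf '%s\n' "$1" | awk '
        /^liblzma / { print $2; found = 1; exit }
        /^xz \(XZ Utils\) / { fallback = $NF }
        END { if (!found && fallback != "") print fallback }'
}

# classify_xz_output "OUTPUT"
#   Print "AFFECTED <version>", "OK <version>", or "UNKNOWN" when no version
#   could be parsed (e.g. xz is not installed or printed something unexpected).
classify_xz_output() {
    ver=$(parse_xz_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif xz_version_affected "$ver"; then
        echo "AFFECTED $ver"
    else
        echo "OK $ver"
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_GOOD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

echo "sample 1: $(classify_xz_output "$SAMPLE_BAD")"   # AFFECTED 5.6.1
echo "sample 2: $(classify_xz_output "$SAMPLE_GOOD")"  # OK 5.4.6

# Local host check. Assumes a Linux host where `ldd` is available; the ldd
# step only reports whether sshd links liblzma at all, which is the
# precondition for the backdoor to reach the sshd process.
if command -v xz >/dev/null 2>&1; then
    echo "this host: $(classify_xz_output "$(xz --version 2>/dev/null)")"
else
    echo "this host: xz not installed"
fi
SSHD_PATH=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
if [ -x "$SSHD_PATH" ] && command -v ldd >/dev/null 2>&1; then
    if ldd "$SSHD_PATH" 2>/dev/null | grep -q liblzma; then
        echo "sshd ($SSHD_PATH) links liblzma: the version check above applies to it"
    else
        echo "sshd ($SSHD_PATH) does not link liblzma"
    fi
fi
```

An "AFFECTED" result is the case in which the CISA guidance quoted above applies: downgrade to 5.4.6 (or whatever clean build the distribution ships). On a real host you may prefer to feed the classification functions the package manager's record (`dpkg -s xz-utils` or `rpm -q xz`) instead of running the xz binary; they accept any version string.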

1 answer

0 votes
Robert Wen_Cprime_
Community Champion
April 4, 2024

Cloud products generally are not affected because, as a SaaS product, Atlassian takes care of the fixes when a CVE emerges.

Giampiero Celluprica
Contributor
April 4, 2024

Hi Robert,

Thanks for your answer. However, if I have understood correctly, Atlassian releases a Security Bulletin (https://www.atlassian.com/trust/security/advisories) on the third Tuesday of every month, so we need to wait until 16 April to know whether a patch has been applied (in case it was needed).

Due to the criticality of this vulnerability I would have expected an official communication from Atlassian in a short time to let customers know that their products were not affected or that the vulnerability was promptly fixed...

MattD
Contributor
April 4, 2024

"Stable versions of most Linux distributions were not affected."

I'd be very surprised if Atlassian had updated the OS in their Cloud hosts recently enough to run into this problem. 

But yes, it would be helpful to have an official communication from Atlassian that says "no worries, mates!"


DEPLOYMENT TYPE: CLOUD
PRODUCT PLAN: STANDARD
PERMISSIONS LEVEL: Product Admin