
CVE-2024-3094 xz/liblzma

Giampiero Celluprica
Contributor
April 4, 2024

Are Jira Cloud products affected by CVE-2024-3094 xz/liblzma described at the following links?
Description:

  • XZ Utils is a collection of open-source tools and libraries for the XZ compression format present in major Linux distributions. Stable versions of most Linux distributions were not affected.
  • On Friday 29th March a Microsoft software engineer discovered a backdoor in xz/liblzma versions 5.6.0 and 5.6.1.
  • The sophisticated malicious payload that came with the affected versions of XZ Utils ran in the same process as the OpenSSH server (SSHD) and modified decryption routines in the OpenSSH server in order to allow specific remote attackers to send arbitrary payloads through SSH, which would be executed before the authentication step, effectively hijacking the entire victim machine.
  • CISA recommends that developers and users downgrade XZ Utils to an uncompromised version such as XZ Utils 5.4.6 Stable (CISA - Remediation).
  • You could download and execute the cve-2024-3094-detector.sh script to verify whether you are vulnerable to it (Script for vulnerability detection).
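Added example (not the detector script the post links to, and not Atlassian code): a POSIX sh triage check that classifies the locally installed xz and liblzma versions against the two backdoored releases the description names. It assumes the upstream `xz --version` output format (one line for the xz tool, one for liblzma); a version match is quick inventory triage, not proof that the payload is present or absent, so it complements the linked detector and the distribution's advisory rather than replacing them.

```shell
#!/bin/sh
# Added example (not the detector script linked in the post): triage the
# xz/liblzma version on a host against the backdoored releases named above.
# Assumes upstream XZ Utils output: `xz --version` prints a line
# "xz (XZ Utils) X.Y.Z" followed by a line "liblzma X.Y.Z".

# Classify one version string. The post names 5.6.0 and 5.6.1 as backdoored
# and 5.4.6 as the CISA-recommended downgrade target.
xz_version_status() {
    case "$1" in
        5.6.0|5.6.1) echo "AFFECTED" ;;
        *)           echo "OK" ;;
    esac
}

# Pull "X.Y.Z" out of one line of `xz --version` output; prints nothing
# when the line carries no version number.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Report each component in the given `xz --version` text as
# "<component> <version> <status>". Returns 1 if any component is AFFECTED,
# so the function can gate a CI step or a host-inventory sweep.
report_xz_versions() {
    rc=0
    old_ifs=$IFS
    IFS='
'
    for line in $1; do
        IFS=$old_ifs
        ver=$(extract_version "$line")
        [ -n "$ver" ] || continue
        component=${line%% *}          # first word: "xz" or "liblzma"
        status=$(xz_version_status "$ver")
        echo "$component $ver $status"
        if [ "$status" = "AFFECTED" ]; then rc=1; fi
    done
    IFS=$old_ifs
    return $rc
}

# Check the xz actually installed on this host; reports if xz is absent.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 0; }
    report_xz_versions "$(xz --version 2>/dev/null)"
}

check_installed_xz
```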

1 answer

0 votes
Robert Wen_Cprime_
Community Leader
April 4, 2024

Cloud products generally are not affected because, as a SaaS product, Atlassian takes care of the fixes when a CVE emerges.

Giampiero Celluprica
Contributor
April 4, 2024

Hi Robert,

Thanks for your answer. However, if I have understood correctly, Atlassian releases a Security Bulletin (https://www.atlassian.com/trust/security/advisories) on the third Tuesday of every month, so we need to wait until 16th April to know whether a patch has been applied (in case it was needed).

Due to the criticality of this vulnerability, I would have expected an official communication from Atlassian in short order to let customers know that their products were not affected or that the vulnerability was promptly fixed...

MattD
Contributor
April 4, 2024

"Stable versions of most Linux distributions were not affected."

I'd be very surprised if Atlassian had updated the OS in their Cloud hosts recently enough to run into this problem. 

But yes, it would be helpful to have an official communication from Atlassian that says "no worries, mates!"
