Atlassian JIRA: CVE-2022-1471: RCE (Remote Code Execution) in - CVE-2022-1471

Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).
 
:info: Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Affected Versions
|Product|Affected Versions|
|Jira Core Data Center and Server
Jira Software Data Center and Server|* 9.4.0
* 9.4.1
* 9.4.2
* 9.4.3
* 9.4.4
* 9.4.5
* 9.4.6
* 9.4.7
* 9.4.8
* 9.4.9
* 9.4.10
* 9.4.11
* 9.4.12
* 9.5.x
* 9.6.x
* 9.7.x
* 9.8.x
* 9.9.x
* 9.10.x
* 9.11.0
* 9.11.1
|
|Automation for Jira (A4J) Marketplace App|* 9.0.1
* 9.0.0
* less than equal to 8.2.2
|

Fixed Versions
 
|Product|Fixed Versions|
|Jira Software Data Center and Server
Jira Core Data Center and Server|Patch to the following fixed versions or later
9.11.2
9.12.0
9.4.14
 
Mitigation(s):
If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).
 
:warning: See breaking changes in A4J 9.0+ for more info (also bundled with Jira 9.11+)|
|Automation for Jira (A4J) Marketplace App|Patch to the following fixed versions or later
9.0.2
8.2.4
 
Upgrade via the Universal Plugin Manager (UPM).
 
:warning: See breaking changes in A4J 9.0+ for more info.|

For full descriptions of the above versions of Jira Data Center and Server, see the release notes. You can download the latest version of Jira Data Center and Server from the download center.
 
For additional details, please see the full advisory.
Support
Comments on this ticket are not monitored. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.