We are continuing to monitor for any further issues.
Posted Apr 22, 2022 - 10:01 NZST
Monitoring
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0. https://nvd.nist.gov/vuln/detail/CVE-2022-0540
1) Our EasySSO is not affected: we do not use the particular Seraph checks anywhere.
2) However, other apps, for example, use these checks as the only protection for their UI components/screens. It's the implementation of these checks that is broken in Seraph.
3) We recommend upgrading to Jira 8.20.6 if possible to avoid related issues.
4) Do not upgrade to Jira v8.22.2, as EasySSO for Jira is disabled on this version at the moment; the current status of this issue can be found here: https://status.techtime.co.nz/incidents/17f514tmgk5s
Posted Apr 22, 2022 - 10:00 NZST
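An added helper, not part of this status update or of EasySSO, that encodes the affected version ranges quoted above for CVE-2022-0540 so an administrator can test the version an instance reports; the product keys "jira"/"jsm", the function names and the sample versions are my own assumptions.

```python
"""Check a Jira / Jira Service Management version against the affected
ranges listed in the advisory text for CVE-2022-0540."""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive or None, upper bound exclusive), from the advisory
AFFECTED = {
    "jira": [
        (None, (8, 13, 18)),         # before 8.13.18
        ((8, 14, 0), (8, 20, 6)),    # 8.14.0 and later, before 8.20.6
        ((8, 21, 0), (8, 22, 0)),    # 8.21.0 and later, before 8.22.0
    ],
    "jsm": [
        (None, (4, 13, 18)),         # before 4.13.18
        ((4, 14, 0), (4, 20, 6)),    # 4.14.0 and later, before 4.20.6
        ((4, 21, 0), (4, 22, 0)),    # 4.21.0 and later, before 4.22.0
    ],
}

# Version the status update says to avoid: EasySSO is disabled there
EASYSSO_DISABLED = {"jira": {(8, 22, 2)}}


def parse_version(text: str) -> Version:
    """Turn '8.20.6' into (8, 20, 6); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(product: str, version: str) -> bool:
    """True if the version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    for lower, upper in AFFECTED[product]:
        if (lower is None or lower <= v) and v < upper:
            return True
    return False


def assess(product: str, version: str) -> str:
    """Summarise what the advisory and status update say about a version."""
    v = parse_version(version)
    if is_affected(product, version):
        return "affected by CVE-2022-0540: upgrade to a fixed release"
    if v in EASYSSO_DISABLED.get(product, set()):
        return "not affected, but EasySSO is disabled on this version"
    return "not affected"
```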
This incident affected: TechTime Server Apps (EasySSO for Jira Server) and TechTime Data Center Apps (EasySSO for Jira Data Center).