Advisory

Atlassian patches PostgreSQL JDBC driver SQL injection in Jira and Confluence Server

Take action: If you are using on-premise Atlassian products (Bamboo, Bitbucket, Confluence, or Jira), review the advisory and plan a patch cycle. This advisory does not call for emergency patching, beyond checking your Postgres connection configuration to confirm that your Confluence and Jira instances are not vulnerable. Longer term, patching is still the smart choice.


Learn More

Atlassian released a security bulletin on May 21, 2024, addressing multiple vulnerabilities across its product suite. This update includes fixes for 37 vulnerabilities, including a fix for a critical-severity vulnerability:

The critical vulnerability is tracked as CVE-2024-1597 (CVSS score 9.8) and is patched in Confluence Data Center and Server, and Jira Data Center and Server. The vulnerability is an SQL Injection in the org.postgresql:postgresql dependency.

For Confluence, multiple versions of the 7.X and 8.X releases are vulnerable, and the issues were fixed in:

  • 8.9.1 Data Center Only
  • 8.5.9 (LTS) recommended
  • 7.19.22 (LTS)

For Jira Server, multiple versions of the 9.X releases are vulnerable, and the issues were fixed in:

  • 9.15.2 Data Center Only
  • 9.12.7 to 9.12.8 (LTS) recommended
  • 9.4.20 to 9.4.21 (LTS)

Atlassian has noted that the actual risk to its products is considerably lower, since the flaw is only exploitable when the PostgreSQL JDBC driver's preferQueryMode is set to “simple”, which is not the configuration Atlassian uses (the vulnerable setting is preferQueryMode=SIMPLE in the database connection settings). Customers are nevertheless advised to check their Postgres connection configuration and to patch.
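The configuration check above can be automated: the preferQueryMode parameter lives in the JDBC connection URL, which Jira keeps in dbconfig.xml and Confluence in confluence.cfg.xml. The script below is an added example, not Atlassian's or pgjdbc's own tooling; it extracts every jdbc:postgresql URL from a configuration file, decodes XML entities such as &amp; that would otherwise hide the parameter, and flags any URL whose preferQueryMode is simple (case-insensitive). The two configuration snippets and the hostname db.example.internal are constructed sample input.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Matches a JDBC URL up to the next whitespace, quote or XML angle bracket.
JDBC_URL_RE = re.compile(r"jdbc:postgresql://[^\s<>\"']+")


def parse_jdbc_params(url):
    """Return the query parameters of a jdbc:postgresql:// URL as a dict with lower-cased keys."""
    # urlsplit does not understand the "jdbc:" prefix, so strip it before parsing.
    plain = url[len("jdbc:"):]
    query = urlsplit(plain).query
    # parse_qs returns lists; the driver honours the last occurrence of a parameter.
    return {k.lower(): v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def uses_simple_query_mode(url):
    """True if the URL selects the vulnerable preferQueryMode=simple setting (any letter case)."""
    return parse_jdbc_params(url).get("preferquerymode", "").lower() == "simple"


def find_risky_urls(config_text):
    """Return every jdbc:postgresql URL in the text that selects preferQueryMode=simple.

    XML entities are decoded first, so '&amp;' separators inside dbconfig.xml or
    confluence.cfg.xml are handled the same way as a plain '&'.
    """
    urls = [html.unescape(u) for u in JDBC_URL_RE.findall(config_text)]
    return [u for u in urls if uses_simple_query_mode(u)]


# Constructed sample: a Jira dbconfig.xml fragment with the vulnerable setting.
SAMPLE_JIRA_DBCONFIG = """<jira-database-config>
  <database-type>postgres72</database-type>
  <jdbc-datasource>
    <url>jdbc:postgresql://db.example.internal:5432/jira?preferQueryMode=simple&amp;ssl=true</url>
  </jdbc-datasource>
</jira-database-config>"""

# Constructed sample: a Confluence confluence.cfg.xml property using the driver default.
SAMPLE_CONFLUENCE_CFG = """<property name="hibernate.connection.url">jdbc:postgresql://db.example.internal:5432/confluence</property>"""


if __name__ == "__main__":
    for name, text in (("dbconfig.xml", SAMPLE_JIRA_DBCONFIG), ("confluence.cfg.xml", SAMPLE_CONFLUENCE_CFG)):
        risky = find_risky_urls(text)
        status = "VULNERABLE SETTING" if risky else "ok"
        print(f"{name}: {status}")
        for url in risky:
            print(f"  {url}")
```

Run it against the real files by reading their contents into find_risky_urls; a non-empty result means the instance is running the driver in the query mode this advisory warns about and should be moved up the patch queue. An empty result only confirms the configuration is not the vulnerable one, so the driver update still belongs in the regular patch cycle.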

A patch for the same flaw was released for Bamboo in March 2024.

The patch release also fixes a significant number of high-risk SSRF, Remote Code Execution, Improper Authorization and DoS flaws.

Users are advised to apply the latest patched version.
