Security Vulnerability – Unauthorized Creation of Connections

    Note: Atlassian cloud users have already been updated unless pinned to a certain version.

    Details of the Vulnerability

    On Friday, 14 January, we discovered a vulnerability in Exalate that allows the unauthorized creation of connections.

    Through this vulnerability, a connection can be established between two Exalate instances without authorization. Note that using the connection still requires an authenticated user on either instance.

    This vulnerability has been rated 5.8/10 under CVSS v3.1. The vulnerability affects all releases of Exalate.

    The problem has been fixed in:

    • Exalate for Jira cloud version 5.2.7 -- Automatically updated on our cloud, unless pinned to a certain version
    • Exalate for Zendesk version 5.2.1
    • Exalate for ServiceNow version 5.2.7
    • Exalate for GitHub version 5.2.2
    • Exalate for Salesforce version 5.2.1
    • Exalate for Azure DevOps version 5.3.0
    • Exalate for HP ALM/QC version 5.0.12
    • Exalate for Jira Server and Data Center versions 5.1.9, 5.2.5 and 5.3.1

    Check the release history for the details here.

    How to Deploy the Vulnerability Fix

    • Exalate nodes deployed on the Exalate cloud which have not been pinned to a certain version have already been updated.
    • Exalate nodes pinned to a certain version: please reach out to your customer success manager to agree on an upgrade path.
    • Exalate deployed as a Jira add-on or as an on-premise solution requires an upgrade.

    If you have any questions, please feel free to raise a support request on our support portal here.