Note: Atlassian cloud users have already been updated unless pinned to a certain version.
Details of the Vulnerability
On Friday, 14th of January, we discovered a vulnerability in Exalate allowing unauthorized creation of connections.
Using this code one can establish a connection between 2 Exalate instances. Note that using the connection still requires an authenticated user on either instance.
This vulnerability has been rated 5.8/10, according to CVSSv3.1. The vulnerability affects all releases of Exalate.
The problem has been fixed in:
- Exalate for Jira cloud version 5.2.7 -- Automatically updated on our cloud, unless pinned to a certain version
- Exalate for Zendesk version 5.2.1
- Exalate for ServiceNow version 5.2.7
- Exalate for GitHub version 5.2.2
- Exalate for Salesforce version 5.2.1
- Exalate for Azure DevOps version 5.3.0
- Exalate for HP ALM/QC version 5.0.12
- Exalate for Jira server and datacenter versions 5.1.9, 5.2.5 and 5.3.1
Check the release history for the details here.
How to Deploy the Vulnerability Fix
- Exalate nodes deployed on the Exalate cloud which have not been pinned to a certain version have already been updated.
- Exalate nodes pinned to a certain version - please reach out to your customer success manager to agree on the upgrade path.
- Exalate deployed as an add-on on Jira or deployed as an on-premise solution will require an upgrade.
If you have any questions, please feel free to raise a support request on our support portal here.