Hello,
We are writing to let you know about security vulnerabilities that were recently identified in JEditor:
- CVE-2019-17571
- CVE-2021-4104
- CVE-2022-23302
- CVE-2022-23305
- CVE-2022-23307
The vulnerabilities affect version 3.23.0 of the JEditor — Rich Text Editor for Jira app we developed. JEditor versions before 3.23.0 are not impacted by these vulnerabilities. All listed vulnerabilities are related to a transitive dependency in JEditor 3.23.0, specifically log4j v1.2.17. All listed vulnerabilities are critical or severe and potentially allow a malicious request to execute code or run SQL statements.
These vulnerabilities have been rated as critical or severe according to the scale published on the Common Vulnerability Scoring System (CVSS).
The Atlassian DC App Security Scanner Platform identified the vulnerabilities. Once we became aware of the issue, we excluded the vulnerable transitive dependency (log4j v1.2.17) and investigated how this vulnerability appeared. Removing the vulnerable dependency ensures that all of the vulnerabilities are now fixed.
Based on our investigations, the vulnerability is not likely to have impacted you. Our code does not directly or indirectly use vulnerable components/classes of the dependency, and exploiting these vulnerabilities through JEditor is unlikely.
To fix the vulnerability in your environment, upgrade to JEditor 3.23.1.
We want you to know that we take this issue very seriously. We have conducted a thorough review of our internal processes to ensure this does not occur again for you and our other customers.
The vulnerable dependency was added to JEditor when the dependency scope was changed from "provided" to "compile". Normally, our internal scanners inform our development team of any known vulnerabilities. However, because the dependency previously had "provided" scope, it had been added to the scanners' exclusion lists, and our team did not re-check those lists when the dependency scope changed. To avoid such problems in future releases, we decided to stop using exclusion lists and to review all reported vulnerabilities, including those that come from "provided" dependencies.
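As an added illustration, not taken from the JEditor project's own build, the Maven pom.xml fragments below show how a scope change from "provided" to "compile" lets a transitive log4j 1.2.17 reach the packaged app, and how an exclusion keeps it out. The artifact `com.example:some-library` is a placeholder; this notice does not name the dependency that pulled in log4j.

```xml
<!-- Added example, not JEditor's actual pom.xml. "com.example:some-library" is a
     hypothetical direct dependency assumed to declare log4j:log4j:1.2.17 transitively. -->

<!-- Before: "provided" scope. The host (Jira) supplies the library at runtime,
     so neither it nor its transitive log4j is packaged into the app. -->
<dependency>
  <groupId>com.example</groupId>
  <artifactId>some-library</artifactId>
  <version>1.0.0</version>
  <scope>provided</scope>
</dependency>

<!-- After the scope change to "compile": the library and its transitive
     log4j 1.2.17 are bundled into the app artifact, which is what exposed 3.23.0. -->
<dependency>
  <groupId>com.example</groupId>
  <artifactId>some-library</artifactId>
  <version>1.0.0</version>
  <scope>compile</scope>
</dependency>

<!-- Fixed: keep "compile" scope but exclude the vulnerable transitive dependency,
     the same remediation described in this notice. -->
<dependency>
  <groupId>com.example</groupId>
  <artifactId>some-library</artifactId>
  <version>1.0.0</version>
  <scope>compile</scope>
  <exclusions>
    <exclusion>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

To confirm the exclusion took effect, `mvn dependency:tree -Dincludes=log4j:log4j` should list no log4j:log4j node unless another dependency path still brings it in.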
If you have any questions, please feel free to raise a support request at our support portal.
Sincerely,
Kirill Bobrovskikh
JEditor's project manager