Their announcement was a bit scary, as you can read on Atlassian's blog: "Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework".
The good news is that the attacker needs to have an account in order to do it.
Install the patch ASAP! Affected products:
- Bamboo - all versions up to 5.7
- Confluence - all versions up to 5.6.5
- FishEye - all versions up to 3.6.1
- Crucible - all versions up to 3.6.1
Note: Atlassian Cloud customers are not affected by any of these issues.
It has a critical severity and, according to the Atlassian website, that means:
"Vulnerabilities that score in the critical range usually have most of the following characteristics:
- Exploitation of the vulnerability results in root-level compromise of servers or infrastructure devices.
- The information required in order to exploit the vulnerability, such as example code, is widely available to attackers.
- Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
More details:
For critical vulnerabilities, it is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, if your installation is not accessible from the Internet, this may be a mitigating factor." (source: https://www.atlassian.com/security/security-severity-levels)
All useful information about the bug itself, the workaround and the patches is available here:
Stay safe folks!