Atlassian patches critical RCE flaws across multiple products


Atlassian has published security advisories for four critical remote code execution (RCE) vulnerabilities impacting Confluence, Jira, and Bitbucket servers, along with a companion app for macOS.

All security issues addressed received a critical-severity score of at least 9.0 out of 10, based on Atlassian's internal assessment. However, the company advises customers to evaluate applicability according to their own IT environment.

The company marked none of the security issues as being exploited in the wild. However, due to the popularity of Atlassian products and their extensive deployment in corporate environments, system administrators should prioritize applying the available updates.

The four RCE vulnerabilities addressed this month received the following identifiers:

  • CVE-2023-22522: Template injection flaw allowing authenticated users, including those with anonymous access, to inject unsafe input into a Confluence page (critical, with a 9.0 severity score). The flaw impacts all Confluence Data Center and Server versions after 4.0.0 and up to 8.5.3.
  • CVE-2023-22523: Privileged RCE in Assets Discovery agent impacting Jira Service Management Cloud, Server, and Data Center (critical, with a 9.8 severity score). Vulnerable Asset Discovery versions are anything below 3.2.0 for Cloud and 6.2.0 for Data Center and Server.
  • CVE-2023-22524: Bypass of blocklist and macOS Gatekeeper on the companion app for Confluence Server and Data Center for macOS, impacting all versions of the app prior to 2.0.0 (critical, with a 9.6 severity score).
  • CVE-2022-1471: RCE in SnakeYAML library impacting multiple versions of Jira, Bitbucket, and Confluence products (critical, with a 9.8 severity score).

To address all four of the above problems, users are recommended to update to one of the following product versions:

  • Confluence Data Center and Server 7.19.17 (LTS), 8.4.5, and 8.5.4 (LTS)
  • Jira Service Management Cloud (Assets Discovery) 3.2.0 or later, and Jira Service Management Data Center and Server (Assets Discovery) 6.2.0 or later.
  • Atlassian Companion App for macOS 2.0.0 or later
  • Automation for Jira (A4J) Marketplace App 9.0.2, and 8.2.4
  • Bitbucket Data Center and Server 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.15.0 (Data Center Only), and 8.16.0 (Data Center Only)
  • Confluence Cloud Migration App (CCMA) 3.4.0
  • Jira Core Data Center and Server, Jira Software Data Center and Server 9.11.2, 9.12.0 (LTS), and 9.4.14 (LTS)
  • Jira Service Management Data Center and Server 5.11.2, 5.12.0 (LTS), and 5.4.14 (LTS)

If uninstalling Assets Discovery agents to apply the patch for CVE-2023-22523 is not possible at the moment or has to be delayed, Atlassian provides a temporary mitigation that consists of blocking the port used for communication with agents, which by default is 51337.
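The following script is an added example, not Atlassian's code or tooling. It takes the fixed-version list from the advisory above and checks an inventory of installed builds against it, then verifies whether the port-blocking mitigation for CVE-2023-22523 actually holds by attempting a TCP connection to the agent port. The rule that a build is patched when it is at or above the fixed release on its own major.minor branch, or above the newest fixed release overall, is this example's assumption, not a statement from the advisory; the inventory data is constructed.

```python
"""Applicability check for the Atlassian fixes listed in the article.

Added example, not Atlassian's code. FIXED_VERSIONS is copied from the
article; the patched/unpatched rule in is_patched() is an assumption.
"""
import re
import socket

# Fixed releases per product, as listed in the article (Cloud entries only
# where the article names a version).
FIXED_VERSIONS = {
    "confluence": ["7.19.17", "8.4.5", "8.5.4"],
    "bitbucket": ["7.21.16", "8.8.7", "8.9.4", "8.10.4", "8.11.3", "8.12.1",
                  "8.13.0", "8.14.0", "8.15.0", "8.16.0"],
    "jira-software": ["9.4.14", "9.11.2", "9.12.0"],
    "jira-service-management": ["5.4.14", "5.11.2", "5.12.0"],
    "assets-discovery-dc": ["6.2.0"],
    "assets-discovery-cloud": ["3.2.0"],
    "companion-app": ["2.0.0"],
}


def parse_version(text):
    """Turn '8.5.3' (or '8.5.3-build1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(product, version):
    """True if `version` of `product` is at or above a fixed release.

    Assumption (not from the advisory): a build on a branch that has a fixed
    release is patched once it is >= that release; a build on a branch with no
    fixed release is treated as patched only if it is newer than every fixed
    release (i.e. a later feature branch that carries the fix forward).
    """
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in FIXED_VERSIONS[product])
    for f in fixed:
        if v[:2] == f[:2]:          # same major.minor branch
            return v >= f
    return v > fixed[-1]


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("wiki-01", "confluence", "8.5.3"),
    ("wiki-02", "confluence", "8.5.4"),
    ("git-01", "bitbucket", "8.9.3"),
    ("jsm-01", "jira-service-management", "5.4.14"),
]


def unpatched_hosts(inventory):
    """Return the hostnames whose installed build still needs the update."""
    return [host for host, product, version in inventory
            if not is_patched(product, version)]


def port_accepts_connections(host, port=51337, timeout=1.0):
    """True if a TCP handshake to host:port succeeds.

    After blocking the Assets Discovery agent port (51337 by default) this
    should return False from any host that is not meant to reach the agent,
    which is how to confirm the temporary mitigation is in effect.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update required")
    print("agent port reachable on localhost:",
          port_accepts_connections("127.0.0.1"))
```

Feed `unpatched_hosts()` the output of whatever asset inventory you already keep, and run `port_accepts_connections()` from a host outside the agent's allowed network segment to confirm the firewall rule blocks it.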

In the case of CVE-2023-22522, there is no mitigation. If administrators cannot apply the patch immediately, Atlassian recommends that they back up affected instances and take them offline.

If administrators are unable to apply the patch for CVE-2023-22524, the company recommends uninstalling the Atlassian Companion App.