Vulnerabilities

CVE-2023-22522, 2023-22524, 2023-22523, 2022-1471 - Atlassian Releases Security Advisories for Multiple Products

Written by Critical Insight | Dec 8, 2023 5:01:00 PM

This advisory is for organizations that use any of the below Atlassian products.  If your organization does not use Atlassian products, this notification may be discarded.

  • Confluence Data Center and Confluence Sever
  • Atlassian companion App for MacOS
  • Assets Discovery
  • SnakeYAML library

Summary

Atlassian has released Security Advisories and made patches available to address the RCE (Remote Code Execution) vulnerabilities noted in the below platforms. 

 

CVE-2023-22522 – RCE Vulnerability In Confluence Data Center and Confluence Server

               CVSSv3: 9.0

                May allow an authenticated attacker (including anonymous access) to inject unsafe user input into a Confluence page which could result in RCE of the affected instance.

                Affects all versions, including and after 4.0.0 of Confluence Data Center and Server.

Patches to address the vulnerability

Product

Fixed Versions

Confluence Data Center and Server

7.19.17 (LTS)

 

8.4.5

 

8.5.4  (LTS)

Confluence Data Center

8.6.2 or later (Data Center Only)

 

8.7.1 or later (Data Center Only)

 

CVE-2023-22523 - RCE Vulnerability in Assets Discovery

                CSVVv3: 9.8

                May allow an attacker to perform privileged RCE on machines with Assets Discovery agent installed. 

Patches to address the vulnerability

Product

Component

Fixed Versions

Jira Service Management Cloud

Assets Discovery

Assets Discovery 3.2.0-cloud or later

Jira Service Management Data Center and Server

Assets Discovery

Assets Discovery 6.2.0 or later

 

 

CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS

                CVSSV3: 9.6

May allow an attacker to utilize WebSockets to bypass Atlassian Companion’s block list and MacOS Gatekeeper to allow RCE

Patches to address the vulnerability

Product

Fixed Versions

Atlassian Companion App for MacOS

2.0.0 or later

 

 

CVE-2022-1471 – SnakeYAML library RCE Vulnerability impacts Multiple Products

                CVSSv3: 9.8

Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java.  SnakeYAML is susceptible to a deserialization flaw that can lead to RCE.

Product

Action

 

 

Automation for Jira (A4J) Marketplace App

Patch to the following fixed versions or later

 

 

9.0.2

 

 

8.2.4

 

 

Mitigations

 

 

Upgrade via the Universal Plugin Manager (UPM).

 

 

Bitbucket Data Center & Server

Patch to the following fixed versions or later

 

 

7.21.16 (LTS)

 

 

8.8.7

 

 

8.9.4 (LTS)

 

 

8.10.4

 

 

8.11.3

 

 

8.12.1

 

 

8.13.0

 

 

8.14.0

 

 

8.15.0 (Data Center Only)

 

 

8.16.0 (Data Center Only)

 

 

Confluence Data Center & Server

Patch to the following fixed versions or later

 

 

7.19.17 (LTS)

 

 

8.4.5

 

 

8.5.4 (LTS)

 

 

8.6.2 (Data Center Only)

 

 

8.7.1 (Data Center Only)

 

 

Fixed in the following versions

 

 

The fix is contained in 7.13.18, 7.19.10, and 8.3.1, however these versions also contain previously communicated security vulnerabilities.

 

 
   
   

Confluence Cloud Mitigation App (CCMA)

Patch to the following fixed versions or later

   

3.4.0

   

Jira Core Data Center & Server

Jira Software Data Center & Server

Patch to the following fixed versions or later

   

9.11.2

   

9.12.0 (LTS)

   

9.4.14 (LTS)

   

Mitigations

   

If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).

   
   
   
   

Jira Service
Management Data Center & Server

Patch to the following fixed versions or later

   

5.11.2

   

5.12.0 (LTS)

   

5.4.14 (LTS)

   

Upgrading Jira to a fixed version is also required

   

Mitigations

   

If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).

   
   
   
   

 

Additional Resources

https://confluence.atlassian.com/security/cve-2023-22522-rce-vulnerability-in-confluence-data-center-and-confluence-server-1319570362.html

https://confluence.atlassian.com/security/cve-2023-22523-rce-vulnerability-in-assets-discovery-1319248914.html

https://confluence.atlassian.com/security/cve-2023-22524-rce-vulnerability-in-atlassian-companion-app-for-macos-1319249492.html

https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-impacts-multiple-products-1296171009.html