This advisory is for organizations that use any of the Atlassian products listed below. If your organization does not use Atlassian products, this notification may be discarded.
Summary
Atlassian has released Security Advisories and made patches available to address the RCE (Remote Code Execution) vulnerabilities in the products listed below.
CVE-2023-22522 – RCE Vulnerability In Confluence Data Center and Confluence Server
CVSSv3: 9.0
May allow an authenticated attacker (including one with anonymous access, where anonymous access is enabled) to inject unsafe user input into a Confluence page, which could result in RCE on the affected instance.
Affects all versions of Confluence Data Center and Server from 4.0.0 onward.
Patches to address the vulnerability
Product | Fixed Versions
Confluence Data Center and Server | 7.19.17 (LTS), 8.4.5, 8.5.4 (LTS)
Confluence Data Center | 8.6.2 or later (Data Center Only), 8.7.1 or later (Data Center Only)
CVE-2023-22523 - RCE Vulnerability in Assets Discovery
CVSSv3: 9.8
May allow an attacker to perform privileged RCE on machines with the Assets Discovery agent installed.
Patches to address the vulnerability
Product | Component | Fixed Versions
Jira Service Management Cloud | Assets Discovery | Assets Discovery 3.2.0-cloud or later
Jira Service Management Data Center and Server | Assets Discovery | Assets Discovery 6.2.0 or later
CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS
CVSSv3: 9.6
May allow an attacker to use WebSockets to bypass Atlassian Companion's block list and macOS Gatekeeper, resulting in RCE.
Patches to address the vulnerability
Product | Fixed Versions
Atlassian Companion App for MacOS | 2.0.0 or later
CVE-2022-1471 – SnakeYAML library RCE Vulnerability impacts Multiple Products
CVSSv3: 9.8
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java. SnakeYAML is susceptible to a deserialization flaw that can lead to RCE.
Product | Action
Automation for Jira (A4J) Marketplace App | Patch to the following fixed versions or later: 9.0.2, 8.2.4. Mitigations: Upgrade via the Universal Plugin Manager (UPM).
Bitbucket Data Center & Server | Patch to the following fixed versions or later: 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.15.0 (Data Center Only), 8.16.0 (Data Center Only)
Confluence Data Center & Server | Patch to the following fixed versions or later: 7.19.17 (LTS), 8.4.5, 8.5.4 (LTS), 8.6.2 (Data Center Only), 8.7.1 (Data Center Only). Fixed in the following versions: the fix is also contained in 7.13.18, 7.19.10, and 8.3.1; however, these versions also contain previously communicated security vulnerabilities.
Confluence Cloud Mitigation App (CCMA) | Patch to the following fixed versions or later: 3.4.0
Jira Core Data Center & Server | Patch to the following fixed versions or later: 9.11.2, 9.12.0 (LTS), 9.4.14 (LTS). Mitigations: If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).
Jira Service | Patch to the following fixed versions or later: 5.11.2, 5.12.0 (LTS), 5.4.14 (LTS). Upgrading Jira to a fixed version is also required. Mitigations: If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).
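For teams that ship their own Java code against SnakeYAML (not only the Atlassian products above), the following added example, which is not code from Atlassian, SnakeYAML, or this advisory, shows the shape of the CVE-2022-1471 deserialization problem and the fix a consumer applies: the library's default `Constructor` resolves global `!!` tags to Java class names and instantiates them, whereas `SafeConstructor` only builds the standard YAML scalar, sequence and mapping types and rejects any other tag. The class name `com.example.AppConfig` and both YAML documents are constructed for the illustration; the code assumes SnakeYAML 1.33 or later on the classpath so that `SafeConstructor(LoaderOptions)` exists (in SnakeYAML 2.x the no-argument `SafeConstructor()` was removed, which is why the `LoaderOptions` form is used).

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added illustration (not Atlassian's or SnakeYAML's own code) of the
 * vulnerable and hardened ways to parse YAML that may come from an untrusted
 * source. Assumes SnakeYAML 1.33+ (SafeConstructor(LoaderOptions) exists).
 */
public class SafeYamlLoading {

    // Constructed sample: a document that uses a global tag to name a Java class.
    // Versions affected by CVE-2022-1471 resolve such a tag by reflection and
    // instantiate the named class while loading; "com.example.AppConfig" is a
    // placeholder name, not a real class.
    static final String TAGGED_INPUT =
            "config: !!com.example.AppConfig {name: demo}\n";

    // Constructed sample: the same settings expressed with plain YAML types only.
    static final String PLAIN_INPUT =
            "config: {name: demo}\n";

    /**
     * Vulnerable pattern: the default Constructor honours arbitrary !!class tags
     * in affected versions. Kept here only as the "before" for comparison and
     * never called on untrusted input.
     */
    static Object loadUnsafe(String yamlText) {
        Yaml yaml = new Yaml();
        return yaml.load(yamlText);
    }

    /**
     * Hardened pattern: SafeConstructor builds only standard YAML types
     * (maps, lists, strings, numbers, booleans, dates) and throws on any
     * tag that names a Java class.
     */
    static Object loadSafe(String yamlText) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(yamlText);
    }

    public static void main(String[] args) {
        // Ordinary configuration still parses as a plain Map.
        Map<?, ?> plain = (Map<?, ?>) loadSafe(PLAIN_INPUT);
        System.out.println("plain input parsed to: " + plain);

        // The tagged document is refused instead of instantiating a class.
        try {
            loadSafe(TAGGED_INPUT);
            System.out.println("unexpected: tagged input was accepted");
        } catch (YAMLException e) {
            System.out.println("tagged input rejected: " + e.getMessage());
        }
    }
}
```

When reviewing a code base for this issue, the pattern to look for is any `new Yaml()` (or `new Yaml(new Constructor(...))`) whose input can be influenced by a user or by a fetched document; replacing the constructor argument with `SafeConstructor` as above, or upgrading the library to a version whose default is already restricted, removes the class-instantiation behaviour.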
Additional Resources