Atlassian patches critical RCE flaws across multiple products

Atlassian has released security advisories for four critical remote code execution (RCE) vulnerabilities affecting Confluence, Jira, and Bitbucket servers, along with a companion app for macOS.

All of the security issues addressed received a critical-severity score of at least 9.0 out of 10, based on Atlassian's internal assessment. However, the company advises customers to assess the severity according to their own IT environment.

The company flagged none of the security issues as being exploited in the wild. However, given the popularity of Atlassian products and their widespread deployment in corporate environments, system administrators should prioritize applying the available updates.

The set of four RCE vulnerabilities addressed this month are assigned the following identifiers:

  • CVE-2023-22522: Template injection flaw allowing authenticated users, including those with anonymous access, to inject unsafe input into a Confluence page (critical, with a 9.0 severity score). The flaw impacts all Confluence Data Center and Server versions after 4.0.0 and up to 8.5.3.
  • CVE-2023-22523: Privileged RCE in the Assets Discovery agent impacting Jira Service Management Cloud, Server, and Data Center (critical, with a 9.8 severity score). Vulnerable Assets Discovery versions are anything below 3.2.0 for Cloud and 6.2.0 for Data Center and Server.
  • CVE-2023-22524: Bypass of the blocklist and macOS Gatekeeper in the companion app for Confluence Server and Data Center on macOS, impacting all versions of the app prior to 2.0.0 (critical, with a 9.6 severity score).
  • CVE-2022-1471: RCE in the SnakeYAML library impacting multiple versions of Jira, Bitbucket, and Confluence products (critical, with a 9.8 severity score).

To address all four of the above problems, users are recommended to update to one of the following product versions:

  • Confluence Data Center and Server 7.19.17 (LTS), 8.4.5, and 8.5.4 (LTS)
  • Jira Service Management Cloud (Assets Discovery) 3.2.0 or later, and Jira Service Management Data Center and Server (Assets Discovery) 6.2.0 or later.
  • Atlassian Companion App for macOS 2.0.0 or later
  • Automation for Jira (A4J) Marketplace App 9.0.2, and 8.2.4
  • Bitbucket Data Center and Server 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.15.0 (Data Center Only), and 8.16.0 (Data Center Only)
  • Confluence Cloud Migration App (CCMA) 3.4.0
  • Jira Core Data Center and Server, Jira Software Data Center and Server 9.11.2, 9.12.0 (LTS), and 9.4.14 (LTS)
  • Jira Service Management Data Center and Server 5.11.2, 5.12.0 (LTS), and 5.4.14 (LTS)
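A quick way to turn the fixed-version list above into an inventory check. This is an added example, not Atlassian's own tooling: the fixed versions are the ones listed in the advisories summarized here, while the branch-matching rule (a fix on the same major.minor line is preferred, otherwise the nearest higher fixed version), the product keys, and the sample inventory are my own assumptions. The check is deliberately conservative: any install below a fixed version on its branch, or on an older branch with no fix of its own, is flagged for upgrade.

```python
"""Flag Atlassian Server/Data Center installs that are below a fixed version.

Added example (not Atlassian code). Fixed versions are from the advisories
summarized in the article; the matching logic and sample data are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed versions per product as listed in the advisories.
# Keys are my own shorthand, not Atlassian identifiers.
FIXED_VERSIONS = {
    "confluence": ["7.19.17", "8.4.5", "8.5.4"],
    "bitbucket": ["7.21.16", "8.8.7", "8.9.4", "8.10.4", "8.11.3",
                  "8.12.1", "8.13.0", "8.14.0", "8.15.0", "8.16.0"],
    "jira": ["9.4.14", "9.11.2", "9.12.0"],          # Jira Core / Software
    "jsm": ["5.4.14", "5.11.2", "5.12.0"],           # Jira Service Management
    "assets-discovery-dc": ["6.2.0"],
    "assets-discovery-cloud": ["3.2.0"],
    "companion-macos": ["2.0.0"],
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.5.3' (or '8.5.3-anything') into a comparable tuple.

    Missing components are padded with zeros, so '8.5' sorts as 8.5.0.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass
class Assessment:
    product: str
    installed: str
    vulnerable: bool
    recommended: str | None  # fixed version to move to, if an upgrade is needed


def assess(product: str, installed: str) -> Assessment:
    """Compare one install against the fixed versions for its product."""
    fixes = FIXED_VERSIONS[product]
    inst = parse_version(installed)

    # Prefer a fix on the same major.minor branch (e.g. 8.5.x -> 8.5.4).
    same_branch = [f for f in fixes if parse_version(f)[:2] == inst[:2]]
    if same_branch:
        fix = same_branch[0]
        return Assessment(product, installed, inst < parse_version(fix), fix)

    # No fix on this branch: only releases newer than every fixed line are
    # treated as patched; anything else is sent to the nearest higher fix.
    higher = [f for f in fixes if parse_version(f) > inst]
    if not higher:
        return Assessment(product, installed, False, None)
    return Assessment(product, installed, True, min(higher, key=parse_version))


def run_inventory(inventory: list[tuple[str, str]]) -> list[Assessment]:
    """Assess a list of (product, installed_version) pairs."""
    return [assess(product, version) for product, version in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("confluence", "8.5.3"),
        ("confluence", "7.19.17"),
        ("bitbucket", "8.7.2"),
        ("jira", "9.4.10"),
        ("assets-discovery-dc", "6.1.9"),
    ]
    for a in run_inventory(sample):
        status = "UPGRADE to " + a.recommended if a.vulnerable else "ok"
        print(f"{a.product:22} {a.installed:10} {status}")
```

Feed it whatever your asset inventory exports (product name and version string per host); only entries marked as needing an upgrade require action, and the recommended version keeps you on the same branch where the advisories provide one.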

If uninstalling Assets Discovery agents to apply the patch for CVE-2023-22523 is not possible at the moment or has to be delayed, Atlassian provides a temporary workaround that consists of blocking the port used for communication with the agents, which by default is 51337. This only reduces exposure; the patch still needs to be applied.

In the case of CVE-2023-22522, there is no workaround. If administrators cannot apply the patch immediately, Atlassian recommends backing up affected instances and taking them offline.

If administrators are unable to apply the patch for CVE-2023-22524, the company recommends uninstalling the Atlassian Companion App.