Atlassian patches critical RCE flaws across multiple products

Atlassian has released security advisories for four critical remote code execution (RCE) vulnerabilities impacting Confluence, Jira, and Bitbucket servers, along with a companion app for macOS.

All security issues addressed received a critical-severity rating of at least 9.0 out of 10, based on Atlassian's internal assessment. However, the company advises organizations to evaluate applicability according to their own IT environment.

The company marked none of the security issues as being exploited in the wild. However, due to the popularity of Atlassian products and their extensive deployment in corporate environments, system administrators should prioritize applying the available updates.

The four RCE vulnerabilities addressed this month received the following identifiers:

  • CVE-2023-22522: Template injection flaw allowing authenticated users, including those with anonymous access, to inject unsafe input into a Confluence page (critical, with a 9.0 severity score). The flaw affects all Confluence Data Center and Server versions after 4.0.0 and up to 8.5.3.
  • CVE-2023-22523: Privileged RCE in the Assets Discovery agent impacting Jira Service Management Cloud, Server, and Data Center (critical, with a 9.8 severity score). Vulnerable Assets Discovery versions are anything below 3.2.0 for Cloud and 6.2.0 for Data Center and Server.
  • CVE-2023-22524: Bypass of blocklist and macOS Gatekeeper in the companion app for Confluence Server and Data Center for macOS, impacting all versions of the app prior to 2.0.0 (critical, with a 9.6 severity score).
  • CVE-2022-1471: RCE in the SnakeYAML library impacting multiple versions of Jira, Bitbucket, and Confluence products (critical, with a 9.8 severity score).

To address all four of the above issues, users are recommended to update to one of the following product versions:

  • Confluence Data Center and Server 7.19.17 (LTS), 8.4.5, and 8.5.4 (LTS)
  • Jira Service Management Cloud (Assets Discovery) 3.2.0 or later, and Jira Service Management Data Center and Server (Assets Discovery) 6.2.0 or later
  • Atlassian Companion App for macOS 2.0.0 or later
  • Automation for Jira (A4J) Marketplace App 9.0.2 and 8.2.4
  • Bitbucket Data Center and Server 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.15.0 (Data Center only), and 8.16.0 (Data Center only)
  • Confluence Cloud Migration App (CCMA) 3.4.0
  • Jira Core Data Center and Server, Jira Software Data Center and Server 9.11.2, 9.12.0 (LTS), and 9.4.14 (LTS)
  • Jira Service Management Data Center and Server 5.11.2, 5.12.0 (LTS), and 5.4.14 (LTS)
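Atlassian asks administrators to judge applicability against their own environment, and the advisory gives the fixed releases per product branch. The script below is an added example (not Atlassian tooling) that turns that list into an inventory check: it decides, per installed version, whether the installed branch already carries a fix, which fixed release to move to if not, and, for Confluence, whether the version falls outside the stated affected range (after 4.0.0). The fixed-version table is copied from the list above; the product keys, the host names and the inventory at the bottom are constructed sample data, and version strings are assumed to be plain dotted integers such as "8.5.3".

```python
"""Compare installed Atlassian product versions against the fixed releases
named in Atlassian's December 2023 advisories.

Added example, not Atlassian's own tooling. FIXED_VERSIONS is copied from the
advisory summary; product keys, host names and SAMPLE_INVENTORY are constructed.
Version strings are assumed to be plain dotted integers (e.g. "8.5.3").
"""
from typing import List, Optional, Tuple

# Fixed releases per product, as listed in the advisory summary.
FIXED_VERSIONS = {
    "confluence": ["7.19.17", "8.4.5", "8.5.4"],
    "assets-discovery-cloud": ["3.2.0"],
    "assets-discovery-dc": ["6.2.0"],
    "companion-app": ["2.0.0"],
    "automation-for-jira": ["9.0.2", "8.2.4"],
    "bitbucket": ["7.21.16", "8.8.7", "8.9.4", "8.10.4", "8.11.3",
                  "8.12.1", "8.13.0", "8.14.0", "8.15.0", "8.16.0"],
    "ccma": ["3.4.0"],
    "jira-core-software": ["9.11.2", "9.12.0", "9.4.14"],
    "jira-service-management": ["5.11.2", "5.12.0", "5.4.14"],
}

# Lower bound of the affected range where the advisory states one:
# CVE-2023-22522 affects Confluence releases *after* 4.0.0.
NOT_AFFECTED_AT_OR_BELOW = {"confluence": "4.0.0"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.5.3' into (8, 5, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def fmt(version: Tuple[int, ...]) -> str:
    return ".".join(str(p) for p in version)


def assess(product: str, installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_release).

    status is "patched", "vulnerable" or "not affected". recommended_release is
    the same-branch fixed release when one exists, otherwise the smallest fixed
    release above the installed version; None when no action is needed.
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(v) for v in FIXED_VERSIONS[product])

    floor = NOT_AFFECTED_AT_OR_BELOW.get(product)
    if floor is not None and inst <= parse_version(floor):
        return "not affected", None

    # A fixed release exists on the installed major.minor branch:
    # patched only if the installed version is at or above it.
    same_branch = [f for f in fixes if f[:2] == inst[:2]]
    if same_branch:
        fix = same_branch[0]
        return ("patched", None) if inst >= fix else ("vulnerable", fmt(fix))

    # No fix on this branch. Anything at or above the newest fixed release
    # already carries the fix; anything older must move to the next fixed one.
    if inst >= fixes[-1]:
        return "patched", None
    target = min(f for f in fixes if f > inst)
    return "vulnerable", fmt(target)


def scan(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """Assess (host, product, version) triples; returns rows with status and target."""
    return [(host, product, version, *assess(product, version))
            for host, product, version in inventory]


# Constructed sample inventory; host names are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("wiki-01", "confluence", "8.5.3"),
    ("wiki-02", "confluence", "8.2.1"),
    ("wiki-03", "confluence", "8.5.4"),
    ("jsm-agent-07", "assets-discovery-dc", "6.1.9"),
    ("mac-laptop-12", "companion-app", "1.9.0"),
]

if __name__ == "__main__":
    for host, product, version, status, target in scan(SAMPLE_INVENTORY):
        action = f"-> update to {target}" if target else ""
        print(f"{host:14} {product:24} {version:8} {status} {action}")
```

Note that a Confluence 8.2.x or 8.3.x install is reported as vulnerable with 8.4.5 as the target, because the advisory lists no fixed release on those branches and the affected range runs up to 8.5.3; moving to a fixed LTS branch is the only option there.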

If uninstalling Assets Discovery agents to apply the patch for CVE-2023-22523 is not possible at the moment or must be delayed, Atlassian provides a temporary mitigation that consists of blocking the port used for communication with agents, which by default is 51337.

In the case of CVE-2023-22522, there is no mitigation. If administrators cannot apply the patch immediately, Atlassian recommends backing up affected instances and taking them offline.

If administrators are unable to apply the patch for CVE-2023-22524, the company recommends uninstalling the Atlassian Companion App.
