It is time to patch once more: four critical security vulnerabilities in Atlassian software open the door to remote code execution (RCE) and subsequent lateral movement inside enterprise environments. They're just the latest bugs to surface of late in the software maker's collaboration and DevOps platforms, which tend to be a favorite target for cyberattackers.
The vulnerabilities, for which Atlassian issued fixes on Tuesday, include:
CVE-2022-1471 (CVSS vulnerability severity score of 9.8 out of 10): Deserialization in the SnakeYAML library, affecting multiple Atlassian software platforms.
CVE-2023-22522 (CVSS 9): Authenticated template injection vulnerability affecting Confluence Server and Data Center. Someone logged into the system, even anonymously, can inject unsafe user input into a Confluence page and achieve RCE, according to Atlassian.
CVE-2023-22523 (CVSS 9.8): Privileged RCE in the Assets Discovery network-scanning tool for Jira Service Management Cloud, Server, and Data Center. According to Atlassian's advisory, "The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent."
CVE-2023-22524 (CVSS 9.6): RCE in the Atlassian Companion app for macOS, which is used for file editing in Confluence Data Center and Server. "An attacker could utilize WebSockets to bypass Atlassian Companion's blocklist and MacOS Gatekeeper to allow the execution of code," the advisory read.
Atlassian Bugs Are Catnip to Cyberattackers
The latest advisories come hard on the heels of a string of bug disclosures from Atlassian, which have been tied to both zero-day and post-patch exploitation.
Atlassian software is a popular target for threat actors, especially Confluence, a widely used Web-based corporate wiki for collaboration in cloud and hybrid server environments. It allows one-click connections to a variety of different databases, making its utility for attackers nonpareil. More than 60,000 customers use Confluence, including LinkedIn, NASA, and the New York Times.
If past is prologue, admins should patch the latest bugs immediately. In October, for instance, the software company rolled out security fixes for a max-severity RCE bug (CVSS 10) in Confluence Data Center and Server (CVE-2023-22515), which had been exploited prior to patching by a China-sponsored advanced persistent threat (APT) tracked as Storm-0062. A string of proof-of-concept exploits also quickly cropped up for it after disclosure, paving the way for mass exploitation attempts.
Shortly after, in November, another RCE bug reared its head in Confluence Data Center and Server that had been exploited as a zero-day in the wild, initially listed with a 9.1 CVSS score. However, a glut of active ransomware and other cyberattacks after patches were released prompted Atlassian to raise the severity score to 10.
That same month, Atlassian revealed that the Bamboo continuous integration (CI) and continuous delivery (CD) server for software development, as well as Confluence Data Center and Server, were both vulnerable to yet another max-severity issue, this time in the Apache Software Foundation's (ASF) ActiveMQ message broker (CVE-2023-46604, CVSS 10). The bug, which was weaponized as an "n-day" bug, was also quickly furnished with PoC exploit code, allowing a remote attacker to execute arbitrary commands on affected systems. Atlassian has released fixes for both platforms.