Atlassian has released security advisories for four critical remote code execution (RCE) vulnerabilities affecting Confluence, Jira, and Bitbucket servers, as well as a companion app for macOS.
All of the addressed security issues received a critical-severity rating of at least 9.0 out of 10, based on Atlassian's internal assessment. However, the company advises organizations to evaluate applicability based on their own IT environment.
The company marked none of the security issues as being exploited in the wild. However, given the popularity of Atlassian products and their extensive deployment in corporate environments, system administrators should prioritize applying the available updates.
The four RCE vulnerabilities addressed this month received the following identifiers:
- CVE-2023-22522: Template injection flaw allowing authenticated users, including those with anonymous access, to inject unsafe input into a Confluence page (critical, with a 9.0 severity score). The flaw affects all Confluence Data Center and Server versions after 4.0.0 and up to 8.5.3.
- CVE-2023-22523: Privileged RCE in the Assets Discovery agent affecting Jira Service Management Cloud, Server, and Data Center (critical, with a 9.8 severity score). Vulnerable Assets Discovery versions are anything below 3.2.0 for Cloud and 6.2.0 for Data Center and Server.
- CVE-2023-22524: Bypass of blocklist and macOS Gatekeeper in the companion app for Confluence Server and Data Center for macOS, affecting all versions of the app prior to 2.0.0 (critical, with a 9.6 severity score).
- CVE-2022-1471: RCE in the SnakeYAML library affecting multiple versions of Jira, Bitbucket, and Confluence products (critical, with a 9.8 severity score).
To address all four of the above issues, users are advised to update to one of the following product versions:
- Confluence Data Center and Server 7.19.17 (LTS), 8.4.5, and 8.5.4 (LTS)
- Jira Service Management Cloud (Assets Discovery) 3.2.0 or later, and Jira Service Management Data Center and Server (Assets Discovery) 6.2.0 or later
- Atlassian Companion App for macOS 2.0.0 or later
- Automation for Jira (A4J) Marketplace App 9.0.2 and 8.2.4
- Bitbucket Data Center and Server 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.15.0 (Data Center only), and 8.16.0 (Data Center only)
- Confluence Cloud Migration App (CCMA) 3.4.0
- Jira Core Data Center and Server, Jira Software Data Center and Server 9.11.2, 9.12.0 (LTS), and 9.4.14 (LTS)
- Jira Service Management Data Center and Server 5.11.2, 5.12.0 (LTS), and 5.4.14 (LTS)
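As an added example (not from the article or from Atlassian), a small Python triage helper that compares an installed version against the fixed releases listed above for Confluence, Bitbucket, Jira, Jira Service Management and the Assets Discovery agent. The product keys and the branch-matching rule (a build is patched when it is at or above the fix published for its own major.minor line) are this example's own assumptions; versions newer than any listed fix are reported as outside the table rather than declared safe.

```python
"""Patch-status triage against the fixed releases listed in the advisory summary."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First fixed release per branch, copied from the version list above.
# Product keys are this example's own labels, not Atlassian identifiers.
FIXED: Dict[str, List[str]] = {
    "confluence": ["7.19.17", "8.4.5", "8.5.4"],
    "bitbucket": ["7.21.16", "8.8.7", "8.9.4", "8.10.4", "8.11.3",
                  "8.12.1", "8.13.0", "8.14.0", "8.15.0", "8.16.0"],
    "jira": ["9.4.14", "9.11.2", "9.12.0"],
    "jsm": ["5.4.14", "5.11.2", "5.12.0"],
    "assets-discovery-dc": ["6.2.0"],     # CVE-2023-22523, Data Center/Server agent
    "assets-discovery-cloud": ["3.2.0"],  # CVE-2023-22523, Cloud agent
}

@dataclass
class Triage:
    status: str                 # "patched", "vulnerable" or "newer-than-listed"
    upgrade_to: Optional[str]   # nearest fixed release to move to, if one is listed

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.5.3' (or '8.5.3-rc1', '8.5') into a 3-tuple; missing parts are 0."""
    nums = [int(p) for p in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def fmt(v: Tuple[int, ...]) -> str:
    return ".".join(str(n) for n in v)

def triage(product: str, installed: str) -> Triage:
    have = parse_version(installed)
    fixes = sorted(parse_version(f) for f in FIXED[product])
    # Assumption: a release is patched when it is at or above the fix published
    # for its own major.minor branch, which is also the cheapest in-place upgrade.
    same_branch = [f for f in fixes if f[:2] == have[:2]]
    if same_branch:
        fix = same_branch[0]
        return Triage("patched" if have >= fix else "vulnerable", fmt(fix))
    # No fix on this branch. Anything above the highest listed fix is outside
    # this summary's table (e.g. a newer line), so say so rather than guess.
    if have > fixes[-1]:
        return Triage("newer-than-listed", None)
    # Otherwise the whole branch is unpatched: point at the next fixed release up.
    target = next(f for f in fixes if f > have)
    return Triage("vulnerable", fmt(target))
```

For example, `triage("confluence", "8.5.3")` reports a vulnerable build with `8.5.4` as the upgrade target, while `8.3.2` (no fix on its own branch) is pointed at `8.4.5`.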
If uninstalling Assets Discovery agents to apply the patch for CVE-2023-22523 is not possible at the moment or must be delayed, Atlassian provides a temporary mitigation that consists of blocking the port used for communication with agents, which by default is 51337.
In the case of CVE-2023-22522, there is no mitigation. If administrators cannot apply the patch immediately, Atlassian recommends backing up affected instances and taking them offline.
If administrators are unable to apply the patch for CVE-2023-22524, the company recommends uninstalling the Atlassian Companion App.