Update faster: Atlassian fixes 4 critical vulnerabilities in its product line

Brother

All of the security flaws were rated 9 points or higher. Can the fix really wait?

Atlassian recently published advisories on the fix for four critical remote code execution (RCE) vulnerabilities affecting Confluence, Jira and Bitbucket servers, as well as the Companion app for macOS.

These security issues were rated critical, with a score of at least 9.0 out of 10 on Atlassian's internal severity scale. The company nevertheless recommends that organizations assess the actual impact themselves, based on their own IT environment.

According to the company, none of the vulnerabilities are known to be exploited by attackers yet. Given the popularity of Atlassian products and their widespread use in enterprise environments, however, system administrators should treat prompt patching as their top priority.

The remote code execution vulnerabilities addressed by Atlassian this month are the following:
  • CVE-2023-22522: Template injection in Confluence that lets an authenticated attacker, including one with anonymous access, inject unsafe user input into a Confluence page. Affects all versions of Confluence Data Center and Server after 4.0.0 and before 8.5.3 (rating 9.0).
  • CVE-2023-22523: Privileged RCE in the Asset Discovery agent for Jira Service Management Cloud, Server and Data Center. Asset Discovery versions below 3.2.0 (Cloud) and below 6.2.0 (Data Center and Server) are vulnerable (rating 9.8).
  • CVE-2023-22524: Bypass of the macOS Gatekeeper blocklist and protections in the Companion app for Confluence Server and Data Center on macOS. Affects all app versions prior to 2.0.0 (rating 9.6).
  • CVE-2022-1471: RCE in the SnakeYAML library, affecting multiple versions of Jira, Bitbucket and Confluence products (rating 9.8).

Atlassian has also provided a number of temporary mitigations for cases where the software cannot be updated immediately.

If the Asset Discovery agents cannot be removed temporarily to address CVE-2023-22523, Atlassian suggests blocking the port used for communication with the agents (51337 by default). There is no workaround for CVE-2023-22522, so if the patch cannot be applied immediately, Atlassian recommends that administrators back up the affected instances and take them offline. For CVE-2023-22524, the company recommends simply removing the Atlassian Companion App if the update cannot be installed.
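As an added example (not from the post or from Atlassian), a small Python triage helper that checks an inventory of instance versions against the affected ranges listed above; the product keys, host names and inventory are constructed, CVE-2022-1471 is left out because the post gives no concrete ranges for it, and the Confluence lower bound of 4.0.0 is treated as inclusive so that the check errs on the side of flagging.

```python
# Affected ranges as stated in the post: lower bound inclusive, upper bound exclusive.
# Product keys are constructed labels for this example, not Atlassian identifiers.
# CVE-2022-1471 (SnakeYAML) is omitted: the post gives no concrete version ranges for it.
AFFECTED = {
    "confluence-server":     ("CVE-2023-22522", (4, 0, 0), (8, 5, 3)),
    "asset-discovery-cloud": ("CVE-2023-22523", (0, 0, 0), (3, 2, 0)),
    "asset-discovery-dc":    ("CVE-2023-22523", (0, 0, 0), (6, 2, 0)),
    "companion-app-macos":   ("CVE-2023-22524", (0, 0, 0), (2, 0, 0)),
}

def parse_version(text):
    """Turn '8.5.2' into (8, 5, 2); missing parts count as 0, suffixes like '-beta' are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def affected_cves(product, version):
    """Return the CVE ids from the post that apply to this product/version ([] if none or unknown)."""
    entry = AFFECTED.get(product)
    if entry is None:
        return []
    cve, low, high = entry
    return [cve] if low <= parse_version(version) < high else []

def triage(inventory):
    """inventory: list of (hostname, product, version). Returns (hostname, cve) pairs still exposed."""
    findings = []
    for host, product, version in inventory:
        for cve in affected_cves(product, version):
            findings.append((host, cve))
    return findings

# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    ("wiki-01", "confluence-server", "8.5.2"),
    ("wiki-02", "confluence-server", "8.5.3"),
    ("agent-07", "asset-discovery-dc", "6.1.9"),
    ("laptop-mac-3", "companion-app-macos", "1.9.1"),
    ("wiki-legacy", "confluence-server", "3.5.0"),
]

if __name__ == "__main__":
    for host, cve in triage(SAMPLE_INVENTORY):
        print(f"{host}: still exposed to {cve}, patch or apply the workaround")
```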