What are the critical vulnerabilities addressed by Atlassian's recent updates?

Atlassian has issued updates for four critical vulnerabilities: CVE-2022-1471, a deserialization issue in the SnakeYAML library; CVE-2023-22522, a remote code execution flaw in Confluence Data Center and Server; CVE-2023-22523, affecting Assets Discovery for Jira Service Management; and CVE-2023-22524, a vulnerability in the Atlassian Companion app for macOS.

What versions of Atlassian products are affected by these vulnerabilities?

Affected Atlassian products include various versions of Confluence Data Center and Server, Jira Service Management Cloud and Data Center, the Atlassian Companion App for macOS, Automation for Jira Marketplace App, Bitbucket Data Center and Server, Confluence Cloud Migration App, and Jira Core and Software Data Center and Server.

What are the recommended versions to update to for fixing these vulnerabilities?

To fix these vulnerabilities, users should update to Confluence Data Center and Server 7.19.17 (LTS), 8.4.5, and 8.5.4 (LTS); Jira Service Management Cloud (Assets Discovery) 3.2.0 or later; Jira Service Management Data Center and Server (Assets Discovery) 6.2.0 or later; Atlassian Companion App for MacOS 2.0.0 or later; Automation for Jira (A4J) Marketplace App 9.0.2, and 8.2.4; Bitbucket Data Center and Server 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.15.0 (Data Center Only), and 8.16.0 (Data Center Only); Confluence Cloud Migration App (CCMA) 3.4.0; Jira Core Data Center and Server, Jira Software Data Center and Server 9.11.2, 9.12.0 (LTS), and 9.4.14 (LTS); and Jira Service Management Data Center and Server 5.11.2, 5.12.0 (LTS), and 5.4.14 (LTS).

Why is it urgent to patch these vulnerabilities in Atlassian products?

It is urgent to patch these vulnerabilities because many Atlassian products are accessible on the internet and have been used to attack various systems, including hacker platforms. The recent critical advisories by Atlassian highlight the need for immediate action.

Advisory

Atlassian fixes multiple critical vulnerabilities in their products

published: Dec. 6, 2023

Take action: Atlassian products are an extremely high risk at the moment, and these vulnerabilities are very exploitable. Expect a massive hacking campaign. Lock them down from the public internet, then patch IMMEDIATELY. If you can't patch them don't consider the firewall a sufficient protection. Backup the apps, then remove them from PCs and take the server systems offline.

Learn More

Atlassian has issued updates to rectify four critical vulnerabilities in its software that could lead to remote code execution if exploited. These vulnerabilities are as follows:

CVE-2022-1471 (CVSS score 9.8), is a deserialization issue in the SnakeYAML library affecting multiple products.
CVE-2023-22522 (CVSS score 9.0), is a remote code execution flaw in Confluence Data Center and Confluence Server, impacting versions 4.0.0 and later. This is a template injection vulnerability allowing attackers, even anonymously, to execute code via unsafe user input on a Confluence page.
CVE-2023-22523 (CVSS score 9.8), affects Assets Discovery for Jira Service Management Cloud, Server, and Data Center, relevant to all versions up to 3.2.0-cloud / 6.2.0 data center and server.
CVE-2023-22524 (CVSS score 9.6), is found in the Atlassian Companion app for macOS, impacting versions before 2.0.0. It enables attackers to circumvent security measures in macOS through WebSocket use.

To remediate the vulnerabilities, users are advised to update their software to the following versions:

Confluence Data Center and Server: Versions 7.19.17 (LTS), 8.4.5, and 8.5.4 (LTS).
Jira Service Management Cloud (Assets Discovery): Version 3.2.0 or higher, and Jira Service Management Data Center and Server (Assets Discovery): Version 6.2.0 or higher.
Atlassian Companion App for MacOS: Version 2.0.0 or higher.
Automation for Jira (A4J) Marketplace App: Versions 9.0.2, and 8.2.4.
Bitbucket Data Center and Server: Versions 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.15.0 (Data Center Only), and 8.16.0 (Data Center Only).
Confluence Cloud Migration App (CCMA): Version 3.4.0.
Jira Core Data Center and Server, Jira Software Data Center and Server: Versions 9.11.2, 9.12.0 (LTS), and 9.4.14 (LTS).
Jira Service Management Data Center and Server: Versions 5.11.2, 5.12.0 (LTS), and 5.4.14 (LTS).

This is another in a set of critical advisories by Atlassian, which need to be patched ASAP. A lot of Atlassian products are accessible on the internet to provide access for customers, and so far were used to attack various systems, including hacker platforms.

Atlassian fixes multiple critical vulnerabilities in their products

Read More
Critical unauthenticated SQL Injection flaw reported in on-premise …
Unpatched command Injection flaw reported in Trendnet TEW-713RE …
NVIDIA patches critical flaws in Triton AI Server
Critical remote code execution flaw in Ollama AI …
Critical authentication bypass vulnerability in AMI MegaRAC BMC …