What security update has Atlassian released?

Atlassian has released a security update addressing twelve significant vulnerabilities discovered through their Bug Bounty program, penetration testing, and third-party library scans. This includes five critical-severity and seven high-severity issues across their product suite.

What are the most critical vulnerabilities addressed?

The critical vulnerabilities include CVE-2024-50379 (CVSS 9.8), CVE-2024-56337 (CVSS 9.8), and CVE-2024-52316 (CVSS 9.8), all affecting Apache Tomcat Catalina in various Atlassian products. These vulnerabilities involve Remote Code Execution and Broken Authentication & Session Management issues.

What are the high-severity vulnerabilities fixed?

High-severity fixes include CVE-2024-7254 (CVSS 8.7) in Google Protobuf Java, CVE-2024-47072 (CVSS 7.5) in XStream, CVE-2024-47561 (CVSS 7.3) in Apache Avro, and CVE-2022-25927 (CVSS 7.5) in ua-parser.js, affecting various Atlassian products.

What are the patched versions released by Atlassian?

Atlassian has released the following patched versions: Bamboo 10.2.1 (LTS) for Data Center, Bitbucket 8.19.11 to 8.19.15 (LTS) for Data Center, Confluence 9.2.1 (LTS) for Data Center, Crowd 6.2.2 for Data Center, and Jira 9.12.15 (LTS).

Advisory

Atlassian patches multple products, fixes critical dependency flaws in Confluence and Crowd

published: Feb. 21, 2025

Take action: If you are running self-hosted Atlassian Confluence or Crowd, plan a quick update. The products carry critical flaw in the underlying Tomcat, and if they are exposed on the internet they will be hacked. Previous Confluence flaws have already been used as an attack vector multiple times - even to hack a hacker group.

Learn More

Atlassian has released a security update addressing multiple critical and high-severity vulnerabilities across their product suite. The update covers twelve significant vulnerabilities, including five critical-severity and seven high-severity issues discovered through their Bug Bounty program, penetration testing processes, and third-party library scans.

Critical Vulnerabilities:

CVE-2024-50379 (CVSS score 9.8) - Remote Code Execution vulnerability in Apache Tomcat Catalina, affecting Confluence and Crowd Data Center and Server
CVE-2024-56337 (CVSS score 9.8) - Remote Code Execution vulnerability in Apache Tomcat Catalina, affecting Confluence and Crowd Data Center and Server
CVE-2024-52316 (CVSS score 9.8) - Broken Authentication & Session Management vulnerability in Apache Tomcat Catalina, affecting Crowd Data Center and Server

High Severity Vulnerabilities:

CVE-2024-7254 (CVSS score 8.7) - Denial of Service vulnerability in Google Protobuf Java affecting Bamboo and Jira Data Center and Server
CVE-2024-47072 (CVSS score 7.5) - Denial of Service vulnerability in XStream affecting Bamboo Data Center and Server
CVE-2024-47561 (CVSS score 7.3) - Remote Code Execution vulnerability in Apache Avro affecting Bitbucket Data Center and Server
CVE-2022-25927 (CVSS score 7.5) - Denial of Service vulnerability in ua-parser.js affecting Crowd Data Center

Atlassian has released patched versions for all affected products:

Bamboo: 10.2.1 (LTS) for Data Center
Bitbucket: 8.19.11 to 8.19.15 (LTS) for Data Center
Confluence: 9.2.1 (LTS) for Data Center
Crowd: 6.2.2 for Data Center
Jira: 9.12.15 (LTS)

Atlassian strongly recommends users upgrade to the latest versions of their products to address these vulnerabilities.

Atlassian patches multple products, fixes critical dependency flaws in Confluence and Crowd

Read More
Amazon Q developer extension for VS Code compromised, …
Vulnerabilities reported in Cacti framework, one critical remote …
Hackers are exploiting the public PoC to hack …
Critical vulnerability reported in Jinjava template engine, enables …
Intel patch release fixes over 100 issues including …