
WARNING: CRITICAL VULNERABILITIES IN MULTIPLE ATLASSIAN PRODUCT VERSIONS, RCE POSSIBLE. PATCH IMMEDIATELY!

Reference: Advisory #2023-147
Version: 1.0
Affected software: Multiple Atlassian product versions
Type: Deserialization flaw, template injection, WebSockets vulnerability, Assets Discovery vulnerability
CVE/CVSS:

CVE-2022-1471 (9.8 CRITICAL - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2023-22522 (9.0 CRITICAL - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVE-2023-22524 (9.6 CRITICAL - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVE-2023-22523 (9.8 CRITICAL - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Atlassian

Risks

On 06/12/2023, Atlassian published security advisories for critical vulnerabilities in multiple versions of its software products that can lead to remote code execution (RCE) when exploited by a malicious actor.

Compromise could have high impact on confidentiality, integrity and availability.

Vulnerability

Affected products

CVE-2022-1471 is a deserialization flaw in the SnakeYAML library for Java.

(Atlassian Cloud sites are not affected by this vulnerability according to Atlassian)

  • Automation for Jira app (including Server Lite edition)
  • Bitbucket Data Center
  • Bitbucket Server
  • Confluence Data Center
  • Confluence Server
  • Confluence Cloud Migration App
  • Jira Core Data Center
  • Jira Core Server
  • Jira Service Management Data Center
  • Jira Service Management Server
  • Jira Software Data Center
  • Jira Software Server
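Because CVE-2022-1471 sits in a library, any application that embeds SnakeYAML itself inherits the same exposure. The Java snippet below is an added example, not code from this advisory or from Atlassian; it assumes SnakeYAML 1.33 or 2.x on the classpath and shows the hardened loading pattern (SafeConstructor) together with constructed inputs it accepts and rejects.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlConfig {

    // Hardened loader: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars) and refuses any global "!!" tag, so a
    // document can never name a Java class for the parser to instantiate.
    static Yaml safeLoader() {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);    // fail loudly on ambiguous input
        options.setMaxAliasesForCollections(50); // bound alias expansion
        return new Yaml(new SafeConstructor(options));
    }

    @SuppressWarnings("unchecked")
    static Map<String, Object> loadConfig(String yamlText) {
        Object parsed = safeLoader().load(yamlText);
        if (!(parsed instanceof Map)) {
            throw new IllegalArgumentException("top-level YAML value must be a mapping");
        }
        return (Map<String, Object>) parsed;
    }

    public static void main(String[] args) {
        // Constructed sample input: ordinary configuration data loads normally.
        String benign = "server:\n  port: 8080\n  tls: true\n";
        System.out.println("benign -> " + loadConfig(benign));

        // Constructed sample input: a global tag naming a placeholder class.
        // The unhardened pattern `new Yaml()` on SnakeYAML 1.x resolves the
        // class named by such a tag (the root cause of CVE-2022-1471); the
        // safe loader rejects the tag with a ConstructorException instead.
        String tagged = "plugin: !!com.example.PlaceholderClass {}\n";
        try {
            loadConfig(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected -> " + e.getMessage());
        }
    }
}
```

Upgrading to SnakeYAML 2.0 or later makes the default `new Yaml()` loader refuse global tags as well; the explicit SafeConstructor remains the clearest way to state the intent in code.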

CVE-2023-22522 is a template injection vulnerability that allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page.

(Atlassian Cloud sites are not affected by this vulnerability according to Atlassian)

  • Confluence Data Center
  • Confluence Server

CVE-2023-22524 is a WebSockets vulnerability that allows an attacker to bypass the Atlassian Companion app's blocklist and macOS Gatekeeper.

(Confluence Data Center, Confluence Server, Atlassian Cloud sites and the Atlassian Companion App for Windows are not impacted by this vulnerability)

  • Atlassian Companion App for macOS (for Confluence Server and Confluence Data Center)

CVE-2023-22523 is a vulnerability between the Assets Discovery application and the Assets Discovery agent.

  • Assets Discovery (for Jira Service Management Cloud, Jira Service Management Server, and Jira Service Management Data Center)

Description

All vulnerabilities listed in this advisory are critical ones and can lead to remote code execution (RCE) on vulnerable systems when exploited.

Recommended Actions

Patches exist for all vulnerabilities.

Except for CVE-2023-22524 - for which the patch should be installed automatically during runtime - administrators of affected systems are advised to patch to the latest versions.

In the case of CVE-2023-22523, the Assets Discovery agent must be uninstalled and then re-installed after the patch has been applied to the Assets Discovery application.

The Centre for Cyber Security Belgium strongly recommends checking if all installed Atlassian product versions are listed in the fixed version lists available on the Atlassian support site.

Administrators are urged to take immediate action and upgrade to the latest software version where needed.

References

NIST