Atlassian patches critical remote code execution vulnerabilities in multiple products

Atlassian has released urgent patches for several of its products to fix remote code execution and denial-of-service vulnerabilities. Flaws in Atlassian products have been exploited by hackers before, including shortly after a patch was released or even before a fix was available.

In October, Atlassian released an emergency fix for a broken access control issue (CVE-2023-22515) affecting on-premises versions of Confluence Server and Confluence Data Center that allowed unauthenticated attackers to create administrator accounts. The vulnerability was already being exploited in the wild as a zero-day when the company released the patch.

In early November, attackers started exploiting another critical improper authorization vulnerability (CVE-2023-22518) in Confluence Data Center and Server only a few days after the patch was released. Older Confluence flaws that were exploited as zero-days or n-days by multiple groups of attackers include CVE-2022-26134, CVE-2021-26084, and CVE-2019-3396. Customers are therefore urged to apply the newly released December patches as soon as possible.

Confluence template injection and deserialization flaws

One of the critical vulnerabilities patched last week allows authenticated attackers, including those with only anonymous access, to inject unsafe code into pages on affected instances of Confluence Data Center and Confluence Server. Atlassian catalogs this flaw (CVE-2023-22522) as a template injection issue and warns that it can lead to remote code execution on the server.

The flaw affects all versions of Confluence Data Center and Server starting with 4.0.0 as well as standalone versions of Confluence Data Center 8.6.0 and 8.6.1. Many of the affected versions have reached end-of-life and are no longer supported. The company advises users of Confluence Server to upgrade to version 7.19.17 (LTS), 8.4.5 or 8.5.4 (LTS) and Confluence Data Center users to upgrade to version 8.6.2 or 8.7.1. The vulnerability has no other mitigations, but Atlassian advises customers to back up their instance and remove it from the internet if they can’t patch immediately.

Another critical vulnerability patched last week stems from a Java deserialization issue inherited from a third-party parsing library called SnakeYAML. This vulnerability is tracked as CVE-2022-1471 and was patched in SnakeYAML a year ago. Since then, three other flaws, two high severity and one critical, have been reported in SnakeYAML.
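As an added illustration (not code from the article or from Atlassian), the following shows the SnakeYAML loading pattern behind CVE-2022-1471 next to a hardened loader that refuses class-naming tags; it assumes SnakeYAML 2.x on the classpath and uses a constructed YAML document.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoaderCheck {

    // Constructed sample input: a document whose global tag names an arbitrary JVM class.
    // The class chosen here is harmless; the point is that the document, not the
    // application, decides which class gets instantiated.
    static final String UNTRUSTED_DOC =
        "settings: !!java.util.LinkedHashMap {mode: audit}\n";

    // The pattern fixed by CVE-2022-1471: on SnakeYAML 1.x the no-arg Yaml() uses the
    // full Constructor, which resolves any !!global tag to a class and instantiates it.
    // SnakeYAML 2.x rejects global tags here by default; the method is kept only to show
    // the shape of code to look for when auditing a code base that still ships 1.x.
    static Object loadLegacyStyle(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened loader: SafeConstructor builds only standard YAML types (maps, lists,
    // scalars) and throws on any tag that names a Java class.
    static Map<String, Object> loadUntrusted(String doc) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);      // reject ambiguous documents outright
        opts.setMaxAliasesForCollections(50);   // cap alias expansion (alias-bomb style DoS)
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        try {
            loadUntrusted(UNTRUSTED_DOC);
            System.out.println("unexpected: global tag accepted");
        } catch (YAMLException e) {
            // SafeConstructor reports: could not determine a constructor for the tag ...
            System.out.println("rejected: " + e.getMessage());
        }
        // Plain documents without class tags still load normally.
        Map<String, Object> ok = loadUntrusted("settings: {mode: audit}\n");
        System.out.println("mode = " + ((Map<?, ?>) ok.get("settings")).get("mode"));
    }
}
```

When reviewing a dependency tree, the check that matters is whether any `new Yaml()` or `new Constructor(...)` call can receive input from outside the trust boundary while the resolved SnakeYAML version is still 1.x.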

It’s not clear why Atlassian is only publishing an advisory now, but the list of affected products is extensive. They include:

  • Automation for Jira app (including Server Lite edition)
  • Bitbucket Data Center
  • Bitbucket Server
  • Confluence Data Center
  • Confluence Server
  • Confluence Cloud Migration App
  • Jira Core Data Center
  • Jira Core Server
  • Jira Service Management Data Center
  • Jira Service Management Server
  • Jira Software Data Center
  • Jira Software Server

Some Jira deployments are only affected if a vulnerable version of the Automation for Jira (A4J) application is also installed. Meanwhile Confluence instances are affected if they run a vulnerable version of the Confluence Cloud Migration Assistant (CCMA) app. This app is installed by default. Atlassian provides more information about each affected product and the scenarios in which they are vulnerable in a FAQ document that accompanies the advisory.

Remote code execution in Jira companion apps

Another remote code execution flaw (CVE-2023-22523) was fixed in the Assets Discovery tool that can be used with Jira Service Management Cloud, Jira Service Management Server and Jira Service Management Data Center. Assets Discovery (formerly known as Insight Discovery) is a standalone tool that can be installed from the Atlassian Marketplace and is used to scan the local network for hardware and software assets and collect information about them.

Atlassian advises customers to uninstall the Assets Discovery agents, apply the Assets Discovery patch, and then reinstall the agents. For Jira Service Management Cloud, the company urges users to deploy Assets Discovery 3.2.0-cloud or later; for Jira Service Management Data Center and Server, Assets Discovery 6.2.0 or later.

A remote code execution flaw (CVE-2023-22524) was also patched in the Atlassian Companion App for macOS. This is a companion desktop application that allows Mac users to edit files locally on their computers before uploading them to Confluence instances. As such, the code execution risk for this flaw applies to the macOS machine itself, not the Confluence server. Users are advised to upgrade the application to version 2.0.0 or later.

Atlassian advisories for high-severity data leaks and denial-of-service issues

Today, Atlassian published a new round of security advisories covering eight high-severity flaws in multiple products. These issues can lead to data exposure and denial-of-service conditions and were patched in new product releases over the past month. Some stem from third-party libraries.

The publication of these issues, which were found through the company’s bug bounty program and internal pen-testing, marks a change in Atlassian’s vulnerability disclosure policy. Until now, the company only disclosed first-party critical-severity vulnerabilities, but this has been expanded to high-severity issues as well.

“While this change results in an increase of visibility and disclosures, it does not mean there are more vulnerabilities,” the company said. “Rather, that we are taking a more proactive approach to vulnerability transparency and are committed to providing our customers with the information they need to make informed decisions about updating our products.”

The eight high-severity issues are tracked as:

  • CVE-2020-25649 (Jira Software Data Center and Server)
  • CVE-2022-28366 (Jira Service Management Data Center and Server)
  • CVE-2022-29546 (Jira Service Management Data Center and Server)
  • CVE-2022-24839 (Jira Service Management Data Center and Server)
  • CVE-2023-44487 (Crowd Data Center and Server)
  • CVE-2021-31684 (Confluence Data Center and Server)
  • CVE-2023-3635 (Bitbucket Data Center and Server)
  • CVE-2023-5072 (Bamboo Data Center and Server)
