Atlassian recently published details of fixes for four critical remote code execution (RCE) vulnerabilities affecting Confluence, Jira, and Bitbucket servers, as well as the Companion application for macOS.
The security issues were rated critical, scoring at least 9.0 out of 10 on Atlassian's internal scale. However, the company advises organizations to assess how severely they are exposed based on their own IT environment.
Currently, none of the vulnerabilities are known to have been exploited by attackers. Nevertheless, given how widely Atlassian products are deployed in corporate environments, system administrators should prioritize updating affected systems promptly.
The following are the remote code execution vulnerabilities fixed by Atlassian this month:
- CVE-2023-22522: A template injection vulnerability in Confluence that allows authenticated users (including anonymous users) to inject unsafe data into Confluence pages. It affects all versions of Confluence Data Center and Server after 4.0.0 up to 8.5.3 (rated 9.0).
- CVE-2023-22524: A bypass of macOS Gatekeeper blocking and protection in the Companion application for Confluence Server and Data Center on macOS. It affects all versions of the application up to 2.0.0.
- CVE-2022-1471: An RCE vulnerability in the SnakeYAML library, affecting multiple versions of Jira, Bitbucket, and Confluence products.
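To turn the version ranges listed above into a quick patch-triage check, here is an added example (not Atlassian's tooling) that flags inventory entries falling inside the stated ranges. The inventory hostnames and versions are constructed, and the range boundaries are an assumption: "after 4.0.0 until 8.5.3" is read as 4.0.0 < v <= 8.5.3, and "up to 2.0.0" as v <= 2.0.0.

```python
from typing import Dict, List, Optional, Tuple

# Affected ranges as stated in the advisory summary above.
# Tuple layout: (product, cve, lower bound exclusive or None, upper bound inclusive).
# Inclusive/exclusive reading of the bounds is an assumption, not Atlassian's wording.
AFFECTED: List[Tuple[str, str, Optional[str], str]] = [
    ("confluence", "CVE-2023-22522", "4.0.0", "8.5.3"),
    ("companion", "CVE-2023-22524", None, "2.0.0"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '8.5.3' into (8, 5, 3); short versions are padded so '2.0' == '2.0.0'."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVEs from AFFECTED whose range contains this product version."""
    v = parse_version(version)
    hits = []
    for prod, cve, low, high in AFFECTED:
        if prod != product.lower():
            continue
        above_low = low is None or v > parse_version(low)
        below_high = v <= parse_version(high)
        if above_low and below_high:
            hits.append(cve)
    return hits


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each (hostname, product, version) entry to the CVEs it is exposed to."""
    return {host: affected_cves(prod, ver) for host, prod, ver in inventory}


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("wiki-prod-01", "confluence", "8.5.3"),   # top of the stated range: affected
    ("wiki-legacy", "confluence", "7.19.2"),   # inside the range: affected
    ("wiki-newer", "confluence", "8.5.4"),     # above the stated range: not flagged
    ("wiki-ancient", "confluence", "4.0.0"),   # at the exclusive lower bound: not flagged
    ("laptop-42", "companion", "1.2.0"),       # Companion app below 2.0.0: affected
    ("laptop-43", "companion", "2.0.1"),       # above the stated range: not flagged
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = "PATCH: " + ", ".join(cves) if cves else "outside listed ranges"
        print(f"{host}: {status}")
```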
Atlassian has also provided temporary mitigations for cases where immediate software updates are not possible.
For CVE-2023-22523, where temporarily removing Asset Discovery agents is not feasible, Atlassian suggests blocking the port used to communicate with the agents (port 51337 by default). For CVE-2023-22522, if it is not possible to immediately apply a patch