Yesterday evening brought news from Atlassian, who announced the discovery of four new CVEs impacting a wide array of their tools. This update, while adding to the growing list of CVEs, is notable for the extensive range of affected products.

This discussion will focus on understanding these CVEs, evaluating their potential impact, and outlining proactive measures to safeguard your systems.

CVE disclosures themselves are routine; what stands out this time is the breadth of products they affect.

What’s the Problem? Atlassian CVE Mitigation:

Atlassian’s notification about four new CVEs impacting their range of products, including Bitbucket, Confluence, and Jira, has put users on high alert. These CVEs allow for Remote Code Execution (RCE), meaning attackers can potentially control affected systems remotely, leading to serious security breaches.

  1. CVE-2022-1471: Found in the SnakeYaml library, this CVE allows attackers to execute code remotely by exploiting the deserialization process.
  2. CVE-2023-22522: A vulnerability specific to Confluence, enabling unauthorized remote code execution.
  3. CVE-2023-22523: Related to Assets Discovery, this CVE allows attackers to exploit the system without needing user interaction.
  4. CVE-2023-22524: Affects the Atlassian Companion App for MacOS, enabling attackers to run malicious code on the system.

Upgrading to the safe versions is crucial to protect your systems from potential exploits arising from these vulnerabilities. Users are advised to plan and execute these upgrades as soon as possible, following best practices for software updates and security patches.

Here are the impacted and safe versions by product:

Bitbucket Data Center & Server:

Status   | Versions
Impacted | 7.20-7.17, 7.21.15 and below, 8.7-8.0, 8.8.6-8.8.0, 8.9.3-8.9.0, 8.10.3-8.10.0, 8.11.2-8.11.0, 8.12.0
Safe     | 7.21.16, 8.8.7, 8.9.4, 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.15.0, 8.16.0

Confluence Data Center & Server:

Status   | Versions
Impacted | 6.13.x-6.15.x, 7.0.x-7.12.x, 7.13.0-7.13.17, 7.14.x-7.18.x, 7.19.0-7.19.9, 7.20.x, 8.0.x-8.2.x, 8.3.0
Safe     | 7.19.17 (LTS), 8.4.5, 8.5.4 (LTS), 8.6.2, 8.7.1

Jira Core & Software Data Center and Server:

Status   | Versions
Impacted | 9.4.0-9.4.12, 9.5.x-9.10.x, 9.11.0, 9.11.1
Safe     | 9.11.2, 9.12.0 (LTS), 9.4.14 (LTS)

Jira Service Management Data Center and Server:

Status   | Versions
Impacted | 5.4.0-5.4.12, 5.5.x-5.10.x, 5.11.0, 5.11.1
Safe     | 5.11.2, 5.12.0 (LTS), 5.4.14 (LTS)

Automation for Jira:

Status   | Versions
Impacted | 9.0.1, 9.0.0, <= 8.2.2
Safe     | 8.2.4, 9.0.2, 9.0.3, 9.0.4

Confluence Cloud Migration App:

Status   | Versions
Impacted | < 3.4.0
Safe     | 3.4.0 or later

Assets Discovery (Jira Service Management):

Status   | Versions
Impacted | Insight Discovery 1.0-3.1.7, Assets Discovery 3.1.9-3.1.11, Assets Discovery 6.0.0-6.1.14, 6.1.14-jira-dc-8
Safe     | Assets Discovery 6.2.0 or later

Atlassian Companion App for MacOS:

Status   | Versions
Impacted | < 2.0.0
Safe     | 2.0.0 or later

What do you need to do?

Fixes are already available for these issues, although not yet for every CVE. It is crucial to apply these updates to your systems as soon as possible.

For the CVE-2022-1471 vulnerability, which affects multiple Atlassian Data Center and Server products due to a flaw in the SnakeYAML library, the primary mitigation is upgrading to a safe version. Atlassian Cloud sites are not affected by this vulnerability. The safe versions vary depending on the specific product.

For example:

  • Automation for Jira (A4J) and Server Lite Marketplace App should be patched to version 9.0.2 or 8.2.4 or later.
  • Bitbucket Data Center and Server should be upgraded to versions like 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), etc.
  • Confluence Data Center and Server should be patched to versions such as 7.19.17 (LTS), 8.4.5, 8.5.4 (LTS), and higher.
  • For the Confluence Cloud Migration App (CCMA), patch to version 3.4.0 or later.
  • Jira Core and Jira Software Data Center and Server should be updated to versions like 9.11.2 or later. If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).
  • Jira Service Management Data Center and Server requires an update to versions such as 5.11.2 or later. If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).
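To turn the version tables above into a repeatable check, here is an added example (not Atlassian's own tooling) that classifies a deployed version as impacted, safe or not listed; the entries are copied from the Bitbucket, Jira Software and Automation for Jira tables, while the spec-string grammar and product keys are assumptions of this example.

```python
# Added example (not Atlassian's tooling): classify a deployed version against the
# impacted/safe ranges listed in the advisory tables above for CVE-2022-1471.
# Spec forms used: 'a-b' ranges (either order, 'x' wildcards), '<= v', '< v', or exact.
IMPACTED = {
    "Bitbucket": ["7.20-7.17", "<= 7.21.15", "8.7-8.0", "8.8.6-8.8.0", "8.9.3-8.9.0",
                  "8.10.3-8.10.0", "8.11.2-8.11.0", "8.12.0"],
    "Jira Software": ["9.4.0-9.4.12", "9.5.x-9.10.x", "9.11.0", "9.11.1"],
    "Automation for Jira": ["9.0.1", "9.0.0", "<= 8.2.2"],
}
SAFE = {
    "Bitbucket": ["7.21.16", "8.8.7", "8.9.4", "8.10.4", "8.11.3", "8.12.1",
                  "8.13.0", "8.14.0", "8.15.0", "8.16.0"],
    "Jira Software": ["9.11.2", "9.12.0", "9.4.14"],
    "Automation for Jira": ["8.2.4", "9.0.2", "9.0.3", "9.0.4"],
}

def parse(v: str) -> tuple:
    """'7.21.15' -> (7, 21, 15). A trailing 'x' wildcard is dropped, so '9.5.x'
    becomes the prefix (9, 5) and is compared against that many components only."""
    return tuple(int(p) for p in v.strip().lower().split(".") if p != "x")

def in_range(version: str, spec: str) -> bool:
    """True when `version` falls inside one spec entry from the tables."""
    v, spec = parse(version), spec.strip()
    if spec.startswith("<="):
        return v <= parse(spec[2:])
    if spec.startswith("<"):
        return v < parse(spec[1:])
    if "-" in spec:  # the tables list some ranges high-to-low, so sort the bounds
        lo, hi = sorted(parse(s) for s in spec.split("-"))
        return v[:len(lo)] >= lo and v[:len(hi)] <= hi
    exact = parse(spec)
    return v[:len(exact)] == exact  # prefix match handles '7.20.x'-style entries

def assess(product: str, version: str) -> str:
    """'impacted' if any impacted spec matches, 'safe' if a listed fixed version,
    otherwise 'unknown' (not in the tables: check the vendor advisory directly)."""
    if any(in_range(version, s) for s in IMPACTED[product]):
        return "impacted"
    if any(in_range(version, s) for s in SAFE[product]):
        return "safe"
    return "unknown"

if __name__ == "__main__":
    for product, version in [("Bitbucket", "8.10.2"), ("Bitbucket", "8.10.4"),
                             ("Jira Software", "9.7.1"), ("Automation for Jira", "8.1.0")]:
        print(f"{product} {version}: {assess(product, version)}")
```

An 'unknown' result is a prompt to consult the advisory, not a clean bill of health.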

Temporary mitigation: until you can patch or upgrade the affected systems, restrict internet access to the affected platforms.

You should always refer to Atlassian’s official documentation and advisories for the most accurate and detailed information about these vulnerabilities and the required actions. Remember, while patching, it’s advisable to first test the updates in a non-production environment to ensure compatibility and prevent any disruptions.

Staying vigilant and proactive in Atlassian CVE mitigation is key to ensuring the security and integrity of your systems. By regularly updating to the latest safe versions and following the recommended security practices, you can effectively safeguard your Atlassian tools against these critical vulnerabilities.

For those seeking clarity on the specific versions required for upgrading, it is advisable to consult Atlassian Support. Their team can provide expert guidance and assist in determining the appropriate version updates for your systems.
