Atlassian has recently addressed several critical vulnerabilities across its products: a deserialization flaw in the SnakeYAML library for Java that ships inside Confluence and Jira apps, remote code execution (RCE) flaws in Confluence, Jira Service Management's Assets Discovery and the Atlassian Companion app for macOS [1] [2] [3] [4], and a critical Apache ActiveMQ flaw that affects Bamboo [2]. All of them carry CVSS scores of 9.0 or higher and require immediate attention.

Description

CVE-2022-1471 is a deserialization flaw in SnakeYAML, a YAML parser for Java, for which Atlassian has published guidance [2] [3]. SnakeYAML's default constructor honours YAML global tags, so a document from an untrusted source can name an arbitrary class on the classpath to be instantiated, which can lead to remote code execution in any product that parses attacker-controlled YAML with the vulnerable library. Confluence instances running early versions of the Confluence Cloud Migration Assistant (CCMA) app may be affected because the app bundles the vulnerable SnakeYAML library [3]. The exposure comes from the app, not from Confluence itself: a Confluence instance on an unaffected version is still vulnerable if an impacted early CCMA version is installed [3], so checking the Confluence version alone is not enough. The vulnerable library is also used by all versions of the Automation for Jira (A4J) app, which is bundled in Jira Core, Jira Software and Jira Service Management [1] [2] [3] [4]; the mitigation is to upgrade A4J to a fixed version [3]. Bamboo is not vulnerable to CVE-2022-1471 [3].
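The following Java program is an added example, not code from Atlassian or from the SnakeYAML project; it shows the class of bug behind CVE-2022-1471 and the loader configuration that closes it. It assumes SnakeYAML 1.33 (the last 1.x release) on the classpath; the YAML document is constructed for the demo, and `java.io.File` is a benign stand-in for the classes a real exploit would name.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlTagDemo {

    // Constructed attacker-controlled document. The "!!" global tag names an
    // arbitrary class on the classpath; the sequence supplies constructor
    // arguments. java.io.File is a harmless stand-in for a real gadget class.
    static final String UNTRUSTED_YAML = "!!java.io.File [\"/tmp\"]";

    // Vulnerable pattern (CVE-2022-1471 class of bug): new Yaml() uses the
    // default Constructor, which resolves the tag to a class and instantiates
    // it through reflection, whatever class the document names.
    static Object loadUnsafe(String doc) {
        Yaml yaml = new Yaml();
        return yaml.load(doc);
    }

    // Hardened pattern: SafeConstructor only builds the standard YAML types
    // (maps, lists, scalars) and throws on application-specific global tags.
    static Object loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        // The document, not the application, decided which class was built.
        Object built = loadUnsafe(UNTRUSTED_YAML);
        System.out.println("unsafe load instantiated: " + built.getClass().getName());

        // The same document is rejected once the loader is restricted.
        try {
            loadSafe(UNTRUSTED_YAML);
            System.out.println("safe load unexpectedly succeeded");
        } catch (YAMLException e) {
            System.out.println("safe load rejected the document: " + e.getMessage());
        }
    }
}
```

With 1.33 the first call returns a `java.io.File` instance and the second throws, which is the whole vulnerability in miniature: any code path that passes attacker-influenced YAML to a default `Yaml` loader is exposed regardless of what the application later does with the result. SnakeYAML 2.0 and later change the default so that `new Yaml()` also refuses global tags unless a `TagInspector` explicitly allows them, which is why upgrading the bundled library (as the fixed A4J and CCMA versions do) removes the issue without application changes; an application that upgrades but then registers a permissive inspector reintroduces it.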

In addition to CVE-2022-1471, Atlassian has addressed three further critical vulnerabilities. CVE-2023-22522 is a template injection flaw in Confluence Data Center and Confluence Server that allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page and achieve remote code execution [1] [2] [4]. CVE-2023-22523 is a remote code execution flaw in Assets Discovery for Jira Service Management Cloud, Server and Data Center, affecting the path between the Assets Discovery app and its agent [1] [2] [3] [4]. CVE-2023-22524 is a remote code execution vulnerability in the Atlassian Companion app for macOS that can be exploited by using WebSockets to bypass the app's blocklist and macOS Gatekeeper protections [1] [2] [4].

Furthermore, a critical flaw in Apache ActiveMQ (CVE-2023-46604) affects Bamboo Data Center and Server, which embed the broker [2]. Atlassian has released patched versions and urges affected installations to update as soon as possible, since Atlassian products have been increasingly targeted in recent years [4]. All of these vulnerabilities are rated critical, with CVSS scores ranging from 9.0 to 10.0 [1]. Fixes are available [1], and administrators should update both the products and the bundled apps to the latest versions, since in the SnakeYAML case the vulnerable code ships with the app rather than the host product.

Conclusion

These critical vulnerabilities in Atlassian products pose significant risk to users, and the mitigation is the same in every case: upgrade the affected products and apps to fixed versions without delay. Leaving them unpatched exposes the systems to remote code execution and unauthorized access to sensitive information. As the targeting of Atlassian products continues to increase, administrators should stay vigilant, track the vendor's advisories and keep both host products and bundled apps up to date.

References

[1] https://ciso2ciso.com/atlassian-releases-critical-software-fixes-to-prevent-remote-code-execution-sourcethehackernews-com/
[2] https://thehackernews.com/2023/12/atlassian-releases-critical-software.html
[3] https://confluence.atlassian.com/kb/faq-for-cve-2022-1471-1295810798.html
[4] https://owasp.or.id/2023/12/06/atlassian-releases-critical-software-fixes-to-prevent-remote-code-execution/