RCE Vulnerabilities Identified in Multiple Atlassian Products

Posted on 12.06.2023
Written by Micah Walstein

Summary of this issue

Atlassian has recently identified four critical vulnerabilities affecting users of the products listed below. Each of these vulnerabilities has been assigned a critical CVSS score of 9.0 or higher, indicating their severity. It is of utmost importance that customers promptly take action to secure their instances against potential threats.

We recommend you thoroughly examine all Critical Security Advisories relevant to your Atlassian product(s). This review will help verify affected versions and provide essential instructions for safeguarding your systems. Your immediate attention to this matter is highly appreciated to ensure the security of your environment.

These vulnerabilities were discovered via an internal security review at Atlassian as part of ongoing continuous security assessments.

Products Impacted

Bitbucket Data Center and Server

  • CVE-2022-1471 – SnakeYAML library remote code execution (RCE) vulnerability impacts multiple products
Impacted versions:
7.17.x, 7.18.x, 7.19.x, 7.20.x, 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.21.8, 7.21.9, 7.21.10, 7.21.11, 7.21.12, 7.21.13, 7.21.14, 7.21.15, 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x, 8.6.x, 8.7.x, 8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.8.5, 8.8.6, 8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.10.0, 8.10.1, 8.10.2, 8.10.3, 8.11.0, 8.11.1, 8.11.2, 8.12.0
Recommended action: patch to the following fixed versions or later:
7.21.16 (LTS), 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.8.7, 8.9.4 (LTS)

There are no mitigations available for this vulnerability. Upgrading immediately is highly recommended.
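To turn the Bitbucket table above into a quick self-check, here is an added example (not Atlassian's or the post's own code) that classifies an installed Bitbucket Data Center/Server version as affected by CVE-2022-1471, fixed, or not named in the advisory; the version lists are copied from the table, and the same approach applies to the other product tables on this page.

```python
# Added example (not Atlassian's or the post's own code): classify an
# installed Bitbucket Data Center/Server version against the CVE-2022-1471
# affected and fixed versions listed in the table above.
from typing import Tuple

# Affected versions as published; ".x" entries cover an entire minor line.
AFFECTED = [
    "7.17.x", "7.18.x", "7.19.x", "7.20.x",
    *[f"7.21.{n}" for n in range(16)],            # 7.21.0 - 7.21.15
    "8.0.x", "8.1.x", "8.2.x", "8.3.x", "8.4.x", "8.5.x", "8.6.x", "8.7.x",
    *[f"8.8.{n}" for n in range(7)],              # 8.8.0 - 8.8.6
    *[f"8.9.{n}" for n in range(4)],              # 8.9.0 - 8.9.3
    *[f"8.10.{n}" for n in range(4)],             # 8.10.0 - 8.10.3
    *[f"8.11.{n}" for n in range(3)],             # 8.11.0 - 8.11.2
    "8.12.0",
]
FIXED = ["7.21.16", "8.8.7", "8.9.4", "8.10.4", "8.11.3", "8.12.1", "8.13.0"]


def parse(version: str) -> Tuple[int, ...]:
    """'8.10.4' -> (8, 10, 4); a trailing label such as '(LTS)' is ignored."""
    return tuple(int(p) for p in version.split()[0].split("."))


def matches(installed: str, pattern: str) -> bool:
    """True if installed equals pattern, or lies on its '.x' minor line."""
    parts = pattern.split(".")
    inst = parse(installed)
    if parts[-1] == "x":
        prefix = tuple(int(p) for p in parts[:-1])
        return inst[: len(prefix)] == prefix
    return inst == parse(pattern)


def status(installed: str) -> str:
    """'affected', 'fixed', or 'not listed' (a version the advisory omits)."""
    if any(matches(installed, p) for p in AFFECTED):
        return "affected"
    inst = parse(installed)
    fixed = [parse(f) for f in FIXED]
    # At or after the fixed release on the same minor line, or on a newer line
    # than the newest fixed release, counts as "fixed versions or later".
    if any(inst[:2] == f[:2] and inst >= f for f in fixed) or inst > max(fixed):
        return "fixed"
    return "not listed"


if __name__ == "__main__":
    for v in ("8.12.0", "8.12.1", "7.21.16", "8.3.2", "7.16.0"):
        print(v, status(v))
```

A "not listed" result only means the advisory does not name that version; treat it as a prompt to check the Atlassian advisory directly, not as a safe verdict.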

Confluence Data Center and Server

  • CVE-2023-22522 – RCE vulnerability in Confluence Data Center and Server
  • CVE-2022-1471 – SnakeYAML library RCE vulnerability impacts multiple products
  • CVE-2023-22524 – RCE vulnerability in Atlassian Companion App for MacOS (including former customers)
Impacted versions:
6.13.x, 6.14.x, 6.15.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x, 7.7.x, 7.8.x, 7.9.x, 7.10.x, 7.11.x, 7.12.x, 7.13.0, 7.13.1, 7.13.2, 7.13.3, 7.13.4, 7.13.5, 7.13.6, 7.13.7, 7.13.8, 7.13.9, 7.13.10, 7.13.11, 7.13.12, 7.13.13, 7.13.14, 7.13.15, 7.13.16, 7.13.17, 7.14.x, 7.15.x, 7.16.x, 7.17.x, 7.18.x, 7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 7.19.6, 7.19.7, 7.19.8, 7.19.9, 7.20.x, 8.0.x, 8.1.x, 8.2.x, 8.3.0
Recommended action: patch to the following fixed versions or later:
7.19.17 (LTS), 8.4.5, 8.5.4 (LTS), 8.6.2, 8.7.0

There are no mitigations available for this vulnerability. Upgrading immediately is highly recommended.

Atlassian Companion App for MacOS

  • CVE-2023-22524 – RCE vulnerability in Atlassian Companion App for MacOS (including former customers)
Impacted versions:
All versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability.
Recommended action: patch to the following fixed version or later:
2.0.0

If you are not a current Confluence Data Center and Server customer, please take action to uninstall the Atlassian Companion App.

Jira Service Management, Jira Software, Jira Core Data Center and Server

  • CVE-2022-1471 – SnakeYAML library remote code execution (RCE) vulnerability impacts multiple products
Jira Service Management
  Impacted versions: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.4.12, 5.5.x, 5.6.x, 5.7.x, 5.8.x, 5.9.x, 5.10.x, 5.11.0, 5.11.1
  Recommended action: patch to the following fixed versions or later: 5.11.2, 5.12.0 (LTS), 5.4.13 (LTS)
Jira Software and Jira Core
  Impacted versions: 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.4.10, 9.4.11, 9.4.12, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.x, 9.10.x, 9.11.0, 9.11.1
  Recommended action: patch to the following fixed versions or later: 9.11.2, 9.12.0 (LTS), 9.4.13 (LTS)

If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).

Jira Service Management Assets Discovery

Jira Service Management Cloud Assets Discovery
  Impacted versions: Insight Discovery 1.0 – 3.1.3; Assets Discovery 3.1.4 – 3.1.7; Assets Discovery 3.1.8-cloud – 3.1.11-cloud
  Recommended action: patch to the following fixed versions or later: Assets Discovery 3.2.0-cloud
Jira Service Management DC/Server Assets Discovery
  Impacted versions: Insight Discovery 1.0 – 3.1.7; Assets Discovery 3.1.9 – 3.1.11; Assets Discovery 6.0.0 – 6.1.14, 6.1.14-jira-dc-8
  Recommended action: patch to the following fixed versions or later: Assets Discovery 6.2.9

Automation for Jira (A4J)

  • CVE-2022-1471 – SnakeYAML library remote code execution (RCE) vulnerability impacts multiple products
Impacted versions:
9.0.1, 9.0.0, <=8.2.2
Recommended action: patch to the following fixed version or later:
9.0.2, 8.2.4

Upgrade via the Universal Plugin Manager (UPM).

How to avoid future risks?

1. Migrate to Atlassian Cloud

At the beginning of 2021, Atlassian announced their journey to cloud, showing their dedication to the Cloud products and services. Even though they will be decommissioning their Server offering, their Data Center platform will continue to be supported. There are many considerations to take into account before deciding to migrate to Atlassian Cloud, but it is certainly worth considering, as it is clear that Atlassian is focusing their efforts towards the Cloud.

2. Stay Up To Date

Staying on the most recent version continues to be the best strategy. With stability, it can be easy to end up just staying with what works and getting out of date. For Oxalis customers on the Data Center versions of Atlassian products, we perform regular updates including emergency patching to address vulnerabilities.

3. Build Security At Depth

While implementing zero trust architectures can be challenging, choosing architectural patterns that allow for isolation and segmentation of infrastructure components both reduces the blast radius and limits exploitation.

We’re Here To Help

If you require assistance in determining your exposure to these vulnerabilities, our award-winning team is available to provide support. Oxalis, comprising technology consultants and product leaders operating in highly compliant sectors, prioritizes security as a fundamental aspect of our operations. Our commitment to security goes beyond just reacting to vulnerabilities; it’s an integral part of our firm’s ethos.

Get the conversation started!

Feel free to send us a message in the form below. We’re very approachable and would like to talk more about how we can meet your needs: