Atlassian Patches Critical Vulnerabilities in Multiple Products (CVE-2022-1471, CVE-2023-22522, CVE-2023-22523, & CVE-2023-22524)

Qualys Security Advisory

Atlassian has released security updates to address four critical vulnerabilities tracked as CVE-2022-1471, CVE-2023-22522, CVE-2023-22523, and CVE-2023-22524. On successful exploitation, all four vulnerabilities allow remote code execution. The affected products include Confluence, Jira, and Bitbucket Data Center and Server, as well as the Atlassian Companion App for macOS.

Atlassian has not reported active exploitation of any of the four vulnerabilities.

Vulnerability Details

CVE-2023-22522: Confluence Data Center and Confluence Server Remote Code Execution Vulnerability

The vulnerability has a CVSS score of 9.0. An authenticated attacker, including one with anonymous access, can inject unauthorized user input into a Confluence page through a template injection vulnerability. Successful exploitation may allow the attacker to achieve remote code execution on the target instance.

CVE-2023-22523: Assets Discovery Remote Code Execution Vulnerability

The vulnerability has a CVSS score of 9.8. It exists in the communication between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. Assets Discovery is a stand-alone network scanning tool that works with Jira Service Management Cloud, Data Center, or Server and can be downloaded from the Atlassian Marketplace. It can also be used without an agent.

Successful exploitation of the vulnerability may allow an attacker to perform privileged Remote Code Execution on instances with the Assets Discovery agent installed.

CVE-2023-22524: Atlassian Companion App for macOS Remote Code Execution Vulnerability

The vulnerability has a CVSS score of 9.6. An attacker may use WebSockets to bypass Atlassian Companion's blocklist and macOS Gatekeeper and achieve code execution. The Atlassian Companion App is an optional desktop application that enhances the file editing experience in Confluence Data Center and Server. It lets users edit attachments in their preferred desktop application and automatically saves the edited files back to their Confluence instance.

CVE-2022-1471: SnakeYAML Library Remote Code Execution Vulnerability

The vulnerability has a CVSS score of 9.8. A deserialization flaw in the SnakeYAML library for Java may allow an attacker to achieve remote code execution on target instances. The SnakeYAML library is used in several Atlassian Data Center and Server products, including Bitbucket, Confluence, Jira Core, Jira Software, and Jira Service Management, as well as the Confluence Cloud Migration App and the Automation for Jira Marketplace apps.
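The root cause of CVE-2022-1471 is that SnakeYAML's default Constructor honours global tags in the input document, letting the YAML itself name the Java class to instantiate. The example below is added here for illustration and is not code from Qualys, Atlassian or the SnakeYAML project; it assumes the SnakeYAML 1.33+/2.x API (SafeConstructor taking a LoaderOptions), and both YAML documents and the class name in the tag are constructed placeholders. It shows the hardened pattern an application that parses untrusted YAML should use: SafeConstructor builds only standard YAML types and rejects every global tag, so the parser can no longer be steered to an arbitrary class.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoader {

    // Constructed sample input: the plain configuration document an
    // application legitimately expects (maps, scalars, sequences only).
    static final String TRUSTED_SHAPE =
            "name: build-agent\n" +
            "retries: 3\n" +
            "tags: [ci, linux]\n";

    // Constructed sample input: a document carrying a global (!!) tag that asks
    // the parser to instantiate a JVM class. Input of this shape is what the
    // default Constructor in SnakeYAML < 2.0 acts on (CVE-2022-1471). The class
    // name here is a placeholder that does not exist, not a real gadget.
    static final String TAGGED_SHAPE =
            "!!com.example.placeholder.SomeClass\n" +
            "field: value\n";

    // Hardened loader. SafeConstructor knows only the standard YAML tags, so
    // YAML cannot select a Java class; the LoaderOptions also fail closed on
    // duplicate keys and bound alias expansion (billion-laughs style input).
    static Yaml safeYaml() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);
        opts.setMaxAliasesForCollections(50);
        return new Yaml(new SafeConstructor(opts));
    }

    // Returns the parsed document as a map, or null if the parser refused it.
    static Map<String, Object> loadConfig(String document) {
        try {
            @SuppressWarnings("unchecked")
            Map<String, Object> parsed = safeYaml().load(document);
            return parsed;
        } catch (YAMLException e) {
            // SafeConstructor raises ConstructorException (a YAMLException)
            // for any tag it does not know, including every !!java.class tag.
            System.err.println("rejected document: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = loadConfig(TRUSTED_SHAPE);
        System.out.println("loaded: " + cfg);

        Map<String, Object> bad = loadConfig(TAGGED_SHAPE);
        System.out.println("tagged document accepted? " + (bad != null));
    }
}
```

The same rule applies to Yaml.loadAs and to the Constructor subclasses: only a loader whose constructor set is closed (SafeConstructor, or a Constructor restricted to explicitly allowed types) should ever see YAML that crosses a trust boundary, and upgrading the bundled SnakeYAML to 2.x, where global tags are refused unless explicitly allowed, removes the default-unsafe behaviour library-wide.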

Affected Products & Versions

CVE-2023-22522:

  • Confluence Data Center and Server: 4.x.x, 5.x.x, 6.x.x, 7.x.x, 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.5.0, 8.5.1, 8.5.2, 8.5.3
  • Confluence Data Center: 8.6.0, 8.6.1

CVE-2023-22523:

Jira Service Management Cloud:

  • Insight Discovery 1.0 – 3.1.3
  • Assets Discovery 3.1.4 – 3.1.7
  • Assets Discovery 3.1.8-cloud – 3.1.11-cloud

Jira Service Management Data Center and Server:

  • Insight Discovery 1.0 – 3.1.7
  • Assets Discovery 3.1.9 – 3.1.11
  • Assets Discovery 6.0.0 – 6.1.14, 6.1.14-jira-dc-8

CVE-2023-22524:

Atlassian Companion App for macOS:

All versions up to but not including 2.0.0

CVE-2022-1471:

Automation for Jira (A4J) Marketplace App and Automation for Jira (A4J) – Server Lite Marketplace App:

  • 9.0.1
  • 9.0.0
  • <= 8.2.2

Bitbucket Data Center and Server:

7.17.x, 7.18.x, 7.19.x, 7.20.x, 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.21.8, 7.21.9, 7.21.10, 7.21.11, 7.21.12, 7.21.13, 7.21.14, 7.21.15, 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x, 8.6.x, 8.7.x, 8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.8.5, 8.8.6, 8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.10.0, 8.10.1, 8.10.2, 8.10.3, 8.11.0, 8.11.1, 8.11.2, 8.12.0

Confluence Data Center and Server:

6.13.x, 6.14.x, 6.15.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x, 7.7.x, 7.8.x, 7.9.x, 7.10.x, 7.11.x, 7.12.x, 7.13.0, 7.13.1, 7.13.2, 7.13.3, 7.13.4, 7.13.5, 7.13.6, 7.13.7, 7.13.8, 7.13.9, 7.13.10, 7.13.11, 7.13.12, 7.13.13, 7.13.14, 7.13.15, 7.13.16, 7.13.17, 7.14.x, 7.15.x, 7.16.x, 7.17.x, 7.18.x, 7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 7.19.6, 7.19.7, 7.19.8, 7.19.9, 7.20.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.0

Confluence Cloud Migration App (CCMA):

Plugin versions lower than 3.4.0

Jira Core Data Center and Server and Jira Software Data Center and Server:

9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.4.10, 9.4.11, 9.4.12, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.x, 9.10.x, 9.11.0, and 9.11.1

Jira Service Management Data Center and Server:

5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.4.12, 5.5.x, 5.6.x, 5.7.x, 5.8.x, 5.9.x, 5.10.x, 5.11.0, 5.11.1

Mitigation

CVE-2023-22522:

Confluence Data Center and Server:

  • 7.19.17 (LTS)
  • 8.4.5
  • 8.5.4 (LTS)

Confluence Data Center:

  • 8.6.2 or later (Data Center Only)
  • 8.7.1 or later (Data Center Only)

Please refer to CONFSERVER-93502 for more information.

CVE-2023-22523:

Jira Service Management Cloud:

  • Assets Discovery 3.2.0-cloud or later

Jira Service Management Data Center and Server:

  • Assets Discovery 6.2.0 or later

Please refer to JSDSERVER-14925 for more information.

CVE-2023-22524:

Atlassian Companion App for macOS:

  • 2.0.0 or later

Please refer to CONFSERVER-93518 for more information.

CVE-2022-1471:

Automation for Jira (A4J) Marketplace App and Automation for Jira (A4J) – Server Lite Marketplace App:

  • 9.0.2
  • 8.2.4

Bitbucket Data Center and Server:

  • 7.21.16 (LTS)
  • 8.8.7
  • 8.9.4 (LTS)
  • 8.10.4
  • 8.11.3
  • 8.12.1
  • 8.13.0
  • 8.14.0
  • 8.15.0 (Data Center Only)
  • 8.16.0 (Data Center Only)

Confluence Cloud Migration App (CCMA):

  • 3.4.0

Jira Core Data Center and Server and Jira Software Data Center and Server:

  • 9.11.2
  • 9.12.0 (LTS)
  • 9.4.14 (LTS)

Jira Service Management Data Center and Server:

  • 5.11.2
  • 5.12.0 (LTS)
  • 5.4.14 (LTS)

Please refer to the Atlassian Security Advisory for more information.

Qualys Detection

Qualys customers can scan their devices with QID 730999 to detect assets that are vulnerable to these CVEs.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://confluence.atlassian.com/security/cve-2023-22523-rce-vulnerability-in-assets-discovery-1319248914.html
https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html
https://confluence.atlassian.com/security/cve-2023-22524-rce-vulnerability-in-atlassian-companion-app-for-macos-1319249492.html
https://confluence.atlassian.com/security/cve-2023-22522-rce-vulnerability-in-confluence-data-center-and-confluence-server-1319570362.html