WARNING: CRITICAL VULNERABILITIES IN MULTIPLE ATLASSIAN PRODUCT VERSIONS, RCE POSSIBLE. PATCH IMMEDIATELY!
CVE-2022-1471 (9.8 CRITICAL - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-22522 (9.0 CRITICAL - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2023-22524 (9.6 CRITICAL - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVE-2023-22523 (9.8 CRITICAL - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Atlassian
- https://confluence.atlassian.com/security/december-2023-security-advisor...
- https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-librar...
- https://confluence.atlassian.com/security/cve-2023-22522-rce-vulnerabili...
- https://confluence.atlassian.com/security/cve-2023-22524-rce-vulnerabili...
- https://confluence.atlassian.com/security/cve-2023-22523-rce-vulnerabili...
Risks
On 06/12/2023, Atlassian published security advisories for critical vulnerabilities in multiple versions of its software products that can lead to remote code execution (RCE) when exploited by a malicious actor.
Compromise could have high impact on confidentiality, integrity and availability.
Vulnerability | Affected products
CVE-2022-1471 is a deserialization flaw in the SnakeYAML library for Java. (Atlassian Cloud sites are not affected by this vulnerability according to Atlassian) |
CVE-2023-22522 is a Template Injection vulnerability. It allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. (Atlassian Cloud sites are not affected by this vulnerability according to Atlassian) |
CVE-2023-22524 is a WebSockets vulnerability. It allows an attacker to bypass Atlassian Companion's blocklist and macOS Gatekeeper. (Atlassian Confluence Data Center and Server or Cloud sites and the Atlassian Companion App for Windows are not impacted by this vulnerability) |
CVE-2023-22523 is a vulnerability between the Assets Discovery application and the Assets Discovery agent. |
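The SnakeYAML flaw behind CVE-2022-1471 is that the library's default loader will instantiate whatever Java class a document names through a global "!!" tag. The example below is added here and is not code from the CCB advisory, from Atlassian or from the SnakeYAML project; it shows the defensive pattern of loading untrusted YAML through a SafeConstructor, which only builds standard YAML types and refuses class tags. It assumes org.yaml:snakeyaml 1.33 or later on the classpath (the LoaderOptions-taking SafeConstructor constructor; in SnakeYAML 2.x it is the only one), and the document text is a constructed sample using java.lang.StringBuilder as a harmless placeholder class name.

```java
// Added example (not from the CCB advisory, Atlassian or SnakeYAML): load
// untrusted YAML with SafeConstructor so that "!!" class tags are rejected.
// Assumes org.yaml:snakeyaml 1.33+ on the classpath.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoading {

    // Constructed untrusted input: a document carrying a global "!!" tag that
    // names a Java class. java.lang.StringBuilder is a harmless placeholder;
    // the point is that the tag asks the loader to instantiate a class chosen
    // by the document's author rather than by the application.
    static final String UNTRUSTED_DOC =
            "name: example\n" +
            "payload: !!java.lang.StringBuilder 'hello'\n";

    // Loader restricted to the standard YAML types (str, int, map, seq, ...).
    // A tag that resolves to a Java class has no registered constructor here,
    // so SafeConstructor throws instead of instantiating it.
    static Yaml safeLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);     // fail closed on ambiguous documents
        opts.setMaxAliasesForCollections(50);  // bound alias expansion (billion-laughs style input)
        return new Yaml(new SafeConstructor(opts));
    }

    // Returns true if the safe loader accepted the document, false if it
    // rejected it (for example because of a disallowed class tag).
    static boolean loadsUnderSafeConstructor(String doc) {
        try {
            Object parsed = safeLoader().load(doc);
            return parsed != null;
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Plain data is still loaded normally.
        Map<String, Object> ok = safeLoader().load("name: example\ncount: 3\n");
        System.out.println("plain document -> " + ok);

        // The class-tagged document is refused: SafeConstructor has no
        // constructor for tag:yaml.org,2002:java.lang.StringBuilder.
        System.out.println("tagged document accepted? " + loadsUnderSafeConstructor(UNTRUSTED_DOC));
    }
}
```

In an application that cannot yet move to a patched SnakeYAML, replacing `new Yaml()` with a SafeConstructor-backed instance at every point where YAML from an untrusted source is parsed removes the class-instantiation path; the patch itself remains the primary action, since the page's advice is to upgrade.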
Description
All vulnerabilities listed in this advisory are critical ones and can lead to remote code execution (RCE) on vulnerable systems when exploited.
Recommended Actions
Patches exist for all vulnerabilities.
Administrators of affected systems are advised to patch to the latest versions, except for CVE-2023-22524, for which the patch should be installed automatically at runtime.
In the case of CVE-2023-22523, the Assets Discovery agent must be uninstalled and then re-installed after the patch has been applied to the Assets Discovery application.
The Centre for Cyber Security Belgium strongly recommends checking if all installed Atlassian product versions are listed in the fixed version lists available on the Atlassian support site.
Administrators are urged to take immediate action and upgrade to the latest software version where needed.
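Checking an installed version against a fixed version list is easy to get wrong when the list names one fixed version per release line (an LTS line next to the current line), because a version that is numerically higher than one fix may still sit on a line that received none. The example below is added here and is not part of the CCB advisory or of any Atlassian tooling; it encodes that per-release-line rule. The fixed versions in it are constructed placeholders and not the real fixed versions for any of the CVEs above: take those from the Atlassian advisory for each product.

```java
// Added example, not from the CCB advisory or Atlassian: decide whether an
// installed product version is covered by a list of fixed versions given per
// release line. The fixed versions below are constructed placeholders.
import java.util.Arrays;
import java.util.List;

public class AtlassianVersionCheck {

    // Constructed placeholder list, NOT the real fixed versions for any CVE.
    static final List<String> PLACEHOLDER_FIXED = Arrays.asList("7.2.9", "7.4.3", "8.0.1");

    // "7.4.3" -> {7, 4, 3}; a missing component counts as 0 and a suffix such
    // as "-rc1" is ignored, so "8.0.1-rc1" parses as {8, 0, 1}.
    static int[] parse(String version) {
        String[] parts = version.split("-", 2)[0].split("\\.");
        int[] out = new int[3];
        for (int i = 0; i < out.length && i < parts.length; i++) {
            out[i] = Integer.parseInt(parts[i].trim());
        }
        return out;
    }

    // Component-wise comparison: negative if a < b, 0 if equal, positive if a > b.
    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    // Same major.minor line, e.g. 7.4.1 and 7.4.3.
    static boolean sameReleaseLine(int[] a, int[] b) {
        return a[0] == b[0] && a[1] == b[1];
    }

    // Covered if the installed version is at or above the fixed version of its
    // own release line, or newer than the newest fixed version listed. A line
    // with no fixed version listed (e.g. 7.3.x here) is treated as vulnerable.
    static boolean isFixed(String installed, List<String> fixedVersions) {
        int[] inst = parse(installed);
        int[] newest = null;
        for (String f : fixedVersions) {
            int[] fixed = parse(f);
            if (sameReleaseLine(inst, fixed) && compare(inst, fixed) >= 0) {
                return true;
            }
            if (newest == null || compare(fixed, newest) > 0) {
                newest = fixed;
            }
        }
        return newest != null && compare(inst, newest) >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample of installed versions reported by an inventory.
        for (String v : Arrays.asList("7.2.8", "7.2.9", "7.3.0", "7.4.5", "8.0.1-rc1", "8.1.0")) {
            System.out.printf("%-10s -> %s%n", v,
                    isFixed(v, PLACEHOLDER_FIXED) ? "fixed" : "VULNERABLE, upgrade");
        }
    }
}
```

With the placeholder list, 7.2.9, 7.4.5 and 8.1.0 are reported as fixed, while 7.2.8 and 7.3.0 are reported as vulnerable: 7.3.0 is above the 7.2.9 fix but on a release line for which no fix is listed, which is exactly the case a naive "greater than the lowest fixed version" check would miss. Run it per product, since each Atlassian product has its own fixed version list.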
References
NIST