WARNING: HIGH SEVERITY SECURITY UPDATES FOR ATLASSIAN PRODUCTS RELEASED, PATCH IMMEDIATELY!
CVE-2024-21674: CVSS 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
CVE-2024-21672: CVSS 8.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVE-2024-21673: CVSS 8.0 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE-2020-26217: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2018-10054: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Remark: the overview above only lists the vulnerabilities with a CVSS score higher than 8.0. Please consult the Atlassian Security Bulletin for a detailed overview of all vulnerabilities.
Sources
https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html
Risks
Atlassian has patched multiple vulnerabilities across several products; the most severe ones affect Confluence Data Center and Server. Successful exploitation of these vulnerabilities could lead to remote code execution, which poses a significant threat to the confidentiality, integrity and availability (CIA triad) of information. At the moment, these vulnerabilities are not known to be actively exploited, as they were discovered through Atlassian's Bug Bounty program.
Description
Atlassian has released high severity security updates addressing 28 vulnerabilities. The most severe ones could lead to remote code execution and affect Confluence Data Center and Server.
CVE-2024-21674: This vulnerability, with a CVSS score of 8.6, affects Confluence Data Center and Server and allows an unauthenticated attacker to achieve Remote Code Execution (RCE) without user interaction.
CVE-2024-21672: This vulnerability, with a CVSS score of 8.3, affects Confluence Data Center and Server and allows an unauthenticated attacker to achieve Remote Code Execution (RCE), but requires user interaction.
CVE-2024-21673: This vulnerability, with a CVSS score of 8.0, affects Confluence Data Center and Server and allows an authenticated attacker to achieve Remote Code Execution (RCE) without user interaction.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Atlassian addressed the issues in the following versions:
Bitbucket Data Center
- Patch to a minimum fix version of 7.21.21, 8.9.9, 8.13.5, 8.14.4, 8.15.3, 8.16.2, 8.17.0 or latest
Bitbucket Server
- Patch to a minimum fix version of 7.21.21, 8.9.9, 8.13.5, 8.14.4
Bamboo Data Center and Server
- Patch to a minimum fix version of 9.2.9, 9.3.6, 9.4.2 or latest
Jira Data Center and Server
- Patch to a minimum fix version of 9.4.13, 9.7.0 or latest
Jira Service Management Data Center and Server
- Patch to a minimum fix version of 4.20.30, 5.4.15, 5.12.2 or latest
Crowd Data Center and Server
- Patch to a minimum fix version of 5.2.2 or latest
Confluence Data Center
- Patch to a minimum fix version of 7.19.18, 8.5.5, 8.7.2 or latest
Confluence Server
- Patch to a minimum fix version of 7.19.18, 8.5.5
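To check an installed version against the minimum fix versions listed above, the following script (an added example, not part of the CCB advisory or of Atlassian's tooling) compares the installed major.minor branch with the listed fix on that branch. It assumes the usual reading of "minimum fix version": a release is patched only if it sits on a listed branch at or above the listed patch level, or, where the advisory says "or latest", on a branch newer than every listed one; releases on an unlisted branch in between (for example Bitbucket 8.10.x) are reported as needing an upgrade. The product keys and the inventory are constructed for the example.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fix versions copied from the "Recommended Actions" section of the bulletin.
# The boolean records whether the advisory adds "or latest" for that product.
# Product keys are hypothetical labels chosen for this example.
FIX_VERSIONS: Dict[str, Tuple[List[str], bool]] = {
    "bitbucket-dc": (["7.21.21", "8.9.9", "8.13.5", "8.14.4", "8.15.3", "8.16.2", "8.17.0"], True),
    "bitbucket-server": (["7.21.21", "8.9.9", "8.13.5", "8.14.4"], False),
    "bamboo": (["9.2.9", "9.3.6", "9.4.2"], True),
    "jira": (["9.4.13", "9.7.0"], True),
    "jira-sm": (["4.20.30", "5.4.15", "5.12.2"], True),
    "crowd": (["5.2.2"], True),
    "confluence-dc": (["7.19.18", "8.5.5", "8.7.2"], True),
    "confluence-server": (["7.19.18", "8.5.5"], False),
}


def parse_version(text: str) -> Version:
    """Turn '8.5.5' into (8, 5, 5); a missing patch component counts as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected version format: {text!r}")
    return (parts[0], parts[1], parts[2] if len(parts) == 3 else 0)


def is_patched(product: str, installed: str) -> bool:
    """True if `installed` meets the advisory's minimum fix version (assumption: see lead-in)."""
    fixes, or_latest = FIX_VERSIONS[product]
    inst = parse_version(installed)
    fix_versions = sorted(parse_version(f) for f in fixes)
    for fix in fix_versions:
        if inst[:2] == fix[:2]:          # same major.minor branch as a listed fix
            return inst >= fix
    # Not on a listed branch: only acceptable when the advisory says "or latest"
    # and the installed branch is newer than every listed one.
    return or_latest and inst[:2] > fix_versions[-1][:2]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need patching."""
    return [(h, p, v) for h, p, v in inventory if not is_patched(p, v)]


# Constructed sample inventory for demonstration; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("wiki-01.example", "confluence-dc", "8.5.5"),    # at the fix level: patched
    ("wiki-02.example", "confluence-dc", "8.6.1"),    # unlisted branch: needs upgrade
    ("wiki-03.example", "confluence-server", "8.5.4"),  # below the fix: vulnerable
    ("git-01.example", "bitbucket-dc", "8.18.0"),     # newer than all listed, "or latest"
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"NEEDS PATCH: {host} {product} {version}")
```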
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-21673
https://nvd.nist.gov/vuln/detail/CVE-2024-21674
https://nvd.nist.gov/vuln/detail/CVE-2024-21672