Dear customer,

On the 6th of December 2023, 12am EST, Atlassian issued four Security Advisories for its on-premise software products, the Confluence Cloud Migration App, and the Assets Discovery (stand-alone app) for Cloud and on-premise.

What you need to know

Atlassian has discovered four critical vulnerabilities impacting customers of the products listed below. All four vulnerabilities carry a critical CVSS score of 9.0 or higher, and customers must take immediate action to protect their instances.

Affected versions CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products

Product | Affected Versions |
---|
Confluence Data Center and Server | 6.13.x 6.14.x 6.15.x 7.0.x 7.1.x 7.2.x 7.3.x 7.4.x 7.5.x 7.6.x 7.7.x 7.8.x 7.9.x 7.10.x 7.11.x 7.12.x 7.13.0 7.13.1 7.13.2 7.13.3 7.13.4 7.13.5 7.13.6 7.13.7 7.13.8 7.13.9 7.13.10 7.13.11 7.13.12 7.13.13 7.13.14 7.13.15 7.13.16 7.13.17 7.14.x 7.15.x 7.16.x 7.17.x 7.18.x 7.19.0 7.19.1 7.19.2 7.19.3 7.19.4 7.19.5 7.19.6 7.19.7 7.19.8 7.19.9 7.20.x 8.0.x 8.1.x 8.2.x 8.3.0 |
Jira Software Data Center and Server | 9.4.0 9.4.1 9.4.2 9.4.3 9.4.4 9.4.5 9.4.6 9.4.7 9.4.8 9.4.9 9.4.10 9.4.11 9.4.12 9.5.x 9.6.x 9.7.x 9.8.x 9.9.x 9.10.x 9.11.0 9.11.1 |
Jira Service Management Data Center and Server | 5.4.0 5.4.1 5.4.2 5.4.3 5.4.4 5.4.5 5.4.6 5.4.7 5.4.8 5.4.9 5.4.10 5.4.11 5.4.12 5.5.x 5.6.x 5.7.x 5.8.x 5.9.x 5.10.x 5.11.0 5.11.1 |
Jira Core Data Center and Server | 9.4.0 9.4.1 9.4.2 9.4.3 9.4.4 9.4.5 9.4.6 9.4.7 9.4.8 9.4.9 9.4.10 9.4.11 9.4.12 9.5.x 9.6.x 9.7.x 9.8.x 9.9.x 9.10.x 9.11.0 9.11.1 |
Bitbucket Data Center and Server | 7.17.x 7.18.x 7.19.x 7.20.x 7.21.0 7.21.1 7.21.2 7.21.3 7.21.4 7.21.5 7.21.6 7.21.7 7.21.8 7.21.9 7.21.10 7.21.11 7.21.12 7.21.13 7.21.14 7.21.15 8.0.x 8.1.x 8.2.x 8.3.x 8.4.x 8.5.x 8.6.x 8.7.x 8.8.0 8.8.1 8.8.2 8.8.3 8.8.4 8.8.5 8.8.6 8.9.0 8.9.1 8.9.2 8.9.3 8.10.0 8.10.1 8.10.2 8.10.3 8.11.0 8.11.1 8.11.2 8.12.0 |
Confluence Cloud Migration App (CCMA) | |
Automation for Jira (A4J) app (including Server Lite edition) | |

Affected versions CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server

Product | Affected Versions |
---|
Confluence Data Center and Server | 4.x.x 5.x.x 6.x.x 7.x.x 8.0.x 8.1.x 8.2.x 8.3.x 8.4.0 8.4.1 8.4.2 8.4.3 8.4.4 8.5.0 8.5.1 8.5.2 8.5.3 |
Confluence Data Center | |

Affected Versions CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app)

Product | Affected Versions |
---|
Assets Discovery (Jira Service Management Cloud) | Insight Discovery 1.0 - 3.1.3; Assets Discovery 3.1.4 - 3.1.7; Assets Discovery 3.1.8-cloud - 3.1.11-cloud |
Assets Discovery (Jira Service Management Data Center and Server) | Insight Discovery 1.0 - 3.1.7; Assets Discovery 3.1.9 - 3.1.11; Assets Discovery 6.0.0 - 6.1.14, 6.1.14-jira-dc-8 |

Affected versions CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS

Product | Affected Versions |
---|
Atlassian Companion App for MacOS | All versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability. |

Fixed Versions

Note: bitvoodoo recommends using the latest LTS releases of Jira, Confluence, and Bitbucket.

Product | Fixed Versions |
---|
Confluence Data Center and Server | |
Jira Software Data Center and Server | 9.11.2 9.12.0 (LTS) 9.4.13 (LTS) |
Jira Service Management Data Center and Server | 5.11.2 5.12.0 (LTS) 5.4.14 (LTS) |
Jira Core Data Center and Server | 9.11.2 9.12.0 (LTS) 9.4.13 (LTS) |
Bitbucket Data Center and Server | |
Confluence Cloud Migration App (CCMA) | |
Automation for Jira (A4J) app (including Server Lite edition) | |
Assets Discovery (Jira Service Management Cloud) | Assets Discovery 3.2.0-cloud or later |
Assets Discovery (Jira Service Management Data Center and Server) | |
Atlassian Companion App for MacOS | |

What should I do?

Confluence Server & Data Center

You use the Server or Data Center variant of any Atlassian application in a version listed in Affected Versions.

Update for Server & Data Center

Update to a version listed in Fixed Versions.

Note: bitvoodoo recommends using the latest LTS releases of Jira, Confluence and Bitbucket.

Workaround for Server & Data Center

There are currently no workarounds...

Atlassian Confluence Cloud

You use Assets Discovery (standalone app) in Jira Service Management Cloud

Note: Update to Assets Discovery 3. ..

Tip: If you don't use Assets Discovery (standalone app), you are not affected by the vulnerability. No need for action.

bitvoodoo Cloud

You use Jira, Confluence or Bitbucket Server or Data Center hosted with bitvoodoo.

Update for bitvoodoo Cloud

LTS Update Package customers will get the latest LTS release free of charge as soon as possible. bitvoodoo Cloud customers who do not have an LTS update package will be contacted by bitvoodoo in the coming days to coordinate an update.

Workaround for bitvoodoo Cloud

There are currently no workarounds.

Support

If you still have questions or concerns regarding this advisory, please contact bitvoodoo support via support.bitvoodoo.ch.