Page History
Warning |
---|
This is a public space: For the draft, please restrict the page during creation and |
English |
---|
Contents |
German |
---|
Inhalte |
Contenu |
Table of Contents |
---|
Page properties | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
Multiple Products Security Advisory - CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523
English | |||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Dear customer, On the 6th of December 2023, 12am EST, Atlassian issued four Security Advisories for its on-premise software products, the Confluence Cloud Migration App, and the Assets Discovery (stand-alone app) for Cloud and on-premise. What you need to knowAtlassian has discovered four critical vulnerabilities impacting customers of the products listed below. All four vulnerabilities carry a critical CVSS score of 9.0 or higher, and customers must take immediate action to protect their instances. Affected versions CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products
Affected versions CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server
Affected Versions CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app) | |||||||||||||||||||||||||||||
Product | Affected Versions | ||||||||||||||||||||||||||||
Assets Discovery (Jira Service Management Cloud) |
| ||||||||||||||||||||||||||||
Assets Discovery (Jira Service Management Data Center and Server) |
| ||||||||||||||||||||||||||||
Product | Affected Versions | ||||||||||||||||||||||||||||
Atlassian Companion App for MacOS | All versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability. |
Note |
---|
bitvoodoo recommends using the latest LTS releases of Jira, Confluence, and Bitbucket. |
Product | Fixed Versions |
---|---|
Confluence Data Center and Server |
|
Jira Software Data Center and Server |
|
Jira Service Management Data Center and Server |
|
Jira Core Data Center and Server |
|
Bitbucket Data Center and Server |
|
Confluence Cloud Migration App (CCMA) |
|
Automation for Jira (A4J) app (including Server Lite edition) |
|
Assets Discovery (Jira Service Management Cloud) |
|
Assets Discovery (Jira Service Management Data Center and Server) |
|
Atlassian Companion App for MacOS |
|
What should I do? - On-Premise Products
Localtab | ||||||
---|---|---|---|---|---|---|
| ||||||
You use the Server or Data Center variant of any Atlassian application in a version listed in Affected Versions. UpdateUpdate to a version listed in Fixed Versions.
WorkaroundThere are currently no workarounds. |
Localtab | ||||
---|---|---|---|---|
| ||||
You use Assets Discovery (standalone app) in Jira Service Management Cloud
If you don't use Assets Discovery (standalone app) you are not affected by the vulnerability. |
Localtab | ||||
---|---|---|---|---|
| ||||
You use Jira, Confluence or Bitbucket Server or Data Center hosted with bitvoodoo. UpdateLTS Update Package Customers will get an update to the latest LTS release free of charge as soon as possible. bitvoodoo Cloud customers who do not have an LTS update package will be contacted by bitvoodoo in the coming days for coordination for an update. WorkaroundThere are currently no workarounds. |
Support
If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.
Dear customer,
On the 6th of December 2023, 12am EST, Atlassian issued four Security Advisories for it's on-premise software products, Confluence Cloud Migration App, and the Assets Discovery (stand-alone app) for Cloud and on-premise.
What you need to know
Atlassian has discovered four critical vulnerabilities impacting customers of the products listed below. All four vulnerabilities carry a critical CVSS score of 9.0 or higher, and customers must take immediate action to protect their instances.
Affected versions CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products
Product
Affected Versions
Confluence Data Center and Server
6.13.x
6.14.x
6.15.x
7.0.x
7.1.x
7.2.x
7.3.x
7.4.x
7.5.x
7.6.x
7.7.x
7.8.x
7.9.x
7.10.x
7.11.x
7.12.x
7.13.0
7.13.1
7.13.2
7.13.3
7.13.4
7.13.5
7.13.6
7.13.7
7.13.8
7.13.9
7.13.10
7.13.11
7.13.12
7.13.13
7.13.14
7.13.15
7.13.16
7.13.17
7.14.x
7.15.x
7.16.x
7.17.x
7.18.x
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.19.8
7.19.9
7.20.x
8.0.x
8.1.x
8.2.x
8.3.0
Jira Software Data Center and Server
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.4.10
9.4.11
9.4.12
9.5.x
9.6.x
9.7.x
9.8.x
9.9.x
9.10.x
9.11.0
9.11.1
Jira Service Management Data Center and Server
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.x
5.6.x
5.7.x
5.8.x
5.9.x
5.10.x
5.11.0
5.11.1
Jira Core Data Center and Server
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.4.10
9.4.11
9.4.12
9.5.x
9.6.x
9.7.x
9.8.x
9.9.x
9.10.x
9.11.0
9.11.1
Bitbucket Data Center and Server
7.17.x
7.18.x
7.19.x
7.20.x
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.21.8
7.21.9
7.21.10
7.21.11
7.21.12
7.21.13
7.21.14
7.21.15
8.0.x
8.1.x
8.2.x
8.3.x
8.4.x
8.5.x
8.6.x
8.7.x
8.8.0
8.8.1
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.9.0
8.9.1
8.9.2
8.9.3
8.10.0
8.10.1
8.10.2
8.10.3
8.11.0
8.11.1
8.11.2
8.12.0
Confluence Cloud Migration App (CCMA)
Plugin versions lower than 3.4.0.
Automation for Jira (A4J) app (including Server Lite edition)
9.0.1
9.0.0
<= 8.2.2
Affected versions CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server
Product
Affected Versions
Confluence Data Center and Server
4.0.0
7.20.0
8.0.0
8.6.0
| |
Confluence Data Center |
|
Affected Versions CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app)
Product | Affected Versions |
---|---|
Assets Discovery (Jira Service Management Cloud) |
|
Assets Discovery (Jira Service Management Data Center and Server) |
|
Affected versions
Affected Versions CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app)
Product
Affected Versions
Assets Discovery (Jira Service Management Cloud)
Insight Discovery 1.0 - 3.1.3
Assets Discovery 3.1.4 - 3.1.7
Assets Discovery 3.1.8-cloud - 3.1.11-cloud
Assets Discovery (Jira Service Management Data Center and Server)
Insight Discovery 1.0 - 3.1.7
Assets Discovery 3.1.9 - 3.1.11
Assets Discovery 6.0.0 - 6.1.14, 6.1.14-jira-dc-8
Affected versions CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS
Product
Affected Versions
Atlassian Companion App for MacOS
All versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability.
Fixed Versions
Note |
---|
bitvoodoo recommends using the latest LTS releases of Jira, Confluence, and Bitbucket. |
Product | Fixed Versions |
---|---|
Confluence Data Center and Server |
|
Jira Software Data Center and Server |
|
Jira Service Management Data Center and Server |
|
Jira Core Data Center and Server |
|
Bitbucket Data Center and Server |
|
Confluence Cloud Migration App (CCMA) |
|
Automation for Jira (A4J) app (including Server Lite edition) |
|
Assets Discovery (Jira Service Management Cloud) |
|
Assets Discovery (Jira Service Management Data Center and Server) |
|
Atlassian Companion App for MacOS |
|
What should I do? - On-Premise Products
Localtab | ||||||
---|---|---|---|---|---|---|
| ||||||
You use the Server or Data Center variant of any Atlassian application in a version listed in Affected Versions. UpdateUpdate to a version listed in Fixed Versions.
WorkaroundThere are currently no workarounds. |
Localtab | ||||
---|---|---|---|---|
| ||||
You use Assets Discovery (standalone app) in Jira Service Management Cloud
If you don't use Assets Discovery (standalone app) you are not affected by the vulnerability. |
Localtab | ||||
---|---|---|---|---|
| ||||
You use Jira, Confluence or Bitbucket Server or Data Center hosted with bitvoodoo. UpdateLTS Update Package Customers will get an update to the latest LTS release free of charge as soon as possible. bitvoodoo Cloud customers who do not have an LTS update package will be contacted by bitvoodoo in the coming days for coordination for an update. WorkaroundThere are currently no workarounds. |
Support
Wenn Sie noch Fragen oder Bedenken zu diesem Advisory haben, wenden Sie sich bitte an den bitvoodoo Support via support@bitvoodoo.ch oder support.bitvoodoo.ch.
Chère cliente, cher client,
Le 6 décembre 2023, 6:00AM, Atlassian a publié 4 avis de sécurités pour ses produits on-premise, ainsi que Confluence Cloud Migration App, et Assets Discovery (stand-alone app) pour Cloud et on-premise.
Ce qu'il faut savoir
Atlassian a découvert quatre vulnérabilités critiques affectant les clients des produits répertoriés ci-dessous. Les quatre vulnérabilités ont un score CVSS critique de 9,0 ou plus, et les clients doivent prendre des mesures immédiates pour protéger leurs instances.
Versions concernées CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products
Produit
Versions concernées
Confluence Data Center et Serveur
6.13.x
6.14.x
6.15.x
7.0.x
7.1.x
7.2.x
7.3.x
7.4.x
7.5.x
7.6.x
7.7.x
7.8.x
7.9.x
7.10.x
7.11.x
7.12.x
7.13.0
7.13.1
7.13.2
7.13.3
7.13.4
7.13.5
7.13.6
7.13.7
7.13.8
7.13.9
7.13.10
7.13.11
7.13.12
7.13.13
7.13.14
7.13.15
7.13.16
7.13.17
7.14.x
7.15.x
7.16.x
7.17.x
7.18.x
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.19.8
7.19.9
7.20.x
8.0.x
8.1.x
8.2.x
8.3.0
Jira Software Data Center et Serveur
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.4.10
9.4.11
9.4.12
9.5.x
9.6.x
9.7.x
9.8.x
9.9.x
9.10.x
9.11.0
9.11.1
Jira Service Management Data Center et Serveur
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.x
5.6.x
5.7.x
5.8.x
5.9.x
5.10.x
5.11.0
5.11.1
Jira Core Data Center et Serveur
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.4.10
9.4.11
9.4.12
9.5.x
9.6.x
9.7.x
9.8.x
9.9.x
9.10.x
9.11.0
9.11.1
Bitbucket Data Center et Serveur
7.17.x
7.18.x
7.19.x
7.20.x
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.21.8
7.21.9
7.21.10
7.21.11
7.21.12
7.21.13
7.21.14
7.21.15
8.0.x
8.1.x
8.2.x
8.3.x
8.4.x
8.5.x
8.6.x
8.7.x
8.8.0
8.8.1
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.9.0
8.9.1
8.9.2
8.9.3
8.10.0
8.10.1
8.10.2
8.10.3
8.11.0
8.11.1
8.11.2
8.12.0
Confluence Cloud Migration App (CCMA)
Versions du plugin inférieures à 3.4.0.
Automation for Jira (A4J) app (y compris l'édition Server Lite)
9.0.1
9.0.0
<= 8.2.2
Versions concernées CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server
Produit
Versions concernées
Confluence Data Center et Serveur
4.0.0
7.20.0
8.0.0
8.6.0
Versions concernées CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app)
Produit
Versions concernées
Assets Discovery (Jira Service Management Cloud)
Insight Discovery 1.0 - 3.1.3
Assets Discovery 3.1.4 - 3.1.7
Assets Discovery 3.1.8-cloud - 3.1.11-cloud
Assets Discovery (Jira Service Management Data Center et Serveur)
Insight Discovery 1.0 - 3.1.7
Assets Discovery 3.1.9 - 3.1.11
Assets Discovery 6.0.0 - 6.1.14, 6.1.14-jira-dc-8
Versions concernées CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS
Product | Affected Versions |
---|---|
Atlassian Companion App for MacOS | |
All versions (MacOS) | |
up to but not including 2.0.0 | |
are affected by the vulnerability. |
Fixed Versions
corrigéesNote |
---|
bitvoodoo recommande d'utiliser les dernières versions LTS de recommends using the latest LTS releases of Jira, Confluence et , and Bitbucket. |
Product | Fixed Versions |
---|---|
Confluence Data Center | |
and Server |
|
Jira Software Data Center | |
and Server |
|
Jira Service Management Data Center | |
and Server |
|
| |
Jira Core Data Center | |
and Server |
|
Bitbucket Data Center | |
and Server |
|
| |
| |
| |
| |
Confluence Cloud Migration App (CCMA) |
|
Automation for Jira (A4J) app ( | |
including Server Lite edition) |
|
Assets Discovery (Jira Service Management Cloud) |
|
| |
Assets Discovery (Jira Service Management Data Center | |
and Server) |
|
| |
Atlassian Companion App for MacOS |
|
|
What should I do? -
ProduitsOn-Premise Products
Localtab Group | |||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Support
|
Support
If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via Si vous avez des questions concernant cette faille de sécurité, veuillez contact le support de bitvoodoo via support@bitvoodoo.ch ou support.bitvoodoo.ch.