bitvoodoo Advisories
bitvoodoo Advisories BVADVIS




Date

 

Products

Atlassian Server and Data Center

  • Confluence Data Center and Server
  • Jira Software Data Center and Server
  • Jira Service Management Data Center and Server
  • Jira Core Data Center and Server
  • Bitbucket Data Center and Server

Atlassian Server and Data Center 3rd-party Apps

  • Confluence Cloud Migration App (CCMA)
  • Automation for Jira (A4J) app (including Server Lite edition)

Atlassian Cloud

  • Jira Service Management Cloud → Assets Discovery (stand-alone app)

Vulnerability

Critical
CVE

CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523

Official link

(warning) needs to be replaced



Multiple Products Security Advisory - CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523

Dear customer,

On the 6th of December 2023, 12am EST, Atlassian issued four Security Advisories for its on-premise software products, the Confluence Cloud Migration App, and the Assets Discovery stand-alone app for Cloud and on-premise.

What you need to know

Atlassian has discovered four critical vulnerabilities impacting customers of the products listed below. All four vulnerabilities carry a critical CVSS score of 9.0 or higher, and customers must take immediate action to protect their instances.

Affected versions CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products

Product

Affected Versions

Confluence Data Center and Server

  • 6.13.x, 6.14.x, 6.15.x
  • 7.0.x - 7.12.x (every release line)
  • 7.13.0 - 7.13.17
  • 7.14.x - 7.18.x (every release line)
  • 7.19.0 - 7.19.9
  • 7.20.x
  • 8.0.x, 8.1.x, 8.2.x
  • 8.3.0

Jira Software Data Center and Server

  • 9.4.0 - 9.4.12
  • 9.5.x - 9.10.x (every release line)
  • 9.11.0 - 9.11.1

Jira Service Management Data Center and Server

  • 5.4.0 - 5.4.12
  • 5.5.x - 5.10.x (every release line)
  • 5.11.0 - 5.11.1

Jira Core Data Center and Server

  • 9.4.0 - 9.4.12
  • 9.5.x - 9.10.x (every release line)
  • 9.11.0 - 9.11.1

Bitbucket Data Center and Server

  • 7.17.x, 7.18.x, 7.19.x, 7.20.x
  • 7.21.0 - 7.21.15
  • 8.0.x - 8.7.x (every release line)
  • 8.8.0 - 8.8.6
  • 8.9.0 - 8.9.3
  • 8.10.0 - 8.10.3
  • 8.11.0 - 8.11.2
  • 8.12.0

Confluence Cloud Migration App (CCMA)

Automation for Jira (A4J) app (including Server Lite edition)

  • <= 8.2.2
  • 9.0.0
  • 9.0.1

Affected versions CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server

Product

Affected Versions

Confluence Data Center and Server

  • 4.0.0
  • 7.20.0
  • 8.0.0
  • 8.6.0

Read these entries as the start of each affected release line, not as four individual releases: every release from 4.0.0 up to the Fixed Versions listed below is affected. The fixed releases 8.4.5 and 8.5.4, for example, cover lines that do not appear in this list.

Affected versions CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app)

Product

Affected Versions

Assets Discovery (Jira Service Management Cloud)

  • Insight Discovery 1.0 - 3.1.3
  • Assets Discovery 3.1.4 - 3.1.7
  • Assets Discovery 3.1.8-cloud - 3.1.11-cloud

Assets Discovery (Jira Service Management Data Center and Server)

  • Insight Discovery 1.0 - 3.1.7
  • Assets Discovery 3.1.9 - 3.1.11
  • Assets Discovery 6.0.0 - 6.1.14, 6.1.14-jira-dc-8

Affected versions CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for macOS

Product

Affected Versions

Atlassian Companion App for macOS

  • All versions up to but not including 2.0.0

Fixed Versions

bitvoodoo recommends using the latest LTS releases of Jira, Confluence, and Bitbucket.

Product

Fixed Versions

Confluence Data Center and Server

  • 7.19.17 (LTS)
  • 8.4.5
  • 8.5.4 (LTS)
  • 8.6.2
  • 8.7.0

Jira Software Data Center and Server

  • 9.4.13 (LTS)
  • 9.11.2
  • 9.12.0 (LTS)

Jira Service Management Data Center and Server

  • 5.4.13 (LTS)
  • 5.11.2
  • 5.12.0 (LTS)

Jira Core Data Center and Server

  • 9.4.13 (LTS)
  • 9.11.2
  • 9.12.0 (LTS)

Bitbucket Data Center and Server

  • 7.21.16 (LTS)
  • 8.8.7
  • 8.9.4 (LTS)
  • 8.10.4
  • 8.11.3
  • 8.12.1
  • 8.13.0

Confluence Cloud Migration App (CCMA)

  • 3.4.0

Automation for Jira (A4J) app (including Server Lite edition)

  • 8.2.4
  • 9.0.2

Atlassian Companion App for macOS

  • 2.0.0

What should I do? - On-Premise Products

You use the Server or Data Center variant of any Atlassian application in a version listed in Affected Versions.

Update

Update to a version listed in Fixed Versions. The fix ships per release line: pick the fixed release on your current line where one exists (for example Confluence 7.19.x to 7.19.17, Jira 9.4.x to 9.4.13). Lines without a fixed release (for example Confluence 8.0.x - 8.3.x or Jira 9.5.x - 9.10.x) must move to a newer line. Do not treat an instance as fixed just because its version number is higher than the lowest fixed version: Confluence 8.5.0 is above 7.19.17 but still affected until 8.5.4.

Check the apps covered by this advisory separately from the host product: Confluence Cloud Migration App (3.4.0), Automation for Jira including Server Lite (8.2.4 or 9.0.2), the Assets Discovery stand-alone agent for Jira Service Management Data Center and Server (update to the latest release), and the Atlassian Companion App on your users' Macs (2.0.0 or later; every earlier version is affected by CVE-2023-22524).

bitvoodoo recommends using the latest LTS releases of Jira, Confluence and Bitbucket.
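The release-line rule above, as an added example (this is not bitvoodoo's or Atlassian's code). It encodes the Fixed Versions table from this page and decides whether a given Server/Data Center version is fixed, listing the releases an affected instance can move to. The product keys and function names are this example's own choices; the Jira `/rest/api/2/serverInfo` endpoint is real, but the sample response below is constructed, and the rule that release lines newer than every fixed line already carry the fix is an assumption drawn from the table rather than a statement on this page.

```python
"""Check an Atlassian Server/Data Center version against this advisory's fixed releases.

Added example for this advisory (not bitvoodoo's or Atlassian's code). The fixed
releases below are copied from the Fixed Versions table on the page; product keys
and function names are this example's own.

Rule implemented: the fix ships on each maintained release line (major.minor), so an
instance is fixed only if it is at or above the fixed release on its *own* line, or on
a line newer than every line in the table (assumed to have branched after the fix).
A global "version >= lowest fixed version" test is wrong: Confluence 8.5.0 is above
7.19.17 yet below 8.5.4 and therefore still affected.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (fixed release, is LTS) per product, from the Fixed Versions table above.
FIXED: Dict[str, List[Tuple[str, bool]]] = {
    "confluence": [("7.19.17", True), ("8.4.5", False), ("8.5.4", True),
                   ("8.6.2", False), ("8.7.0", False)],
    "jira-software": [("9.4.13", True), ("9.11.2", False), ("9.12.0", True)],
    "jira-service-management": [("5.4.13", True), ("5.11.2", False), ("5.12.0", True)],
    "jira-core": [("9.4.13", True), ("9.11.2", False), ("9.12.0", True)],
    "bitbucket": [("7.21.16", True), ("8.8.7", False), ("8.9.4", True), ("8.10.4", False),
                  ("8.11.3", False), ("8.12.1", False), ("8.13.0", False)],
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch][-suffix]' (e.g. '6.1.14-jira-dc-8') into a comparable tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fixed_on_line(product: str, version: str) -> Optional[Version]:
    """The fixed release on this version's own major.minor line, or None if that line got no fix."""
    line = parse_version(version)[:2]
    for fixed, _lts in FIXED[product]:
        f = parse_version(fixed)
        if f[:2] == line:
            return f
    return None


def is_fixed(product: str, version: str) -> bool:
    """True if the instance already runs a fixed release under the release-line rule."""
    v = parse_version(version)
    on_line = fixed_on_line(product, version)
    if on_line is not None:
        return v >= on_line
    newest_fixed_line = max(parse_version(f)[:2] for f, _ in FIXED[product])
    # Assumption: lines newer than every fixed line branched after the fix.
    # Older lines with no fixed release (e.g. Confluence 8.0.x - 8.3.x) stay affected.
    return v[:2] > newest_fixed_line


def upgrade_targets(product: str, version: str) -> List[str]:
    """Fixed releases an affected instance can move to, lowest first; [] if already fixed."""
    if is_fixed(product, version):
        return []
    v = parse_version(version)
    candidates = sorted((parse_version(f), f, lts) for f, lts in FIXED[product]
                        if parse_version(f) > v)
    return [f + (" (LTS)" if lts else "") for _, f, lts in candidates]


def version_from_server_info(body: str) -> str:
    """Extract the running version from Jira's /rest/api/2/serverInfo JSON response."""
    return json.loads(body)["version"]


if __name__ == "__main__":
    # Constructed sample shaped like a Jira serverInfo response (not a real capture).
    sample = '{"baseUrl": "https://jira.example.test", "version": "9.4.12", "deploymentType": "Server"}'
    checks = [("jira-software", version_from_server_info(sample)),
              ("confluence", "8.5.0"), ("confluence", "8.3.0"), ("confluence", "8.8.0")]
    for product, version in checks:
        if is_fixed(product, version):
            print(f"{product} {version}: fixed")
        else:
            print(f"{product} {version}: AFFECTED -> " + ", ".join(upgrade_targets(product, version)))
```

For Confluence, read the version from the `ajs-version-number` meta tag of any page, for Bitbucket from `/rest/api/1.0/application-properties`, and feed it to `is_fixed`; the same parser copes with suffixed versions such as the Assets Discovery `-cloud` and `-jira-dc-8` builds.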

Workaround

There are currently no workarounds. Until the update is applied, limiting network exposure of the instance (for example, no direct reachability from the internet) reduces the risk but does not remove the vulnerability.

You use Jira, Confluence or Bitbucket Cloud.

The Cloud products themselves are not affected by this Security Advisory. One exception: if you run the Assets Discovery stand-alone agent with Jira Service Management Cloud in a version listed in Affected Versions (CVE-2023-22523), update the agent to the latest release.

Otherwise no action is needed.

You use Jira, Confluence or Bitbucket Server or Data Center hosted with bitvoodoo.

Update

Customers with an LTS Update Package will get an update to the latest LTS release free of charge as soon as possible.

bitvoodoo Cloud customers who do not have an LTS Update Package will be contacted by bitvoodoo in the coming days to coordinate an update.

The Atlassian Companion App runs on your users' Macs, not on the hosted instance, so it is not covered by these updates: update it to 2.0.0 or later yourself.

Workaround

There are currently no workarounds.




Further Reading

  • CVE-2022-1471
  • CVE-2023-22522
  • CVE-2023-22523
  • CVE-2023-22524
  • Multiple Products Security Advisory - CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523

Support

If you still have questions or concerns regarding this advisory, please contact bitvoodoo support via support.bitvoodoo.ch.
