Remote Code Execution Vulnerabilities in Multiple Atlassian Products


Fleury, Terry

Dec 6, 2023, 1:41:02 PM
to cv-an...@trustedci.org

CI Operators:

Atlassian has announced four critical remote code execution (RCE) vulnerabilities affecting multiple products, including Confluence Data Center and Server. All four vulnerabilities have CVSSv3 scores >= 9.0.


Impact:

  • CVE-2022-1471 [2] - A deserialization vulnerability in the SnakeYAML library can lead to remote code execution in multiple products
  • CVE-2023-22522 [3] - RCE vulnerability in Confluence Data Center and Confluence Server after v4.0.0
  • CVE-2023-22523 [4] - RCE vulnerability in Assets Discovery for Jira Service Management Cloud, Server, and Data Center up to v6.2.0
  • CVE-2023-22524 [5] - RCE vulnerability in Atlassian Companion app for macOS up to v2.0.0


Affected Software

  • Confluence Data Center and Server
  • The SnakeYAML library vulnerability affects multiple Atlassian products
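The SnakeYAML item above is a bug in a library rather than in one product, so operators who also run their own Java services that parse YAML may want to recognize the loader pattern it concerns. The following is an added illustration, not code from this advisory or from Atlassian; it assumes SnakeYAML 1.33 or later on the classpath, and the class name in the tag is a constructed placeholder:

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SnakeYamlLoaderCheck {

    // Constructed sample: a document carrying a global (!!) tag that names a Java class.
    // The class name is a placeholder; the point is that the tag, not the data,
    // decides what the loader tries to instantiate when it resolves the node.
    static final String TAGGED_DOC = "config: !!com.example.PlaceholderType {}\n";

    // Pattern to look for in code review: the no-argument Yaml() in SnakeYAML 1.x
    // uses Constructor, which resolves !! tags to classes on the classpath.
    // (SnakeYAML 2.0 changed this default; the explicit SafeConstructor below
    // behaves the same on both lines.)
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened pattern: SafeConstructor builds only standard YAML types
    // (maps, lists, scalars) and refuses global tags before any class is loaded.
    static Map<?, ?> loadSafe(String doc) {
        LoaderOptions opts = new LoaderOptions();
        return new Yaml(new SafeConstructor(opts)).load(doc);
    }

    public static void main(String[] args) {
        try {
            Map<?, ?> m = loadSafe(TAGGED_DOC);
            System.out.println("unexpected: tagged document accepted: " + m);
        } catch (YAMLException e) {
            // Expected with SafeConstructor: the tag is rejected, nothing is instantiated.
            System.out.println("SafeConstructor rejected tagged document: " + e.getMessage());
        }
        // A plain document without tags loads identically with either loader.
        Map<?, ?> plain = loadSafe("config: {timeout: 30}\n");
        System.out.println("plain document -> " + plain);
    }
}
```

Grepping a code base for `new Yaml()` and `new Constructor(` is a quick way to list the call sites that deserve this check.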


Recommendation:

Update to the latest version of Data Center or Server. There are no recommended mitigations.


References:

[1] https://confluence.atlassian.com/security/december-2023-security-advisories-overview-1318892103.html

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22522

[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22523

[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22524


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
