Tilkynnt var um nokkra alvarlega veikleika í Confluence Data Center, Confluence Server, Assets Discovery for Jira Service Management, Atlassian Companion app hjá Atlassian. Ef veikleikarnir eru misnotaðir gæti það leitt til fjarkeyrslu kóða (e. remote code execution) [1,2]. CERT-IS mælir með að uppfært sé eins fljótt og auðið er í útgáfu þar sem veikleikinn hefur verið lagfærður.
Alvarlegir veikleikar (e. critical)
CVE-2022-1471
Veikleikinn CVE-2022-1471 með CVSSv3 skor uppá 9.8 er þáttunarveikleiki (e. deserialization vulnerability) í SnakeYAML forritasafninu sem getur leitt til fjarkeyrslu kóða í eftirfarandi vörum: Automation for Jira app (including Server Lite edition), Bitbucket Data Center, Bitbucket Server, Confluence Data Center, Confluence Server, Confluence Cloud Migration App, Jira Core Data Center, Jira Core Server, Jira Service Management Data Center, Jira Service Management Server, Jira Software Data Center, Jira Software Server.
CVE-2023-22522
Veikleikinn CVE-2023-22522 með CVSSv3 skor uppá 9.0 getur leitt til fjarkeyrslu kóða í Confluence Data Center og Confluence Server.
CVE-2023-22523
Veikleikinn CVE-2023-22523 með CVSSv3 skor uppá 9.8 getur leitt til fjarkeyrslu kóða í Assets Discovery fyrir Jira Service Management Cloud, Server, og Data Center.
CVE-2023-22524
Veikleikinn CVE-2023-22524 með CVSSv3 skor uppá 9.6 getur leitt til fjarkeyrslu kóða í Atlassian Companion app fyrir macOS.
Eftirfarandi kerfi eru veik fyrir göllunum:
- Confluence Data Center: 8.6.0, 8.6.1
- Confluence Data Center and Server: 4.x.x, 5.x.x, 6.x.x, 7.x.x, 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.5.0, 8.5.1, 8.5.2, 8.5.3
- Assets Discovery for Jira Service Management Cloud: Insight Discovery 1.0 – 3.1.3, Assets Discovery 3.1.4 – 3.1.7, Assets Discovery 3.1.8-cloud – 3.1.11-cloud
- Assets Discovery for Jira Service Management Data Center and Server: Insight Discovery 1.0 – 3.1.7, Assets Discovery 3.1.9 – 3.1.11, Assets Discovery 6.0.0 – 6.1.14, 6.1.14-jira-dc-8
- Atlassian Companion app fyrir macOS: < 2.0.0
- Automation for Jira (A4J) Marketplace App: 9.0.1, 9.0.0, <= 8.2.2
- Bitbucket Data Center and Server: 7.17.x, 7.18.x, 7.19.x, 7.20.x, 7.21.0 – 7.21.15, 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x, 8.6.x, 8.7.x, 8.8.0 – 8.8.6, 8.9.0 – 8.9.3, 8.10.0 – 8.10.3, 8.11.0 – 8.11.2, 8.12.0
- Jira Core/Software Data Center and Server: 9.4.0 – 9.4.12, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.x, 9.10.x, 9.11.0, 9.11.1
- Jira Service Management Data Center and Server: 5.4.0 – 5.4.12, 5.5.x, 5.6.x, 5.7.x, 5.8.x, 5.9.x, 5.10.x, 5.11.0, 5.11.1
- Confluence Cloud Migration App (CCMA): < 3.4.0
Veikleikinn hefur verið lagfærður í eftirfarandi útgáfum:
- Confluence Data Center: >= 8.6.2
- Confluence Data Center and Server: 7.19.17 (LTS), 8.4.5, 8.5.4 (LTS)
- Assets Discovery for Jira Service Management Cloud: >= Assets Discovery 3.2.0-cloud
- Assets Discovery for Jira Service Management Data Center and Server: >= Assets Discovery 6.2.0
- Atlassian Companion app fyrir macOS: >= 2.0.0
- Automation for Jira (A4J) Marketplace App: >= 9.0.2, >= 8.2.4
- Bitbucket Data Center and Server: 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.15.0 (Data Center), 8.16.0 (Data Center)
- Confluence Cloud Migration App (CCMA): >= 3.4.0
- Jira Core Data Center and Server: 9.11.2, 9.12.0 (LTS), 9.4.14 (LTS)
- Jira Software Data Center and Server: 9.11.2, 9.12.0 (LTS), 9.4.14 (LTS)
- Jira Service Management Data Center and Server: 5.11.2, 5.12.0 (LTS), 5.4.14 (LTS)
Tilvísanir:
• [1] https://confluence.atlassian.com/security/december-2023-security-advisories-overview-1318892103.html
• [2] https://thehackernews.com/2023/12/atlassian-releases-critical-software.html
