Vulnerabilities

CVE-2023-22522, CVE-2023-22524, CVE-2023-22523, CVE-2022-1471 - Atlassian Releases Security Advisories for Multiple Products

This advisory is for organizations that use any of the Atlassian products listed below. If your organization does not use Atlassian products, this notification may be discarded.

  • Confluence Data Center and Confluence Server
  • Atlassian Companion App for macOS
  • Assets Discovery
  • SnakeYAML library

Summary

Atlassian has released Security Advisories and made patches available to address the RCE (Remote Code Execution) vulnerabilities noted in the platforms listed below.

CVE-2023-22522 – RCE Vulnerability in Confluence Data Center and Confluence Server

CVSSv3: 9.0

May allow an authenticated attacker (including one with anonymous access) to inject unsafe user input into a Confluence page, which could result in RCE on the affected instance.

Affects all versions of Confluence Data Center and Server from 4.0.0 onward.

Patches to address the vulnerability

  • Confluence Data Center and Server: 7.19.17 (LTS), 8.4.5, 8.5.4 (LTS)
  • Confluence Data Center: 8.6.2 or later (Data Center Only), 8.7.1 or later (Data Center Only)


CVE-2023-22523 - RCE Vulnerability in Assets Discovery

CVSSv3: 9.8

May allow an attacker to perform privileged RCE on machines with the Assets Discovery agent installed.

Patches to address the vulnerability

  • Jira Service Management Cloud (component: Assets Discovery): Assets Discovery 3.2.0-cloud or later
  • Jira Service Management Data Center and Server (component: Assets Discovery): Assets Discovery 6.2.0 or later


CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for macOS

CVSSv3: 9.6

May allow an attacker to use WebSockets to bypass Atlassian Companion's block list and macOS Gatekeeper, allowing RCE.

Patches to address the vulnerability

  • Atlassian Companion App for macOS: 2.0.0 or later


CVE-2022-1471 – SnakeYAML Library RCE Vulnerability Impacts Multiple Products

CVSSv3: 9.8

Multiple Atlassian Data Center and Server products use the SnakeYAML library for Java. SnakeYAML is susceptible to a deserialization flaw that can lead to RCE.
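The deserialization flaw lies in how SnakeYAML's generic Constructor honours global "!!" type tags and instantiates whatever class a document names. As an added illustration (not code from the advisory or from Atlassian), the Java below places the weak default loader beside a SafeConstructor-based loader that only builds standard YAML types; the YAML documents and the class named in the tag are constructed samples, and SnakeYAML 1.33 or later is assumed for the SafeConstructor(LoaderOptions) signature.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoading {
    // Constructed sample: an untagged document, the kind of input an
    // application actually expects from users or config files.
    static final String PLAIN = "name: build-job\nretries: 3\n";

    // Constructed sample: the top-level node carries a global "!!" tag that
    // asks the loader to instantiate an arbitrary class from the classpath.
    // java.util.Date is used here purely as a harmless stand-in.
    static final String TAGGED = "!!java.util.Date {}\n";

    // Weak setting (vulnerable 1.x line): the no-argument Yaml() uses the
    // generic Constructor, which resolves the tag and creates the class.
    static Object loadWeak(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened setting: SafeConstructor constructs only maps, lists and
    // scalars and throws for any global tag, so no class is instantiated.
    static Object loadSafe(String doc) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(50); // also bounds alias expansion
        return new Yaml(new SafeConstructor(opts)).load(doc);
    }

    public static void main(String[] args) {
        System.out.println("safe loader, plain doc:  " + loadSafe(PLAIN));
        try {
            // On the vulnerable 1.x line this prints "class java.util.Date";
            // on the fixed 2.x line the default loader rejects global tags.
            System.out.println("weak loader, tagged doc: " + loadWeak(TAGGED).getClass());
        } catch (YAMLException e) {
            System.out.println("weak loader, tagged doc: rejected (" + e.getClass().getSimpleName() + ")");
        }
        try {
            loadSafe(TAGGED);
        } catch (YAMLException e) {
            // SafeConstructor raises ConstructorException for the unknown tag
            System.out.println("safe loader, tagged doc: rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Patching to the fixed Atlassian versions listed below removes the dependency on application code getting this right; the SafeConstructor form is the check to look for when reviewing any in-house code that also loads YAML from untrusted sources.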

Affected products and required actions

  • Automation for Jira (A4J) Marketplace App
      Patch to the following fixed versions or later: 9.0.2, 8.2.4
      Mitigations: Upgrade via the Universal Plugin Manager (UPM).

  • Bitbucket Data Center & Server
      Patch to the following fixed versions or later: 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.15.0 (Data Center Only), 8.16.0 (Data Center Only)

  • Confluence Data Center & Server
      Patch to the following fixed versions or later: 7.19.17 (LTS), 8.4.5, 8.5.4 (LTS), 8.6.2 (Data Center Only), 8.7.1 (Data Center Only)
      Fixed in the following versions: the fix is also contained in 7.13.18, 7.19.10, and 8.3.1; however, these versions also contain previously communicated security vulnerabilities.

  • Confluence Cloud Mitigation App (CCMA)
      Patch to the following fixed versions or later: 3.4.0

  • Jira Core Data Center & Server, Jira Software Data Center & Server
      Patch to the following fixed versions or later: 9.11.2, 9.12.0 (LTS), 9.4.14 (LTS)
      Mitigations: If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).

  • Jira Service Management Data Center & Server
      Patch to the following fixed versions or later: 5.11.2, 5.12.0 (LTS), 5.4.14 (LTS). Upgrading Jira to a fixed version is also required.
      Mitigations: If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).


Additional Resources

https://confluence.atlassian.com/security/cve-2023-22522-rce-vulnerability-in-confluence-data-center-and-confluence-server-1319570362.html

https://confluence.atlassian.com/security/cve-2023-22523-rce-vulnerability-in-assets-discovery-1319248914.html

https://confluence.atlassian.com/security/cve-2023-22524-rce-vulnerability-in-atlassian-companion-app-for-macos-1319249492.html

https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-impacts-multiple-products-1296171009.html