Atlassian releases security updates to address high-severity bugs
Company advises users to upgrade their instances to the latest available version
Australian software firm Atlassian has released security updates to address four high-severity vulnerabilities in its Bamboo, Bitbucket, Confluence, and Jira products, which could be exploited by threat actors to achieve denial-of-service (DoS) and remote code execution (RCE) attacks.
Atlassian said the four vulnerabilities were addressed in the latest versions released last month.
The most severe of the four vulnerabilities is CVE-2023-22513, an RCE flaw within Bitbucket Data Center and Server, with a CVSS score of 8.5.
This flaw enables an authenticated attacker to execute arbitrary code with significant implications for confidentiality, integrity, and availability. Moreover, it doesn't necessitate any user interaction.
The issue was introduced in Bitbucket version 8.0.0 and affects a majority of releases up to version 8.14.0. To mitigate this vulnerability, users should upgrade to Bitbucket versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0, or newer.
Versions prior to 8.0.0, such as the 7.x series, are not affected by this vulnerability.
The second vulnerability, CVE-2023-22512, with a CVSS score of 7.5, is categorised as a denial-of-service (DoS) issue in the Confluence Data Center and Server products.
According to Atlassian, this vulnerability enables an unauthenticated attacker to disrupt the services of a vulnerable host (Confluence instance) connected to a network, causing a resource to become unavailable temporarily or indefinitely for its intended users.
The flaw was introduced in Confluence version 5.6 and affects product releases up to and including 8.5.0. To address the issue, Atlassian has released fixes in Confluence versions 7.19.14 and 8.5.1.
CVE-2022-25647, with a CVSS score of 7.5, is a third-party dependency flaw that was introduced in version 4.20.0 of Jira Service Management Data Center and Server.
This particular bug could potentially allow an unauthenticated attacker to expose assets within a user's environment that could then be exploited.
Atlassian has addressed the issue by releasing versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, and 5.11.0.
The fourth bug, CVE-2023-28709, which has a CVSS score of 7.5, pertains to a denial-of-service (DoS) issue within the Apache Tomcat server that affects Bamboo Data Center and Server.
This flaw potentially enables an attacker to expose assets within a user's environment that could be susceptible to exploitation.
The vulnerability was introduced in Bamboo Data Center and Server version 8.1.12 and has been resolved in versions 9.2.4, 9.3.1, or later.
To address these vulnerabilities, Atlassian advises users to upgrade their instances to the latest available version.
If, for any reason, upgrading to the latest version is not possible, users are strongly encouraged to upgrade to the minimum fix version provided by Atlassian to ensure the security of their systems.
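For teams that cannot jump straight to the latest release, the practical question is whether a given installed version falls inside the affected range and which of the listed fix versions is the minimum one for that release line. The script below is an added example written for this article, not Atlassian's own tooling; the version numbers are transcribed from the advisory summary above, while the branch-matching rule (prefer the fix on the same major.minor line, otherwise the next fix version above the installed one, and treat anything at or above the highest listed fix as patched) is an assumption about how the fix lists are meant to be read. The sample inventory at the bottom is constructed.

```python
"""Minimum-fix-version check for the four Atlassian advisories in the article.

Added example, not Atlassian's own code. Version data is taken from the
article; the branch-matching rule in assess() is an assumption.
"""
from typing import List, Optional, Tuple

# Advisory data as stated in the article: version that introduced the bug
# and the fix versions Atlassian lists for each product.
ADVISORIES = {
    "Bitbucket": {
        "cve": "CVE-2023-22513",
        "introduced": "8.0.0",
        "fixed_in": ["8.9.5", "8.10.5", "8.11.4", "8.12.2", "8.13.1", "8.14.0"],
    },
    "Confluence": {
        "cve": "CVE-2023-22512",
        "introduced": "5.6",
        "fixed_in": ["7.19.14", "8.5.1"],
    },
    "Jira Service Management": {
        "cve": "CVE-2022-25647",
        "introduced": "4.20.0",
        "fixed_in": ["4.20.25", "5.4.9", "5.9.2", "5.10.1", "5.11.0"],
    },
    "Bamboo": {
        "cve": "CVE-2023-28709",
        "introduced": "8.1.12",
        "fixed_in": ["9.2.4", "9.3.1"],
    },
}

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '8.12.2' into (8, 12, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def assess(product: str, installed: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, recommended_minimum_fix) for one installed instance.

    Rules (assumption, see module docstring):
      * below the version that introduced the bug     -> not vulnerable
      * at or above the highest listed fix version    -> not vulnerable
      * a fix exists on the same major.minor line     -> vulnerable only if below it
      * no fix on this line                           -> vulnerable; recommend the
                                                         next listed fix above it
    """
    advisory = ADVISORIES[product]
    current = parse_version(installed)
    introduced = parse_version(advisory["introduced"])
    fixes = sorted(parse_version(f) for f in advisory["fixed_in"])

    if current < introduced or current >= fixes[-1]:
        return False, None

    same_line = [f for f in fixes if f[:2] == current[:2]]
    if same_line:
        fix = same_line[0]
        if current < fix:
            return True, fmt(fix)
        return False, None  # already at or past the fix on this line

    # No fix on this release line: current < fixes[-1], so a higher fix exists.
    next_fix = min(f for f in fixes if f > current)
    return True, fmt(next_fix)


def assess_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Evaluate (product, installed_version) pairs; return only rows that need an upgrade."""
    rows = []
    for product, installed in inventory:
        vulnerable, fix = assess(product, installed)
        if vulnerable:
            rows.append((product, installed, ADVISORIES[product]["cve"], fix))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("Bitbucket", "8.12.1"),
        ("Confluence", "7.20.0"),
        ("Jira Service Management", "5.4.8"),
        ("Bamboo", "9.2.4"),
    ]
    for product, installed, cve, fix in assess_inventory(sample):
        print(f"{product} {installed}: affected by {cve}, upgrade to at least {fix}")
```

The same-line rule matters for Confluence and Bamboo in particular: an instance on a release line with no fix of its own (Confluence 7.20.x, Bamboo 9.1.x) has no patch-only path and must move to the next fixed line, which is exactly the case where the article's "upgrade to the minimum fix version" advice needs a version bump rather than a point release.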