Patch Now: Critical Atlassian Bugs Endanger Enterprise Apps

Four RCE vulnerabilities in Confluence, Jira, and other platforms, allow instance takeover and environment infestation.

The atlassian logo on a mobile phone screen
Source: Igor Golovnov via Alamy Stock Photo

It's time to patch again: Four critical security vulnerabilities in Atlassian software open the door to remote code execution (RCE) and subsequent lateral movement within enterprise environments. They are just the latest bugs to surface of late in the software maker's collaboration and DevOps platforms, which tend to be a favorite target for cyberattackers.

The vulnerabilities, which Atlassian issued fixes for on Tuesday, include:

  • CVE-2022-1471 (CVSS vulnerability severity score of 9.8 out of 10): Deserialization in the SnakeYAML library, affecting multiple Atlassian software platforms.

  • CVE-2023-22522 (CVSS 9): Authenticated template injection vulnerability affecting Confluence Server and Data Center. Someone logged into the system, even anonymously, can inject unsafe user input into a Confluence page and achieve RCE, according to Atlassian.

  • CVE-2023-22523 (CVSS 9.8): Privileged RCE in the Assets Discovery network-scanning tool for Jira Service Management Cloud, Server, and Data Center. According to Atlassian's advisory, "The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent."

  • CVE-2023-22524 (CVSS 9.6): RCE in the Atlassian Companion app for macOS, which is used for file editing in Confluence Data Center and Server. "An attacker could utilize WebSockets to bypass Atlassian Companion's blocklist and MacOS Gatekeeper to allow the execution of code," the advisory read.

Atlassian Bugs Are Catnip to Cyberattackers

The latest advisories come hard on the heels of a string of bug disclosures from Atlassian, which have been tied to both zero-day and post-patch exploitation.

Atlassian software is a popular target for threat actors, especially Confluence, which is a popular Web-based corporate wiki used for collaboration in cloud and hybrid server environments. It allows one-click connections to a variety of different databases, making its utility for attackers nonpareil. More than 60,000 customers use Confluence, including LinkedIn, NASA, and the New York Times.

If past is prologue, admins should patch the latest bugs immediately. In October, for instance, the software company rolled out security fixes for a max-severity RCE bug (CVSS 10) in Confluence Data Center and Server (CVE-2023-22515), which had been exploited prior to patching by a China-sponsored advanced persistent threat (APT) tracked as Storm-0062. A string of proof-of-concept exploits also quickly cropped up for it after disclosure, paving the way for mass exploitation attempts.

Quickly after, in November, another RCE bug reared its head in Confluence Data Center and Server that had been exploited as a zero-day in the wild, originally listed with a 9.1 CVSS score. However, a glut of active ransomware and other cyberattacks after patches were released prompted Atlassian to up the severity score to 10.

That same month, Atlassian revealed that the Bamboo continuous integration (CI) and continuous delivery (CD) server for software development, as well as Confluence Data Center and Server, were both vulnerable to yet another max-severity issue — this time in the Apache Software Foundation's (ASF) ActiveMQ message broker (CVE-2023-46604, CVSS 10). The bug, which was weaponized as an "n-day" bug, was also quickly furnished with PoC exploit code, allowing a remote attacker to execute arbitrary commands on affected systems. Atlassian has released fixes for both platforms.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights