Patch Now: Critical Atlassian Bugs Endanger Enterprise Apps
Four RCE vulnerabilities in Confluence, Jira, and other platforms allow instance takeover and environment infestation.
December 6, 2023
It's time to patch again: Four critical security vulnerabilities in Atlassian software open the door to remote code execution (RCE) and subsequent lateral movement within enterprise environments. They are just the latest bugs to surface of late in the software maker's collaboration and DevOps platforms, which tend to be a favorite target for cyberattackers.
The vulnerabilities, which Atlassian issued fixes for on Tuesday, include:
CVE-2022-1471 (CVSS vulnerability severity score of 9.8 out of 10): Deserialization in the SnakeYAML library, affecting multiple Atlassian software platforms.
CVE-2023-22522 (CVSS 9): Authenticated template injection vulnerability affecting Confluence Server and Data Center. Someone logged into the system, even anonymously, can inject unsafe user input into a Confluence page and achieve RCE, according to Atlassian.
CVE-2023-22523 (CVSS 9.8): Privileged RCE in the Assets Discovery network-scanning tool for Jira Service Management Cloud, Server, and Data Center. According to Atlassian's advisory, "The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent."
CVE-2023-22524 (CVSS 9.6): RCE in the Atlassian Companion app for macOS, which is used for file editing in Confluence Data Center and Server. "An attacker could utilize WebSockets to bypass Atlassian Companion's blocklist and MacOS Gatekeeper to allow the execution of code," the advisory read.
Atlassian Bugs Are Catnip to Cyberattackers
The latest advisories come hard on the heels of a string of bug disclosures from Atlassian, which have been tied to both zero-day and post-patch exploitation.
Atlassian software is a popular target for threat actors, especially Confluence, which is a popular Web-based corporate wiki used for collaboration in cloud and hybrid server environments. It allows one-click connections to a variety of different databases, making its utility for attackers nonpareil. More than 60,000 customers use Confluence, including LinkedIn, NASA, and the New York Times.
If past is prologue, admins should patch the latest bugs immediately. In October, for instance, the software company rolled out security fixes for a max-severity RCE bug (CVSS 10) in Confluence Data Center and Server (CVE-2023-22515), which had been exploited prior to patching by a China-sponsored advanced persistent threat (APT) tracked as Storm-0062. A string of proof-of-concept exploits also quickly cropped up for it after disclosure, paving the way for mass exploitation attempts.
Soon after, in November, another RCE bug reared its head in Confluence Data Center and Server that had been exploited as a zero-day in the wild, originally listed with a 9.1 CVSS score. However, a glut of active ransomware and other cyberattacks after patches were released prompted Atlassian to raise the severity score to 10.
That same month, Atlassian revealed that the Bamboo continuous integration (CI) and continuous delivery (CD) server for software development, as well as Confluence Data Center and Server, were both vulnerable to yet another max-severity issue — this time in the Apache Software Foundation's (ASF) ActiveMQ message broker (CVE-2023-46604, CVSS 10). The bug, which was weaponized as an "n-day" bug, was also quickly furnished with PoC exploit code, allowing a remote attacker to execute arbitrary commands on affected systems. Atlassian has released fixes for both platforms.