Atlassian RCE Bugs Plague Confluence, Bamboo
The security vulnerabilities allow full takeover of Atlassian instances, so admins should patch now.
Three just-disclosed remote code execution (RCE) security vulnerabilities open up Atlassian Confluence Data Center & Server, and Bamboo, to system takeover, the software company is warning.
Confluence is a popular Web-based corporate wiki used for collaboration in cloud and hybrid server environments that allows one-click connections to a variety of different databases. More than 60,000 customers use Confluence, including LinkedIn, NASA, and the New York Times.
Bamboo, meanwhile, is a continuous integration (CI) and continuous delivery (CD) server for software development that provides automated building and testing of software source code.
Successful exploitation of any of the flaws could offer a wide-open door into users' cloud infrastructure, software supply chain, and more. While threat actors need to be authenticated to be successful, no user interaction is required to exploit the bugs.
In Confluence, the vulnerabilities are tracked as CVE-2023-22505 (CVSS 8.5) and CVE-2023-22508 (CVSS 8.0). Both were patched in Confluence versions 8.3.2 and 8.4.0.
"This injection and RCE vulnerability allow an authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability," Atlassian noted in its security advisory on Confluence.
Meanwhile, the high-severity issue in the Bamboo Data Center (CVE-2023-22506, CVSS 7.5) was patched in versions 9.2.3 and 9.3.1.
"[An attacker can] modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability," according to Atlassian.
Given the sensitive role Atlassian products play within corporate networks, the US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to apply the patches to their Atlassian instances as soon as possible.