Atlassian RCE Bugs Plague Confluence, Bamboo
The security vulnerabilities allow full takeover of Atlassian instances, so admins should patch now.
Three just-disclosed remote code execution (RCE) vulnerabilities expose Atlassian Confluence Data Center & Server and Bamboo Data Center to full system takeover, the software company warns.
Confluence is a widely used Web-based corporate wiki for collaboration in cloud and hybrid server environments, with one-click connectors to a variety of databases. More than 60,000 customers use Confluence, including LinkedIn, NASA, and the New York Times.
Bamboo, meanwhile, is a continuous integration (CI) and continuous delivery (CD) server for software development that automates the building and testing of source code.
Successful exploitation of any of the flaws could give an attacker a foothold in users' cloud infrastructure, software supply chain, and more: a compromised wiki exposes internal documentation and credentials, while a compromised CI/CD server can tamper with the builds it produces. Threat actors need a valid account to exploit the bugs, but no further user interaction is required.
In Confluence, the vulnerabilities are tracked as CVE-2023-22505 (CVSS 8.5) and CVE-2023-22508 (CVSS 8.0). Both are fixed in Confluence versions 8.3.2 and 8.4.0.
"This injection and RCE vulnerability allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability," Atlassian noted in its security advisory on Confluence.
Meanwhile, the high-severity issue in Bamboo Data Center (CVE-2023-22506, CVSS 7.5) is fixed in versions 9.2.3 and 9.3.1.
"[An attacker can] modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability," according to Atlassian.
Given the privileged position Atlassian products occupy within corporate networks, the US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to apply the patches to their Atlassian instances as soon as possible.
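The practical question for an admin is whether each installed Confluence or Bamboo build is at or above the fixed versions named above. The following is an added example, not code from the article or from Atlassian: it takes the fixed-version lists quoted in this article and reports which of the three CVEs an installed version is still exposed to. The rule it applies to the fix list (each listed fix covers its own major.minor branch, and a branch with no listed fix counts as patched only if it is newer than the newest fix branch) is an assumption about how Atlassian backports fixes, and the inventory of instances is constructed for the example.

```python
"""Compare installed Confluence / Bamboo versions against the fixed versions
named in the July 2023 Atlassian advisories discussed above (added example)."""

# Fixed versions exactly as quoted in the article for each CVE.
FIXED_VERSIONS = {
    "CVE-2023-22505": ("Confluence Data Center & Server", ["8.3.2", "8.4.0"]),
    "CVE-2023-22508": ("Confluence Data Center & Server", ["8.3.2", "8.4.0"]),
    "CVE-2023-22506": ("Bamboo Data Center", ["9.2.3", "9.3.1"]),
}


def parse_version(text):
    """'8.3.2' -> (8, 3, 2). Pads short strings ('8.4' -> (8, 4, 0)) and
    drops a trailing suffix such as '-rc1' so the numeric compare still works."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(installed, fixed_versions):
    """Assumed semantics of an Atlassian fix list (not stated on the page):
    - if the installed major.minor branch has a listed fix, the install is
      patched only when it is at or above that fix (8.3.1 < 8.3.2 -> exposed);
    - a branch with no listed fix is patched only if it is newer than the
      newest fix branch (8.5.x is fine, 8.2.x and 9.1.x are exposed)."""
    version = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    for fix in fixes:
        if version[:2] == fix[:2]:
            return version >= fix
    return version[:2] > fixes[-1][:2]


def assess(product, installed):
    """Return the CVE IDs from FIXED_VERSIONS that `installed` is still exposed to."""
    return [
        cve
        for cve, (prod, fixes) in FIXED_VERSIONS.items()
        if prod == product and not is_patched(installed, fixes)
    ]


def report(inventory):
    """inventory: list of (hostname, product, installed version) tuples.
    Returns {hostname: [exposed CVE IDs]} with only the exposed hosts."""
    findings = {}
    for host, product, version in inventory:
        exposed = assess(product, version)
        if exposed:
            findings[host] = exposed
    return findings


if __name__ == "__main__":
    # Constructed inventory for the example; hostnames are hypothetical.
    SAMPLE_INVENTORY = [
        ("wiki-01.example.internal", "Confluence Data Center & Server", "8.3.1"),
        ("wiki-02.example.internal", "Confluence Data Center & Server", "8.4.1"),
        ("build-01.example.internal", "Bamboo Data Center", "9.3.0"),
        ("build-02.example.internal", "Bamboo Data Center", "9.2.3"),
    ]
    for host, cves in report(SAMPLE_INVENTORY).items():
        print(f"{host}: patch required for {', '.join(cves)}")
```

Feed `report()` the output of whatever inventory source you already have (the version string shown in the Confluence admin console or the Bamboo "About" page is enough); the check is purely numeric, so it runs offline against any list of instances.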