December 6, 2023 at 06:00PM
Atlassian has patched four critical vulnerabilities (CVE-2022-1471, CVE-2023-22522, CVE-2023-22523, CVE-2023-22524) with CVSS scores up to 9.8, affecting several of its platforms and carrying a risk of remote code execution (RCE). These follow a series of bugs in its widely used collaboration tools, where prior exploitation has prompted urgent updates.
Meeting Takeaways:
1. Atlassian has disclosed four critical security vulnerabilities across its software platforms, which could allow remote code execution and lateral movement in enterprise environments.
2. The vulnerabilities and their details are:
– CVE-2022-1471: A deserialization issue in the SnakeYAML library affecting multiple Atlassian platforms; rated 9.8/10 on the CVSS scale.
– CVE-2023-22522: An injection vulnerability in Confluence Server and Data Center allowing RCE by an attacker with even minimal authenticated access; rated 9/10 on the CVSS scale.
– CVE-2023-22523: A privileged RCE vulnerability in the Assets Discovery tool for Jira Service Management; rated 9.8/10 on the CVSS scale.
– CVE-2023-22524: An RCE vulnerability in the Atlassian Companion app for macOS, which is used for file editing in Confluence Data Center and Server; rated 9.6/10 on the CVSS scale.
3. Atlassian software, particularly Confluence, is commonly targeted by cyber attackers due to its widespread use for collaboration in a variety of organizations (e.g., LinkedIn, NASA, The New York Times).
4. There is a history of critical RCE bugs in Atlassian software, emphasizing the urgency for system admins to apply patches immediately when released.
5. Atlassian has already released patches for these vulnerabilities, further stressing the importance of promptly updating systems to mitigate risks.
6. Past exploits have included issues with Confluence, Bamboo, and ASF’s ActiveMQ, with evidence of active exploitation leading to increased severity assessments.
Action Item:
– Admins should apply the issued patches for Atlassian software without delay, since these products have a track record of being exploited once vulnerabilities become known.