Double trouble for VMware and Atlassian admins – there are critical flaws to fix

January 16, 2024 at 01:12PM

Critical vulnerabilities in Atlassian and VMware products have been revealed. Atlassian’s Confluence Data Center and Server have a flaw allowing remote code execution, and Jira Software Data Center and Server are susceptible to XML external entity attacks. VMware’s Aria Automation faces a missing access control issue, all requiring immediate patching to prevent exploitation.

The critical takeaways from the article:

1. Atlassian has disclosed two critical vulnerabilities:
– CVE-2023-22527: A template injection flaw that allows remote code execution, affecting Confluence Data Center and Server 8 versions released before December 5, 2023, with the maximum CVSS rating of 10 out of 10. The fix is to patch affected installations immediately by updating to the latest available version.
– CVE-2020-25649: A high-severity XML external entity (XXE) flaw in the FasterXML Jackson Databind library used by Jira Software Data Center and Server versions 8.20.0, 9.4.0, 9.5.0, and 9.6.0. Atlassian advises upgrading to the latest version of Jira Software Data Center and Server.

2. VMware has disclosed a critical vulnerability:
– CVE-2023-34063: A missing access control problem in all versions of Aria Automation earlier than 8.16. Upgrade to VMware Aria Automation 8.16 and apply the patch; note that once the patch is applied, the only supported upgrade path is to version 8.16, which VMware strongly recommends.

Admins are strongly advised to take immediate action to patch the vulnerabilities in order to avoid potential exploitation by malicious actors.