Atlassian Jira, Confluence, Bitbucket and macOS Companion app users are warned to update their software immediately due to four critical vulnerabilities allowing for remote code execution (RCE).
The Atlassian vulnerabilities disclosed last week are “more likely than not” to be targeted in exploitation campaigns, according to an Australian Cyber Security Centre alert, based on previous exploitation of Jira and Confluence bugs. Atlassian, an Australian software company, has more than 260,000 customers in more than 190 countries, including two-thirds of Fortune 500 companies.
One of the most severe bugs, rated by Atlassian as a 9.8 using the CVSS scale, requires Jira customers to uninstall Assets Discovery agent software from all devices before installing a patch to the main Assets Discovery application.
Another vulnerability, also rated 9.8, dates back to 2022 and is now known to impact a dozen Atlassian products including multiple Jira, Confluence and Bitbucket offerings.
Critical Atlassian vulnerabilities pose malware risks
Security flaws affecting Jira, Confluence, Bitbucket and the Atlassian Companion app for macOS could be used by attackers to remotely execute malicious code. Atlassian has released patches for all of these vulnerabilities, emphasizing the software updates are the only effective fix.
Ransomware exploitation of a previous Confluence bug, tracked as CVE-2023-22518, was reported last month. Threat actors were detected injecting Cerber ransomware after using CVE-2023-22518 to bypass authentication and gain administrator access to Confluence sites.
“The recent advisories have CVSS ratings ranging from 9.0 to 9.8, which makes these bugs Critical in severity. All could allow a remote attacker to execute arbitrary code on affected systems — similar to what we saw in November,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, which has tracked exploitation of CVE-2023-22518.
One of the newly reported vulnerabilities, tracked as CVE-2023-22522, enables authenticated users to add code to a Confluence template, which is executed upon loading a Confluence page with that template. Atlassian said users with anonymous access can also edit templates, which could help attackers evade detection.
“CVE-2023-22522 exploitation requires an authenticated attacker, meaning a user account, but [also] some customers have anonymous access enabled, which will allow the exploit assuming it’s internet-facing,” an Atlassian spokesperson told SC Media.
The other three vulnerabilities could be exploited by unauthenticated attackers, the spokesperson said.
Another vulnerability impacts Jira customers that use the Assets Discovery application. The app allows users to detect and collect information on hardware and software connected to a local network and import that information into Jira Service Management tools.
Atlassian said an RCE vulnerability, tracked as CVE-2023-22523, exists between Assets Discovery and Assets Discovery agents — software that allows offline devices to be detected by the Assets Discovery app.
All devices with an Assets Discovery agent installed need to have it manually uninstalled before the Assets Discovery app is updated for the vulnerability to be effectively patched, according to Atlassian. This poses a challenge for organizations with many remote devices that have Assets Discovery agents installed. Atlassian recommends blocking the port used to communicate with the agents (51337 by default) as a temporary mitigation if all agents cannot be immediately uninstalled.
Users of the Atlassian Companion app for Mac computers are also warned to update due to a flaw in which the WebSockets protocol can be used to bypass macOS Gatekeeper and Atlassian Companion’s blocklist to execute code on Confluence pages. The bug, tracked as CVE-2023-22524, only affects macOS users — the Windows companion app is not affected.
Java library bug rears its head 1 year later
The Atlassian advisory also discloses that an RCE vulnerability discovered in December 2022 impacts 12 products across the Jira, Confluence and Bitbucket brands. The flaw, tracked as CVE-2022-1471, exists in SnakeYAML, a YAML parsing library for Java that is used in the affected products. Vulnerable versions of SnakeYAML could execute malicious code while deserializing YAML content.
Atlassian said updating the SnakeYAML library is not sufficient, and the affected products must be updated to their latest versions to remediate the issue. A full list of affected products is provided in Atlassian’s advisory.
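For readers who maintain their own Java applications that parse YAML, the following added example (not code from the article, from Atlassian, or from the SnakeYAML project) shows the difference between the parsing pattern that CVE-2022-1471 affects and the hardened form. The vulnerable behaviour is that SnakeYAML's default `Constructor` resolves a global `!!` tag to a class name on the classpath and instantiates it, so YAML from an untrusted source can drive arbitrary object construction. Using `SafeConstructor` restricts the parser to standard YAML types. The class name in the tagged sample document is a placeholder, the sample documents are constructed, and the code assumes SnakeYAML 1.33 or later (including 2.x) on the classpath. As the article notes, for the affected Atlassian products the vendor states that upgrading the library alone is not sufficient; this example is about application code that calls SnakeYAML directly.

```java
// Added example, not from the article or from Atlassian: parsing YAML from an
// untrusted source with SnakeYAML without exposure to CVE-2022-1471.
// Assumes SnakeYAML 1.33+ (or 2.x) on the classpath.
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoader {

    // Constructed sample: ordinary configuration data, no type tags.
    static final String BENIGN_DOC =
        "service:\n" +
        "  name: inventory\n" +
        "  port: 8080\n";

    // Constructed sample: the same document shape, but with a global "!!" tag
    // naming a Java class. With the default Constructor, SnakeYAML resolves such
    // a tag to a class on the classpath and instantiates it (CVE-2022-1471).
    // The class name is a placeholder, not a real gadget.
    static final String TAGGED_DOC =
        "service: !!com.example.Placeholder\n" +
        "  name: inventory\n";

    // Vulnerable pattern, shown for contrast only and never called here:
    //   Yaml yaml = new Yaml();                 // default Constructor
    //   Object o = yaml.load(untrustedInput);   // may instantiate arbitrary classes

    /** Parses untrusted YAML into plain collections and scalars only. */
    public static Object loadUntrusted(String doc) {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false); // reject ambiguous documents outright
        // SafeConstructor builds only standard YAML types (maps, lists, strings,
        // numbers, booleans, timestamps); a tag naming a Java class is refused.
        Yaml yaml = new Yaml(new SafeConstructor(options));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        @SuppressWarnings("unchecked")
        Map<String, Object> cfg = (Map<String, Object>) loadUntrusted(BENIGN_DOC);
        System.out.println("parsed service: " + cfg.get("service"));

        try {
            loadUntrusted(TAGGED_DOC);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // SafeConstructor raises a ConstructorException (a YAMLException)
            // for the unknown global tag instead of loading the named class.
            System.out.println("rejected: " + e.getMessage().split("\n")[0]);
        }
    }
}
```

The benign document parses to a `Map` containing another `Map`; the tagged document is rejected before any class lookup takes place. Code-review checks for this class of bug look for `new Yaml()` or `new Yaml(new Constructor(...))` fed by network, file or user input, and for the library version in the dependency tree, since the vulnerable constructor is the default in affected 1.x releases.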
CVE-2022-1471 was previously found to pose a major risk to AI infrastructure servers when paired with another vulnerability found in TorchServe software in October. On its own, however, the bug is “moderately difficult to weaponize,” Rapid7 Security Research Manager Spencer McIntyre wrote.
The company wrote in an FAQ that the vulnerabilities were discovered as part of “an ongoing security review” it is conducting.
“As part of our commitment to continuous improvement, Atlassian recently enhanced its existing capabilities around third-party dependent security issues,” an Atlassian spokesperson told SC Media.
In addition to the discovery and exploitation of CVE-2023-22518 in November, Atlassian patched two other high-severity vulnerabilities affecting Jira, Confluence, Bitbucket and Bamboo in September.