On Tuesday, December 5, 2023, Atlassian published fixes for four critical-severity remote code execution (RCE) vulnerabilities impacting a variety of Atlassian products, including Atlassian Confluence Server and Data Center. The vulnerabilities were discovered by Atlassian as part of a security review and have not been actively exploited by threat actors. Additionally, we have not observed a public proof of concept (PoC) exploit published for any of the vulnerabilities.
Threat actors have historically targeted vulnerabilities in the Atlassian products impacted by the four vulnerabilities described below to achieve actions on objectives, including data exfiltration and ransomware deployment. In November 2023, two critical vulnerabilities in Atlassian Confluence Data Center and Server (CVE-2023-22515 and CVE-2023-22518) were targeted for exploitation by threat actors. Based on these precedents, we assess that threat actors are likely to attempt exploitation of one or more of the new vulnerabilities described in this bulletin in the near term.
Vulnerabilities
CVE | CVSS | Exploitation Status | Description |
CVE-2023-22523 | 9.8 – Critical | No Active Exploitation Observed | Remote Code Execution – A remote threat actor can abuse the communication channel between the Assets Discovery application and the Assets Discovery agent to perform privileged RCE on machines where the Assets Discovery agent is installed. |
CVE-2022-1471 | 9.8 – Critical | No Active Exploitation Observed | Remote Code Execution – A remote threat actor can exploit a deserialization flaw in the SnakeYAML library for Java (used by multiple Atlassian products), which can lead to RCE. |
CVE-2023-22524 | 9.6 – Critical | No Active Exploitation Observed | Remote Code Execution – A remote threat actor can bypass Atlassian Companion's blocklist and MacOS Gatekeeper by leveraging WebSockets. Note: This vulnerability only affects the Atlassian Companion App for MacOS. |
CVE-2023-22522 | 9.0 – Critical | No Active Exploitation Observed | Remote Code Execution – An authenticated threat actor, including one with only anonymous access, can inject specifically crafted user input into a Confluence page. Note: Atlassian cloud sites (sites accessed via an atlassian.net domain) are not affected by this vulnerability. |
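CVE-2022-1471 concerns how SnakeYAML's default constructor resolves type tags in documents it parses. The following Java snippet is an added illustration, not code from Atlassian or from this bulletin, showing the loading pattern the flaw concerns beside the hardened form that restricts construction to plain YAML types; the class name and the sample documents are assumptions.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import java.util.Map;

// Illustrative class name (assumption, not part of any Atlassian product).
public class YamlLoadingExample {

    // Pattern the CVE concerns: Yaml's default Constructor honours global "!!"
    // type tags in the document, so untrusted input can decide which Java class
    // is instantiated during deserialization.
    static Object loadUnsafe(String untrustedYaml) {
        return new Yaml().load(untrustedYaml);
    }

    // Hardened pattern: SafeConstructor only builds the standard YAML types
    // (maps, lists, strings, numbers, booleans, timestamps). Any global type
    // tag is rejected with a ConstructorException instead of being resolved
    // to a class. LoaderOptions can additionally cap document size and depth.
    static Object loadSafe(String untrustedYaml) {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);
        return new Yaml(new SafeConstructor(options)).load(untrustedYaml);
    }

    public static void main(String[] args) {
        // Constructed sample input: a benign settings document.
        String settings = "name: example-service\nport: 8080\nfeatures: [audit, sso]\n";
        @SuppressWarnings("unchecked")
        Map<String, Object> parsed = (Map<String, Object>) loadSafe(settings);
        System.out.println("port = " + parsed.get("port"));

        // Constructed sample input carrying a global type tag on a harmless
        // class. The safe loader refuses to construct it; the default loader
        // would instead try to instantiate whatever class the tag names.
        String tagged = "value: !!java.util.Date {}\n";
        try {
            loadSafe(tagged);
        } catch (ConstructorException e) {
            System.out.println("rejected tagged input: " + e.getMessage());
        }
    }
}
```

Upgrading the bundled SnakeYAML, as the Atlassian fixes do, is the complete remediation; the safe-loader pattern is the general defensive practice for any code that parses YAML from untrusted sources.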
Recommendations for CVE-2023-22523, CVE-2022-1471, CVE-2023-22524, and CVE-2023-22522
Apply the Available Security Patches to Applicable Products
Atlassian released security patches for all impacted products. We recommend applying the latest relevant security patches to impacted products to mitigate the vulnerabilities and prevent potential exploitation.
Affected and Fixed Products/Versions
Product | Affected Version(s) | Fixed Version(s) | Vulnerability |
Atlassian Companion App (MacOS) | All versions < 2.0.0 | | CVE-2023-22524 |
Jira Service Management Cloud (Assets Discovery Component) | | | CVE-2023-22523 |
Jira Service Management Data Center and Server (Assets Discovery Component) | | | CVE-2023-22523 |
Confluence Data Center and Server | | | CVE-2023-22522, CVE-2022-1471 |
Automation for Jira (A4J) – Marketplace App & Server Lite Marketplace App | | | CVE-2022-1471 |
Bitbucket Data Center and Server | | | CVE-2022-1471 |
Confluence Cloud Migration App (CCMA) | | | CVE-2022-1471 |
Jira Core/Software Data Center and Server | | | CVE-2022-1471 |
Jira Service Management Data Center and Server | | | CVE-2022-1471 |
Please follow your organization's patching and testing guidelines to avoid operational impact.
Workarounds
If your organization is not able to apply the relevant security patches, we recommend following Atlassian’s provided workarounds until able to do so.
Affected Product | Mitigation |
Confluence Data Center and Server | Back up the instance and remove it from the internet until you are able to patch. |
Atlassian Companion App (MacOS) | Uninstall the Atlassian Companion App. |
Jira Service Management Cloud; Jira Service Management Data Center and Server | Uninstall the Assets Discovery agents. If that is not possible, block the port used for communication with the agents (the default port is 51337). Note: This temporary mitigation is not a replacement for uninstalling the agents. |
Automation for Jira (A4J) – Marketplace App & Server Lite Marketplace App; Bitbucket Data Center and Server; Jira Core/Software Data Center and Server; Jira Service Management Data Center and Server | Upgrade to a fixed version via the Universal Plugin Manager (UPM). |
References