CVE-2023-22523, CVE-2022-1471, CVE-2023-22524, and CVE-2023-22522: Four Critical RCE Vulnerabilities Impacting Multiple Atlassian Products

Share :

On Tuesday, December 5, 2023, Atlassian published fixes for four critical-severity remote code execution (RCE) vulnerabilities impacting a variety of Atlassian products, including Atlassian Confluence Server and Data Center. The vulnerabilities were discovered by Atlassian as part of a security review and have not been actively exploited by threat actors. Additionally, we have not observed a public proof of concept (PoC) exploit published for any of the vulnerabilities.  

Threat actors have historically targeted Atlassian vulnerabilities in products impacted by the four vulnerabilities described below to achieve actions on objectives, including data exfiltration and the deployment of ransomware. In November 2023, two recent critical vulnerabilities in Atlassian Confluence Data Center and Server (CVE-2023-22515 and CVE-2023-22518) were targeted by threat actors for exploitation. Based on these precedents, we assess that threat actors are also likely to attempt exploitation in the near term of one or more of the new vulnerabilities described in this bulletin.  

Vulnerabilities 

CVE-2023-22523  CVSS: 9.8 – Critical  No Active Exploitation Observed 
Remote Code Execution – A remote threat actor can target the area between the Assets Discovery application and Assets Discovery agent to perform privileged RCE on machines where the Assets Discovery agent is installed. 

 

CVE-2022-1471  CVSS: 9.8 – Critical  No Active Exploitation Observed 
Remote Code Execution – A remote threat actor can exploit a deserialization flaw in the SnakeYAML library for Java (used by multiple Atlassian products) which can lead to RCE. 

 

CVE-2023-22524  CVSS: 9.6 – Critical  No Active Exploitation Observed 
Remote Code Execution – A remote threat actor can bypass Atlassian Companion’s blocklist and MacOS Gatekeeper by leveraging WebSockets. 

Note: This vulnerability only affects the Atlassian Companion App for MacOS. 

CVE-2023-22522  CVSS: 9.0 – Critical  No Active Exploitation Observed 
Remote Code Execution – An anonymous authenticated threat actor can inject specifically crafted user input into a Confluence page. 

Note: Atlassian cloud sites (sites accessed via an atlassian.net domain) are not affected by this vulnerability. 

Recommendations CVE-2023-22523, CVE-2022-1471, CVE-2023-22524, and CVE-2023-22522

Apply the Available Security Patches to Applicable Products

Atlassian released security patches for all impacted products. We recommend applying the latest relevant security patches to impacted products to mitigate the vulnerabilities and prevent potential exploitation.  

Affected and Fixed Products/Versions

Product  Affected Version(s)  Fixed Version(s)  Vulnerability 
Atlassian Companion App (MacOS)  All versions < 2.0.0 
  • 2.0.0 or later 
CVE-2023-22524 
Jira Service Management Cloud (Assets Discovery Component) 
  • Insight Discovery 1.0 – 3.1.3 
  • Assets Discovery 3.1.4 – 3.1.7 
  • Assets Discovery 3.1.8-cloud – 3.1.11-cloud 
  • Assets Discovery 3.2.0-cloud or later 
CVE-2023-22523 
Jira Service Management Data Center and Server (Assets Discovery Component) 
  • Insight Discovery 1.0 – 3.1.7 
  • Assets Discovery 3.1.9 – 3.1.11 
  • Assets Discovery 6.0.0 – 6.1.14, 6.1.14-jira-dc-8 
  • Assets Discovery 6.2.0 or later 
CVE-2023-22523 
Confluence Data Center and Server 
  • All versions including and after 4.0.0 
  • 7.19.17 (LTS) 
  • 8.4.5 
  • 8.5.4 (LTS) 
  • 8.6.2 or later (Data Center Only) 
  • 8.7.1 or later (Data Center Only) 
CVE-2023-22522, CVE-2022-1471 
Automation for Jira (A4J) – Marketplace App & Server Lite Marketplace App 
  • 9.0.1 
  • 9.0.0 
  • <= 8.2.2 
  • 9.0.2 
  • 8.2.4 
CVE-2022-1471 
Bitbucket Data Center and Server 
  • Several versions between 7.17.x – 8.12.0 
  • 7.21.16 (LTS) 
  • 8.8.7 
  • 8.9.4 (LTS) 
  • 8.10.4  
  • 8.11.3  
  • 8.12.1  
  • 8.13.0 
  • 8.14.0 
  • 8.15.0 (Data Center Only) 
  • 8.16.0 (Data Center Only) 
CVE-2022-1471 
Confluence Cloud Migration App (CCMA) 
  • Plugin versions lower than 3.4.0. 
  • 3.4.0 
CVE-2022-1471 
Jira Core/Software Data Center and Server 
  • Several versions between 9.4.0 – 9.11.1 
  • 9.11.2 
  • 9.12.0 (LTS) 
  • 9.4.14 (LTS) 
CVE-2022-1471 
Jira Service Management Data Center and Server 
  • Several versions between 5.4.0 – 5.11.1 
  • 5.11.2  
  • 5.12.0 (LTS) 
  • 5.4.14 (LTS) 
CVE-2022-1471 

Please follow your organizations patching and testing guidelines to avoid operational impact. 

Workarounds

If your organization is not able to apply the relevant security patches, we recommend following Atlassian’s provided workarounds until able to do so.  

Affected Product  Mitigation 
Confluence Data Center and Sever  Back up instance and remove it from the internet until you are able to patch. 
Atlassian Companion App (MacOS)  Uninstall the Atlassian Companion App. 
Jira Service Management Cloud

Jira Service Management Data Center and Server 

Uninstall agents. If that is not possible, users may block the port used for communication with agents (the default port is 51337). 

Note: This temporary mitigation is not a replacement for uninstalling the agents. 

Automation for Jira (A4J) – Marketplace App & Server Lite Marketplace App

Bitbucket Data Center and Server

Jira Core/Software Data Center and Server

Jira Service Management Data Center and Server 

Upgrade to a fixed version via the Universal Plugin Manager (UPM). 

References

  1. Atlassian Article  
  2. CVE-2022-1471
  3. CVE-2023-22522
  4. CVE-2023-22523
  5. CVE-2023-22524 

Steven Campbell

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.
Share :
Table of Contents
Categories
Subscribe to our Monthly Newsletter