Threat actors have historically targeted Atlassian vulnerabilities in products affected by the four vulnerabilities described below to achieve goals such as data exfiltration and ransomware deployment.
Background:
Threat actors targeted two recent major vulnerabilities in the Atlassian Confluence Data Center and Server (CVE-2023-22515 and CVE-2023-22518) for exploitation in November 2023. Based on these precedents, we believe threat actors will soon attempt to exploit one or more of the new vulnerabilities detailed in this advisory.
Atlassian has released significant security upgrades to address various vulnerabilities in its product suite. These vulnerabilities, identified as CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, and CVE-2023-22523, offer serious risks including Remote Code Execution (RCE), across multiple Atlassian Data Center and Server Products.
These vulnerabilities have received high CVSS ratings, indicating their serious nature and the urgency with which they must be patched. CVE-2022-1471 in the SnakeYAML library gets the highest CVSS score of 9.8, indicating an elevated risk level.
Vulnerability Details:
CVE-2023-22522: Confluence Data Center and Confluence Server Remote Code Execution Vulnerability
The CVSS score for this vulnerability is 9. Using the Template Injection vulnerability, an authenticated attacker, including one with anonymous access, can enter unauthorized user input into a Confluence page. An attacker who successfully exploits the vulnerability may be able to achieve remote code execution on target instances.
CVE-2023-22523: Assets Discovery Remote Code Execution Vulnerability
The CVSS score for this vulnerability is 9.8. The flaw is located between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. Assets Discovery is a network scanning tool that can be obtained from the Atlassian Marketplace and works with Jira Service Management Cloud, Data Centre, or Server. It can also be used without the assistance of an agent.
An attacker who successfully exploits the vulnerability may be able to perform privileged Remote Code Execution on instances that have the Assets Discovery agent installed.
CVE-2023-22524: Atlassian Companion App for MacOS Remote Code Execution Vulnerability
This vulnerability has a CVSS score of 9.6. An attacker could use WebSockets to bypass Atlassian Companion’s and MacOS Gatekeeper’s blocklists and run code. The Atlassian Companion App for Confluence Data Center and Server is a desktop application that enhances file editing in the Confluence Data Center and Server. It enables users to make changes to files in their preferred desktop program before saving them to Confluence instances.
CVE-2022-1471: SnakeYAML Library Remote Code Execution Vulnerability
The CVSS score for this vulnerability is 9.8. The SnakeYAML library for Java’s deserialization issue may allow an attacker to achieve remote code execution on target instances. Atlassian Data Center and Server solutions that use the SnakeYAML library include Bitbucket Server, Jira Service Management Data Center, Jira Software Data Center, and Bitbucket Server.
On GitHub, there is a Proof-of-Concept (PoC) exploit code for the SnakeYAML library’s CVE-2022-1471 vulnerability released. Reiterating that several Atlassian products use the SnakeYAML library raises the possibility of RCE in the event that CVE-2022-1471 is exploited. CISA warns users and administrators to take the appropriate precautions, noting that attackers might leverage these vulnerabilities to take over impacted systems
Affected Versions:
| Product |
Affected Version(s) |
Fixed Version(s) |
Vulnerability |
| Atlassian Companion App (MacOS) |
All versions < 2.0.0 |
2.0.0 or later |
CVE-2023-22524 |
| Jira Service Management Cloud (Assets Discovery Component) |
- Insight Discovery 1.0 – 3.1.3
- Assets Discovery 3.1.4 – 3.1.7
- Assets Discovery 3.1.8-cloud – 3.1.11-cloud
|
- Assets Discovery 3.2.0-cloud or later
|
CVE-2023-22523 |
| Jira Service Management Data Center and Server (Assets Discovery Component) |
- Insight Discovery 1.0 – 3.1.7
- Assets Discovery 3.1.9 – 3.1.11
- Assets Discovery 6.0.0 – 6.1.14, 6.1.14-jira-dc-8
|
- Assets Discovery 6.2.0 or later
|
CVE-2023-22523 |
| Confluence Data Center and Server |
All versions including and after 4.0.0 |
- 7.19.17 (LTS)
- 8.4.5
- 8.5.4 (LTS)
- 8.6.2 or later (Data Center Only)
- 8.7.1 or later (Data Center Only)
|
CVE-2023-22522, CVE-2022-1471 |
| Automation for Jira (A4J) – Marketplace App & Server Lite Marketplace App |
|
|
CVE-2022-1471 |
| Bitbucket Data Center and Server |
Several versions between 7.17.x – 8.12.0 |
- 7.21.16 (LTS)
- 8.8.7
- 8.9.4 (LTS)
- 8.10.4
- 8.11.3
- 8.12.1
- 8.13.0
- 8.14.0
- 8.15.0 (Data Center Only)
- 8.16.0 (Data Center Only)
|
CVE-2022-1471 |
| Confluence Cloud Migration App (CCMA) |
Plugin versions lower than 3.4.0. |
3.4.0 |
CVE-2022-1471 |
| Jira Core/Software Data Center and Server |
Several versions between 9.4.0 – 9.11.1 |
- 9.11.2
- 9.12.0 (LTS)
- 9.4.14 (LTS)
|
CVE-2022-1471 |
| Jira Service Management Data Center and Server |
Several versions between 5.4.0 – 5.11.1 |
- 5.11.2
- 5.12.0 (LTS)
- 5.4.14 (LTS)
|
CVE-2022-1471 |
Workarounds:
In cases where it’s not feasible to promptly apply the required security patches, the following workarounds, as advised by Atlassian, should be considered until patching is possible:
Confluence Data Center and Server:
Create a backup of the instance and remove it from the internet until patching can be performed.
Atlassian Companion App (MacOS):
Uninstall the Atlassian Companion App as a precautionary measure.
Jira Service Management Cloud, Data Center, and Server:
It is recommended to uninstall agents. If uninstallation is not feasible, consider blocking the port used for communication with these agents (default port 51337). However, note that this is a temporary measure and not a substitute for agent uninstallation.
Automation for Jira (A4J)
Bitbucket Data Center and Server
Jira Core/Software Data Center and Server
Jira Service Management Data Center and Server:
Upgrade to a secure version via the Universal Plugin Manager (UPM) as an immediate measure.
These workarounds provide temporary relief but are not permanent solutions. Patching the vulnerabilities remains the recommended course of action.
Recommendations:
Atlassian has issued security updates for all affected products. To address the vulnerabilities and avoid potential exploitation, we recommend applying the most recent appropriate security patches to impacted products.
References:
https://community.atlassian.com/t5/Announcement-articles/Action-Required-RCE-Vulnerabilities-Identified-in-Multiple/ba-p/2552220
https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-impacts-multiple-products-1296171009.html
https://confluence.atlassian.com/security/cve-2023-22522-rce-vulnerability-in-confluence-data-center-and-confluence-server-1319570362.html
https://confluence.atlassian.com/security/cve-2023-22523-rce-vulnerability-in-assets-discovery-1319248914.html
https://confluence.atlassian.com/security/cve-2023-22524-rce-vulnerability-in-atlassian-companion-app-for-macos-1319249492.html
