-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.6945
                  Security Bulletin - November 21 2023
                               22 November 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Crowd Data Center and Server
                   Atlassian Confluence Data Center and Server
                   Atlassian Bitbucket Data Center and Server
                   Atlassian Bamboo Data Center and Server
                   Atlassian Jira Data Center and Server
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-44487 CVE-2023-42794 CVE-2023-34396 CVE-2023-22521
                   CVE-2023-22516 CVE-2023-2976 CVE-2022-45143 CVE-2022-42890
                   CVE-2022-42252 CVE-2022-42004 CVE-2022-42003 CVE-2022-41704
                   CVE-2022-40146 CVE-2022-28366 CVE-2022-25647 CVE-2021-46877
                   CVE-2021-40690 CVE-2021-37714 CVE-2021-28165 CVE-2020-36518
                   CVE-2017-9735 CVE-2017-7656

Original Bulletin:
   https://confluence.atlassian.com/security/security-bulletin-november-21-2023-1318881573.html

Comment: CVSS (Max):  8.5 CVE-2023-22516 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: Atlassian
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

November 2023 Security Bulletin

It is important to note that the issues included in this bulletin reflect a
recent increase in the scope of our disclosures; previously we focused on
disclosing first-party, critical-severity vulnerabilities via critical
advisories. The high-severity vulnerabilities included in this bulletin have
a lower impact than those in the critical advisories we have published
previously. While this change results in an increase of visibility and
disclosures, it does not mean there are more vulnerabilities. Rather, it
means that we are taking a more proactive approach to vulnerability
transparency and are committed to providing our customers with the
information they need to make informed decisions about updating our
products.

The vulnerabilities reported in this security bulletin include 26
high-severity vulnerabilities which have been fixed in new versions of our
products, released in the last month. These vulnerabilities are discovered
via our Bug Bounty program and pen-testing processes, as well as third-party
library scans.

Questions about the bulletin? Read more about this new format here.

Released Security Vulnerabilities

+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
| Summary                                     |Severity|CVSS |Affected Versions     | CVE ID       | More Details   | Public Date|
|                                             |        |Score|                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|Info Disclosure com.google.guava:guava in    |High    |7.1  |All versions including|CVE-2023-2976 |JSWSERVER-25415 |Nov 21, 2023|
|Jira Software Data Center and Server         |        |     |and after 8.20.0      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service)                      |High    |7.5  |All versions including|CVE-2022-25647|JSWSERVER-25412 |Nov 21, 2023|
|com.google.code.gson:gson in Jira Software   |        |     |and after 8.20.0      |              |                |            |
|Data Center and Server                       |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service) org.jsoup:jsoup in   |High    |7.5  |All versions including|CVE-2021-37714|JSWSERVER-25410 |Nov 21, 2023|
|Jira Software Data Center and Server         |        |     |and after 8.20.0      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|Deserialization                              |High    |7.5  |All versions including|CVE-2022-42004|JSWSERVER-25409 |Nov 21, 2023|
|com.fasterxml.jackson.core:jackson-databind  |        |     |and after 8.20.0      |              |                |            |
|in Jira Software Data Center and Server      |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service)                      |High    |7.5  |All versions including|CVE-2022-42003|JSWSERVER-25408 |Nov 21, 2023|
|com.fasterxml.jackson.core:jackson-databind  |        |     |and after 8.20.0      |              |                |            |
|in Jira Software Data Center and Server      |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service) jackson-databind in  |High    |7.5  |All versions including|CVE-2021-46877|JSWSERVER-25407 |Nov 21, 2023|
|Jira Software Data Center and Server         |        |     |and after 8.20.0      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service)                      |High    |7.5  |All versions including|CVE-2020-36518|JSWSERVER-25406 |Nov 21, 2023|
|com.fasterxml.jackson.core in Jira Software  |        |     |and after 8.20.0      |              |                |            |
|Data Center and Server                       |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service)                      |High    |7.5  |All versions including|CVE-2023-42794|JSWSERVER-25400 |Nov 21, 2023|
|org.apache.tomcat:tomcat-catalina in Jira    |        |     |and after 8.20.0      |              |                |            |
|Software Data Center and Server              |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service)                      |High    |7.5  |All versions including|CVE-2023-44487|JSWSERVER-25398 |Nov 21, 2023|
|io.netty:netty-codec-http2 in Jira Software  |        |     |and after 8.20.0      |              |                |            |
|Data Center and Server                       |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|Cache Poisoning                              |High    |7.5  |All versions including|CVE-2017-7656 |JSWSERVER-22148 |Nov 21, 2023|
|org.eclipse.jetty:jetty-server in Jira       |        |     |and after 8.20.0      |              |                |            |
|Software Data Center and Server              |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service)                      |High    |7.5  |All versions including|CVE-2021-28165|JSWSERVER-22145 |Nov 21, 2023|
|org.eclipse.jetty:jetty-io in Jira Software  |        |     |and after 8.20.0      |              |                |            |
|Data Center and Server                       |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|Info Disclosure                              |High    |7.5  |All versions including|CVE-2017-9735 |JSWSERVER-22141 |Nov 21, 2023|
|org.eclipse.jetty:jetty-util in Jira         |        |     |and after 8.20.0      |              |                |            |
|Software Data Center and Server              |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|RCE (Remote Code Execution) in Crowd Data    |High    |8    |All versions including|CVE-2023-22521|CWD-6139        |Nov 21, 2023|
|Center and Server                            |        |     |and after 3.4.6       |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|SSRF org.apache.xmlgraphics in Confluence    |High    |7.5  |All versions including|CVE-2022-41704|CONFSERVER-93179|Nov 21, 2023|
|Data Center and Server                       |        |     |and after 6.13.0      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|SSRF org.apache.xmlgraphics:batik-bridge in  |High    |7.5  |All versions including|CVE-2022-40146|CONFSERVER-93178|Nov 21, 2023|
|Confluence Data Center and Server            |        |     |and after 6.13.0      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|XSS org.apache.xmlgraphics:batik-script in   |High    |7.5  |All versions including|CVE-2022-42890|CONFSERVER-93175|Nov 21, 2023|
|Confluence Data Center and Server            |        |     |and after 6.13.0      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|org.apache.tomcat:tomcat-catalina            |High    |7.5  |All versions including|CVE-2022-45143|CONFSERVER-93173|Nov 21, 2023|
|Vulnerability in Confluence Data Center and  |        |     |and after 6.13.0      |              |                |            |
|Server                                       |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service)                      |High    |7.5  |All versions including|CVE-2022-28366|CONFSERVER-93169|Nov 21, 2023|
|net.sourceforge.nekohtml:nekohtml in         |        |     |and after 6.13.0      |              |                |            |
|Confluence Data Center and Server            |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|Request Smuggling                            |High    |7.5  |All versions including|CVE-2022-42252|CONFSERVER-93168|Nov 21, 2023|
|org.apache.tomcat:tomcat-coyote in           |        |     |and after 6.13.0      |              |                |            |
|Confluence Data Center and Server            |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service)                      |High    |7.5  |All versions including|CVE-2023-42794|CONFSERVER-93164|Nov 21, 2023|
|org.apache.tomcat:tomcat-catalina in         |        |     |and after 6.13.0      |              |                |            |
|Confluence Data Center and Server            |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service)                      |High    |7.5  |All versions including|CVE-2023-44487|CONFSERVER-93163|Nov 21, 2023|
|io.netty:netty-codec-http2 in Confluence     |        |     |and after 6.13.0      |              |                |            |
|Data Center and Server                       |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|Third-Party Dependency in Bitbucket Data     |High    |7.5  |All versions including|CVE-2021-40690|BSERV-18986     |Nov 21, 2023|
|Center and Server                            |        |     |and after 7.21.0      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service) apache-struts in     |High    |7.5  |All versions including|CVE-2023-34396|BAM-25501       |Nov 21, 2023|
|Bamboo Data Center and Server                |        |     |and after 8.1.0       |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service)                      |High    |7.5  |All versions including|CVE-2023-42794|BAM-25470       |Nov 21, 2023|
|org.apache.tomcat:tomcat-catalina in Bamboo  |        |     |and after 8.1.0       |              |                |            |
|Data Center and Server                       |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|DoS (Denial of Service)                      |High    |7.5  |All versions including|CVE-2023-44487|BAM-25469       |Nov 21, 2023|
|org.apache.tomcat:tomcat-coyote in Bamboo    |        |     |and after 8.1.0       |              |                |            |
|Data Center and Server                       |        |     |                      |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+
|RCE (Remote Code Execution) in Bamboo Data   |High    |8.5  |All versions including|CVE-2023-22516|BAM-25168       |Nov 21, 2023|
|Center and Server                            |        |     |and after 8.1.0       |              |                |            |
+---------------------------------------------+--------+-----+----------------------+--------------+----------------+------------+

What you need to do

To fix all the vulnerabilities in this bulletin, Atlassian recommends patching
your instances to the latest version. If you're unable to do so, patch to the
minimum fix version in the table below.

+--------------------------+--------------------------------------------------+
| Product                  | Fix Recommendation                               |
+--------------------------+--------------------------------------------------+
|Crowd Data Center and     |Patch to a minimum fix version of 5.1.6, 5.2.1 or |
|Server                    |latest                                            |
+--------------------------+--------------------------------------------------+
|Confluence Data Center and|Patch to a minimum fix version of 8.6.1 or latest |
|Server                    |                                                  |
+--------------------------+--------------------------------------------------+
|Bitbucket Data Center and |Patch to a minimum fix version of 7.21.18 or      |
|Server                    |latest                                            |
+--------------------------+--------------------------------------------------+
|Bamboo Data Center and    |Patch to a minimum fix version of 9.2.7, 9.3.4,   |
|Server                    |9.3.5 or latest                                   |
+--------------------------+--------------------------------------------------+
|Jira Data Center and      |Patch to a minimum fix version of 9.11.3 or latest|
|Server                    |                                                  |
+--------------------------+--------------------------------------------------+

To search for CVEs or check your products' versions for disclosed
vulnerabilities, check the Vulnerability Disclosure Portal.

Last modified on Nov 21, 2023

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZV1d8ckNZI30y1K9AQjQXQ//W12ayL/021SyMPIf5qGR/B+siDzVj0wN
OR7FPFiyDbLlaAYNTKyVTKHwHKBJ2GCLhtR1RboyIL6AE32KfWO05nbr84Lm65c/
OsIuH0RTe/sg+ACUXsLxH54jwHDsAbkKe6VoF6Id1Y3/YuqLzq3eCWtJAutOG7ws
x2qrvSJMGPNmH8WAZAXhJalwrkssM+1Sc/w8B4mhvh6adHbo8UzPKbnn2LtwWdZe
Ycre3EzJWWgrD4r8F3bd54CT5KfibdwE8sytb177tm5eRjeerPfnlBwdEUQ3IFgI
Isl0BZndVxc2JbUsTwAibq0RdMEk2O9nSdvOgH6Tu/3KOT9tHGpGDnOe6kH6bph3
gHlIqrKvGA67J6dHrsp2q8CelOgS7MyMcrZK4BzKRim1ySaNcBrnBEaD1TLBYxKz
cJCCTTkI3YZzDqT9clltv3ec2dTLYqGwCONFQATlQq6QKuKu66VGH3dz0hsjUMi/
7nDkgQKTYugDVGIIXIYpP6cQFDnwwJMxyVKPzN/d5IgrSs/5EYMDc2WqXNLhJIy/
5tUPucRxp3i9zlYLlCwVNSmVLhrQCJoHzzhnJWdFGubrtFBF2npYgH2RZQFUb2Ga
jKL1bNhFLRdOeZq0x9FPK/gLruDinML+uMrJVsnknmxnNU8KjzE6O1AVK4VrGdEL
QlDf+BfVJQM=
=Dhdl
-----END PGP SIGNATURE-----
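The bulletin's "What you need to do" section gives one minimum fix version per release line (Crowd 5.1.6 or 5.2.1; Bamboo 9.2.7, 9.3.4 or 9.3.5; and so on) plus "or latest". Turning that table into a repeatable check is the step a patch-management team actually needs. The following script is an added example, not AusCERT or Atlassian code: the fix-version table is copied from the bulletin above, while the product keys, the host inventory and the hostnames are constructed sample data. The release-line rule (compare against the listed fix on the same major.minor line, treat any newer line as covered by "or latest", and flag everything else) is this example's own interpretation of the bulletin's wording.

```python
"""Gate installed Atlassian Data Center / Server versions against the minimum
fix versions in Atlassian's November 21, 2023 security bulletin.

Added example for this bulletin; it is not AusCERT or Atlassian code. The
fix-version table is copied from the bulletin's "Fix Recommendation" table;
the inventory below is constructed sample data, not real hosts.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fix version(s) per product, from the bulletin. Where a product lists
# several, each is the first fixed release on its own release line
# (e.g. Crowd 5.1.6 for the 5.1.x line and 5.2.1 for the 5.2.x line).
MIN_FIX_VERSIONS: Dict[str, List[str]] = {
    "Crowd": ["5.1.6", "5.2.1"],
    "Confluence": ["8.6.1"],
    "Bitbucket": ["7.21.18"],
    "Bamboo": ["9.2.7", "9.3.4", "9.3.5"],
    "Jira": ["9.11.3"],
}

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '9.11.3' into (9, 11, 3); a trailing suffix such as '-beta1' is ignored."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def release_line(v: Version) -> Tuple[int, int]:
    """Release line = first two components, e.g. (9, 3) for Bamboo 9.3.x."""
    return (v[0], v[1] if len(v) > 1 else 0)


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def assess(product: str, installed: str) -> Tuple[str, str]:
    """Return (status, reason); status is 'fixed' or 'vulnerable'.

    Follows the bulletin's "minimum fix version ... or latest" wording:
      * same release line as a listed fix version: fixed iff installed >= that
        version (the lowest listed version on the line is the minimum);
      * newer release line than every listed fix version: treated as fixed;
      * anything else: vulnerable (a line with no listed fix at or below it).
    """
    if product not in MIN_FIX_VERSIONS:
        raise KeyError(f"no fix recommendation for {product!r} in this bulletin")
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in MIN_FIX_VERSIONS[product])
    same_line = [f for f in fixes if release_line(f) == release_line(inst)]
    if same_line:
        minimum = same_line[0]
        if inst >= minimum:
            return "fixed", f"{installed} >= minimum fix {fmt(minimum)} on its release line"
        return "vulnerable", f"{installed} < minimum fix {fmt(minimum)} on its release line"
    if release_line(inst) > release_line(fixes[-1]):
        return "fixed", f"{installed} is on a newer release line than any listed fix"
    return "vulnerable", (f"{installed} is on a release line with no listed fix; "
                          f"newest listed fix is {fmt(fixes[-1])}")


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("jira-01.example.internal", "Jira", "9.10.2"),
    ("jira-02.example.internal", "Jira", "9.11.3"),
    ("conf-01.example.internal", "Confluence", "8.6.0"),
    ("bamboo-01.example.internal", "Bamboo", "9.3.4"),
    ("crowd-01.example.internal", "Crowd", "5.1.5"),
    ("bb-01.example.internal", "Bitbucket", "8.9.0"),
]


def report(inventory: Optional[List[Tuple[str, str, str]]] = None
           ) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Group every instance as fixed or vulnerable, keeping the reason for each verdict."""
    rows = inventory if inventory is not None else SAMPLE_INVENTORY
    out: Dict[str, List[Tuple[str, str, str, str]]] = {"fixed": [], "vulnerable": []}
    for host, product, version in rows:
        status, reason = assess(product, version)
        out[status].append((host, product, version, reason))
    return out


if __name__ == "__main__":
    for status, entries in report().items():
        print(f"== {status} ({len(entries)}) ==")
        for host, product, version, reason in entries:
            print(f"{host:28} {product:11} {version:9} {reason}")
```

Two points in the design are worth noting. The comparison is done on release lines rather than on a single global threshold, because a product such as Bamboo has several fixed lines and 9.2.8, for example, is fixed even though it is numerically below 9.3.4. And the "newer line than any listed fix" branch only encodes the bulletin's "or latest" wording; it is the place to tighten the rule if your organisation prefers to treat unlisted lines as unverified rather than fixed.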