===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.6945
                   Security Bulletin - November 21 2023
                             22 November 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Crowd Data Center and Server
                   Atlassian Confluence Data Center and Server
                   Atlassian Bitbucket Data Center and Server
                   Atlassian Bamboo Data Center and Server
                   Atlassian Jira Data Center and Server
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-44487 CVE-2023-42794 CVE-2023-34396
                   CVE-2023-22521 CVE-2023-22516 CVE-2023-2976
                   CVE-2022-45143 CVE-2022-42890 CVE-2022-42252
                   CVE-2022-42004 CVE-2022-42003 CVE-2022-41704
                   CVE-2022-40146 CVE-2022-28366 CVE-2022-25647
                   CVE-2021-46877 CVE-2021-40690 CVE-2021-37714
                   CVE-2021-28165 CVE-2020-36518 CVE-2017-9735
                   CVE-2017-7656  

Original Bulletin: 
   https://confluence.atlassian.com/security/security-bulletin-november-21-2023-1318881573.html

Comment: CVSS (Max):  8.5 CVE-2023-22516 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: Atlassian
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

November 2023 Security Bulletin

It is important to note that the issues included in this bulletin reflect a
recent increase in the scope of our disclosures. Previously, we focused on
disclosing first-party, critical-severity vulnerabilities via critical
advisories. The high-severity vulnerabilities included in this bulletin have a
lower impact than the critical advisories we have published previously. While
this change results in an increase in visibility and disclosures, it does not
mean there are more vulnerabilities. Rather, it means we are taking a more
proactive approach to vulnerability transparency and are committed to providing
our customers with the information they need to make informed decisions about
updating our products.

The vulnerabilities reported in this security bulletin include 26 high-severity
vulnerabilities which have been fixed in new versions of our products released
in the last month. These vulnerabilities were discovered via our Bug Bounty
program and pen-testing processes, as well as third-party library scans.

+-----------------------------------------------------------------------------------------------------------+
|                                     Released Security Vulnerabilities                                     |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                  Summary                  |Severity|CVSS |Affected |    CVE ID    |  More Details  |Public|
|                                           |        |Score|Versions |              |                | Date |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|Info Disclosure com.google.guava:guava in  |        |     |versions |              |                |Nov   |
|Jira Software Data Center and Server       |High    |7.1  |including|CVE-2023-2976 |JSWSERVER-25415 |21,   |
|                                           |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service)                    |        |     |versions |              |                |Nov   |
|com.google.code.gson:gson in Jira Software |High    |7.5  |including|CVE-2022-25647|JSWSERVER-25412 |21,   |
|Data Center and Server                     |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service) org.jsoup:jsoup in |        |     |versions |              |                |Nov   |
|Jira Software Data Center and Server       |High    |7.5  |including|CVE-2021-37714|JSWSERVER-25410 |21,   |
|                                           |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|Deserialization                            |        |     |versions |              |                |Nov   |
|com.fasterxml.jackson.core:jackson-databind|High    |7.5  |including|CVE-2022-42004|JSWSERVER-25409 |21,   |
|in Jira Software Data Center and Server    |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service)                    |        |     |versions |              |                |Nov   |
|com.fasterxml.jackson.core:jackson-databind|High    |7.5  |including|CVE-2022-42003|JSWSERVER-25408 |21,   |
|in Jira Software Data Center and Server    |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service) jackson-databind in|        |     |versions |              |                |Nov   |
|Jira Software Data Center and Server       |High    |7.5  |including|CVE-2021-46877|JSWSERVER-25407 |21,   |
|                                           |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service)                    |        |     |versions |              |                |Nov   |
|com.fasterxml.jackson.core in Jira Software|High    |7.5  |including|CVE-2020-36518|JSWSERVER-25406 |21,   |
|Data Center and Server                     |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service)                    |        |     |versions |              |                |Nov   |
|org.apache.tomcat:tomcat-catalina in Jira  |High    |7.5  |including|CVE-2023-42794|JSWSERVER-25400 |21,   |
|Software Data Center and Server            |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service)                    |        |     |versions |              |                |Nov   |
|io.netty:netty-codec-http2 in Jira Software|High    |7.5  |including|CVE-2023-44487|JSWSERVER-25398 |21,   |
|Data Center and Server                     |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|Cache Poisoning                            |        |     |versions |              |                |Nov   |
|org.eclipse.jetty:jetty-server in Jira     |High    |7.5  |including|CVE-2017-7656 |JSWSERVER-22148 |21,   |
|Software Data Center and Server            |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service)                    |        |     |versions |              |                |Nov   |
|org.eclipse.jetty:jetty-io in Jira Software|High    |7.5  |including|CVE-2021-28165|JSWSERVER-22145 |21,   |
|Data Center and Server                     |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|Info Disclosure                            |        |     |versions |              |                |Nov   |
|org.eclipse.jetty:jetty-util in Jira       |High    |7.5  |including|CVE-2017-9735 |JSWSERVER-22141 |21,   |
|Software Data Center and Server            |        |     |and after|              |                |2023  |
|                                           |        |     |8.20.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|RCE (Remote Code Execution) in Crowd Data  |        |     |versions |              |                |Nov   |
|Center and Server                          |High    |8    |including|CVE-2023-22521|CWD-6139        |21,   |
|                                           |        |     |and after|              |                |2023  |
|                                           |        |     |3.4.6    |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|SSRF org.apache.xmlgraphics in Confluence  |        |     |versions |              |                |Nov   |
|Data Center and Server                     |High    |7.5  |including|CVE-2022-41704|CONFSERVER-93179|21,   |
|                                           |        |     |and after|              |                |2023  |
|                                           |        |     |6.13.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|SSRF org.apache.xmlgraphics:batik-bridge in|        |     |versions |              |                |Nov   |
|Confluence Data Center and Server          |High    |7.5  |including|CVE-2022-40146|CONFSERVER-93178|21,   |
|                                           |        |     |and after|              |                |2023  |
|                                           |        |     |6.13.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|XSS org.apache.xmlgraphics:batik-script in |        |     |versions |              |                |Nov   |
|Confluence Data Center and Server          |High    |7.5  |including|CVE-2022-42890|CONFSERVER-93175|21,   |
|                                           |        |     |and after|              |                |2023  |
|                                           |        |     |6.13.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|org.apache.tomcat:tomcat-catalina          |        |     |versions |              |                |Nov   |
|Vulnerability in Confluence Data Center and|High    |7.5  |including|CVE-2022-45143|CONFSERVER-93173|21,   |
|Server                                     |        |     |and after|              |                |2023  |
|                                           |        |     |6.13.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service)                    |        |     |versions |              |                |Nov   |
|net.sourceforge.nekohtml:nekohtml in       |High    |7.5  |including|CVE-2022-28366|CONFSERVER-93169|21,   |
|Confluence Data Center and Server          |        |     |and after|              |                |2023  |
|                                           |        |     |6.13.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|Request Smuggling                          |        |     |versions |              |                |Nov   |
|org.apache.tomcat:tomcat-coyote in         |High    |7.5  |including|CVE-2022-42252|CONFSERVER-93168|21,   |
|Confluence Data Center and Server          |        |     |and after|              |                |2023  |
|                                           |        |     |6.13.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service)                    |        |     |versions |              |                |Nov   |
|org.apache.tomcat:tomcat-catalina in       |High    |7.5  |including|CVE-2023-42794|CONFSERVER-93164|21,   |
|Confluence Data Center and Server          |        |     |and after|              |                |2023  |
|                                           |        |     |6.13.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service)                    |        |     |versions |              |                |Nov   |
|io.netty:netty-codec-http2 in Confluence   |High    |7.5  |including|CVE-2023-44487|CONFSERVER-93163|21,   |
|Data Center and Server                     |        |     |and after|              |                |2023  |
|                                           |        |     |6.13.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|Third-Party Dependency in Bitbucket Data   |        |     |versions |              |                |Nov   |
|Center and Server                          |High    |7.5  |including|CVE-2021-40690|BSERV-18986     |21,   |
|                                           |        |     |and after|              |                |2023  |
|                                           |        |     |7.21.0   |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service) apache-struts in   |        |     |versions |              |                |Nov   |
|Bamboo Data Center and Server              |High    |7.5  |including|CVE-2023-34396|BAM-25501       |21,   |
|                                           |        |     |and after|              |                |2023  |
|                                           |        |     |8.1.0    |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service)                    |        |     |versions |              |                |Nov   |
|org.apache.tomcat:tomcat-catalina in Bamboo|High    |7.5  |including|CVE-2023-42794|BAM-25470       |21,   |
|Data Center and Server                     |        |     |and after|              |                |2023  |
|                                           |        |     |8.1.0    |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|DoS (Denial of Service)                    |        |     |versions |              |                |Nov   |
|org.apache.tomcat:tomcat-coyote in Bamboo  |High    |7.5  |including|CVE-2023-44487|BAM-25469       |21,   |
|Data Center and Server                     |        |     |and after|              |                |2023  |
|                                           |        |     |8.1.0    |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                           |        |     |All      |              |                |      |
|RCE (Remote Code Execution) in Bamboo Data |        |     |versions |              |                |Nov   |
|Center and Server                          |High    |8.5  |including|CVE-2023-22516|BAM-25168       |21,   |
|                                           |        |     |and after|              |                |2023  |
|                                           |        |     |8.1.0    |              |                |      |
+-------------------------------------------+--------+-----+---------+--------------+----------------+------+

What you need to do

To fix all the vulnerabilities in this bulletin, Atlassian recommends patching
your instances to the latest version. If you're unable to do so, patch to the
minimum fix version in the table below.

+--------------------------+--------------------------------------------------+
|         Product          |                Fix Recommendation                |
+--------------------------+--------------------------------------------------+
|Crowd Data Center and     |Patch to a minimum fix version of 5.1.6, 5.2.1 or |
|Server                    |latest                                            |
+--------------------------+--------------------------------------------------+
|Confluence Data Center and|Patch to a minimum fix version of 8.6.1 or latest |
|Server                    |                                                  |
+--------------------------+--------------------------------------------------+
|Bitbucket Data Center and |Patch to a minimum fix version of 7.21.18 or      |
|Server                    |latest                                            |
+--------------------------+--------------------------------------------------+
|Bamboo Data Center and    |Patch to a minimum fix version of 9.2.7, 9.3.4,   |
|Server                    |9.3.5 or latest                                   |
+--------------------------+--------------------------------------------------+
|Jira Data Center and      |Patch to a minimum fix version of 9.11.3 or latest|
|Server                    |                                                  |
+--------------------------+--------------------------------------------------+
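A small version triage helper, added here as an example and not part of the Atlassian bulletin or AusCERT's text. It encodes the affected-version and fix-version tables above and treats an instance as fixed only when it sits at or above the listed fix version for its own major.minor line; a version newer than every listed fix is reported as needing confirmation, because the bulletin only covers such branches with "or latest". Product keys, hostnames and inventory versions are constructed.

```python
"""Check Atlassian Data Center/Server versions against the fix table above."""

# Constructed from the bulletin's two tables: the lowest affected version
# ("All versions including and after ...") and the listed minimum fix
# versions per product. Keys are lower-case product names (an assumption).
BULLETIN = {
    "crowd":      {"affected_from": "3.4.6",  "fix_versions": ["5.1.6", "5.2.1"]},
    "confluence": {"affected_from": "6.13.0", "fix_versions": ["8.6.1"]},
    "bitbucket":  {"affected_from": "7.21.0", "fix_versions": ["7.21.18"]},
    "bamboo":     {"affected_from": "8.1.0",  "fix_versions": ["9.2.7", "9.3.4", "9.3.5"]},
    "jira":       {"affected_from": "8.20.0", "fix_versions": ["9.11.3"]},
}


def parse_version(text):
    """'9.2.7' -> (9, 2, 7). A build suffix such as '-SNAPSHOT' is dropped."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def assess(product, version):
    """Classify one installed version against the bulletin.

    Returns one of:
      not_affected          - below the lowest affected version in the table
      fixed                 - on a listed fix branch, at or above that fix
      vulnerable            - affected and below every applicable fix version
      unknown_verify_latest - newer than every listed fix but on a branch the
                              bulletin only covers with "or latest"; confirm
                              against the Vulnerability Disclosure Portal
    """
    entry = BULLETIN[product.lower()]
    ver = parse_version(version)
    if ver < parse_version(entry["affected_from"]):
        return "not_affected"
    fixes = [parse_version(f) for f in entry["fix_versions"]]
    # A fix version only covers its own major.minor branch: Bamboo 9.3.0 is
    # not fixed just because 9.2.7 is numerically lower; it needs 9.3.4+.
    for fix in fixes:
        if ver[:2] == fix[:2] and ver >= fix:
            return "fixed"
    if ver > max(fixes):
        return "unknown_verify_latest"
    return "vulnerable"


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ci-01",   "bamboo",     "9.3.0"),
    ("ci-02",   "bamboo",     "9.2.7"),
    ("wiki-01", "confluence", "7.19.15"),
    ("jira-01", "jira",       "9.4.12"),
    ("git-01",  "bitbucket",  "8.9.0"),
    ("sso-01",  "crowd",      "3.4.5"),
]


def triage(inventory):
    """Return (host, product, version, status) for every inventory record."""
    return [(host, prod, ver, assess(prod, ver)) for host, prod, ver in inventory]


if __name__ == "__main__":
    for host, prod, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {prod:11} {ver:8} {status}")
```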

To search for CVEs or check your product versions for disclosed
vulnerabilities, use the Vulnerability Disclosure Portal.

Last modified on Nov 21, 2023

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================