-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0291
                   Security Bulletin - January 16 2024
                               17 January 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bitbucket Data Center
                   Bitbucket Server
                   Bamboo Data Center and Server
                   Jira Data Center and Server
                   Jira Service Management Data Center and Server
                   Crowd Data Center and Server
                   Confluence Data Center
                   Confluence Server
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-21674 CVE-2024-21673 CVE-2024-21672 CVE-2023-46589
                   CVE-2023-43642 CVE-2023-39410 CVE-2023-36478 CVE-2023-34455
                   CVE-2023-34454 CVE-2023-34453 CVE-2023-22526 CVE-2023-6481
                   CVE-2023-6378 CVE-2023-5072 CVE-2023-3635 CVE-2022-44729
                   CVE-2022-42252 CVE-2022-40152 CVE-2022-4244 CVE-2021-40690
                   CVE-2020-26217 CVE-2020-25649 CVE-2018-10054 CVE-2017-7957

Original Bulletin:
   https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html

Comment: CVSS (Max):  8.8 CVE-2020-26217 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Atlassian
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

January 2024 Security Bulletin

The vulnerabilities reported in this security bulletin include 28 high-severity
vulnerabilities which have been fixed in new versions of our products, as
detailed below. These vulnerabilities were discovered via our Bug Bounty
program and pen-testing processes, as well as third-party library scans.

NOTE: The vulnerabilities included in monthly Security Bulletins present a
lower impact than those published via Critical Security Advisories. Customers
can expect to receive those high-priority patches outside of our monthly
schedule as necessary.

To search for CVEs or check your products' versions for disclosed
vulnerabilities, check the Vulnerability Disclosure Portal.

Released Security Vulnerabilities
---------------------------------

Every entry below is rated High severity and was made public on Jan 16, 2024.
"Affected from" means all versions including and after the version listed.
The same third-party library CVE appears under more than one product (for
example CVE-2023-46589 under Crowd, Bitbucket and Bamboo) because each product
ships its own copy of the library, so each product needs its own upgrade.
Abbreviations: DoS = Denial of Service, RCE = Remote Code Execution,
SSRF = Server-Side Request Forgery, XXE = XML External Entity Injection.

Columns: CVE ID | CVSS | Affected from | More Details | Summary

Jira Software Data Center and Server
  CVE-2022-42252 | 7.5 | 9.4.0  | JSWSERVER-25468 | Request Smuggling, org.apache.tomcat:tomcat-coyote dependency
  CVE-2020-25649 | 7.5 | 8.20.0 | JSWSERVER-25461 | XXE, jackson-databind dependency

Jira Service Management Data Center and Server
  CVE-2022-44729 | 7.1 | 4.20.0 | JSDSERVER-14958 | SSRF, org.apache.xmlgraphics:batik-bridge dependency

Crowd Data Center and Server
  CVE-2021-40690 | 7.5 | 3.4.6  | CWD-6190 | Info Disclosure, org.apache.santuario:xmlsec dependency
  CVE-2023-46589 | 7.5 | 3.4.6  | CWD-6191 | Request Smuggling, org.apache.tomcat:tomcat-catalina dependency

Confluence Data Center and Server
  CVE-2023-3635  | 7.5 | 7.13.0 | CONFSERVER-93623 | DoS, com.squareup.okio:okio-jvm dependency
  CVE-2023-22526 | 7.2 | 7.13.0 | CONFSERVER-93516 | RCE in Confluence Data Center and Server
  CVE-2024-21672 | 8.3 | 2.1    | CONFSERVER-94064 | RCE in Confluence Data Center and Server
  CVE-2024-21673 | 8.0 | 1.0.0  | CONFSERVER-94065 | RCE in Confluence Data Center and Server
  CVE-2024-21674 | 8.6 | 1.0.0  | CONFSERVER-94066 | RCE in Confluence Data Center and Server

Bitbucket Data Center and Server
  CVE-2023-43642 | 7.5 | 7.21.0 | BSERV-19100 | DoS, org.xerial.snappy:snappy-java dependency
  CVE-2023-6481  | 7.5 | 7.21.0 | BSERV-19099 | DoS, ch.qos.logback:logback-core dependency
  CVE-2023-6378  | 7.5 | 7.21.0 | BSERV-19098 | DoS, ch.qos.logback:logback-core dependency
  CVE-2023-46589 | 7.5 | 7.21.0 | BSERV-19097 | Request Smuggling, org.apache.tomcat.embed:tomcat-embed-core dependency
  CVE-2023-34455 | 7.5 | 7.21.0 | BSERV-19096 | DoS, org.xerial.snappy:snappy-java dependency
  CVE-2023-34454 | 7.5 | 7.21.0 | BSERV-19095 | DoS, org.xerial.snappy:snappy-java dependency
  CVE-2023-34453 | 7.5 | 7.21.0 | BSERV-19094 | DoS, org.xerial.snappy:snappy-java dependency
  CVE-2023-36478 | 7.5 | 8.9.0  | BSERV-19044 | DoS, org.eclipse.jetty:jetty-http dependency
  CVE-2023-5072  | 7.5 | 7.17.0 | BSERV-19037 | DoS, org.json:json dependency

Bamboo Data Center and Server
  CVE-2023-36478 | 7.5 | 9.2.1 | BAM-25623 | DoS, org.eclipse.jetty:jetty-http dependency
  CVE-2023-39410 | 7.5 | 9.2.1 | BAM-25622 | DoS, org.apache.avro:avro dependency
  CVE-2020-26217 | 8.8 | 9.2.1 | BAM-25614 | RCE, org.jvnet.hudson:xstream dependency
  CVE-2017-7957  | 7.5 | 9.2.1 | BAM-25613 | DoS, org.jvnet.hudson:xstream dependency
  CVE-2022-4244  | 7.5 | 9.2.1 | BAM-25612 | Info Disclosure, org.codehaus.plexus:plexus-utils dependency
  CVE-2018-10054 | 8.8 | 9.1.0 | BAM-25609 | RCE, com.h2database:h2 dependency
  CVE-2023-5072  | 7.5 | 9.2.3 | BAM-25607 | DoS, org.json:json dependency
  CVE-2023-46589 | 7.5 | 9.2.1 | BAM-25606 | Request Smuggling, org.apache.tomcat:tomcat-catalina dependency
  CVE-2022-40152 | 7.5 | 9.2.1 | BAM-25640 | DoS, com.fasterxml.woodstox:woodstox-core dependency

What you need to do
-------------------

To fix all the vulnerabilities in this bulletin, Atlassian recommends patching
your instances to the latest version. If you're unable to do so, patch to the
minimum fix version in the table below.

Product                                          Patch to a minimum fix version of
-----------------------------------------------  --------------------------------------------
Bitbucket Data Center                            7.21.21, 8.9.9, 8.13.5, 8.14.4, 8.15.3,
                                                 8.16.2, 8.17.0 or latest
Bitbucket Server                                 7.21.21, 8.9.9, 8.13.5, 8.14.4
Bamboo Data Center and Server                    9.2.9, 9.3.6, 9.4.2 or latest
Jira Data Center and Server                      9.4.13, 9.7.0 or latest
Jira Service Management Data Center and Server   4.20.30, 5.4.15, 5.12.2 or latest
Crowd Data Center and Server                     5.2.2 or latest
Confluence Data Center                           7.19.18, 8.5.5, 8.7.2 or latest
Confluence Server                                7.19.18, 8.5.5

To search for CVEs or check your products' versions for disclosed
vulnerabilities, check the Vulnerability Disclosure Portal.

Last modified on Jan 16, 2024

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZac0x8kNZI30y1K9AQjTbA//el3fXhKyuBHefjU3+fl0+qNQ/NRZ3MVA
7mw7uqfCkJ3DNCw+Mkz5TlLavNUw1//RBYvHcRId73PlwbFApG4z5WYOJ4pOLEKa
800/l2jU3ehd/TJNrgBXbZOwS5j6YQhCGr0P3Li6IYX7z/uAw4mTKp37wPEOGXfM
vviuJE4dhgWCoo8EeJ1Eh2VQqXYliJrj+BgfZdRwvw8FGhPmqfTdCs8uHD/lD2bs
Swiabc+DnGLChRGKPygZuZz+GFBMIkPh3h5AAq8BvO45BLxM/4orCd8VkXW4TUQi
XgQByENLJuVmhq2RnBaSq8cqDEGiYejN26BjnwKDEtSG/WfTvpHr6d4Qoi+NHoL0
Z8UPgOr5H8RFXIwzt8L/30H40xyGHxDxgSR0VILrfvN7I1yK+JfwFbdbRi5MpTNp
BRLDmZdauT0L7b+P1Wc3Q45XozMS5zEdhKn8AXt9cWCt55TqwvBjvWA95kHiNdc6
4dY1SyZqEC0QFugjxKz8IiPKeQiAIWIlncTzuXUvPvXKO9NSEEwotao96TnB6dnB
v7Zl/6BmYxEDPB4rKQVlddudV+zG6zXvT3Nc3KKCV78IAlXZI0fvpSXubPhNlxjs
npBTR0If6yFy8va+/7Ha6+4u0qLvQ+dsp6nZyWAA0O8CZexZeqgXR+ijKnlgq7oZ
oKLJdbA4raw=
=Rren
-----END PGP SIGNATURE-----
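The "What you need to do" table in the bulletin above lists minimum fix versions per release line. The script below, an added example and not Atlassian's or AusCERT's code, checks an inventory of installed versions against that table. The product names and fix versions are transcribed from the bulletin; everything else is this example's own assumption: the sample inventory and hostnames are constructed, and the rule for reading a fix list (an instance on a release line that has a listed fix is judged against that fix; an instance at or beyond the newest listed fix is treated as fixed; any other line must move up to the next listed fix version) is the example's interpretation, which the bulletin does not spell out.

```python
"""Check installed Atlassian product versions against the bulletin's
"minimum fix version" table.

Added example, not Atlassian's or AusCERT's code. FIX_VERSIONS is transcribed
from the fix table in the bulletin. The rule in required_fix() for reading
that table is this example's assumption, not a statement from the bulletin.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Transcribed from the "What you need to do" table.
FIX_VERSIONS: Dict[str, List[str]] = {
    "Bitbucket Data Center": ["7.21.21", "8.9.9", "8.13.5", "8.14.4",
                              "8.15.3", "8.16.2", "8.17.0"],
    "Bitbucket Server": ["7.21.21", "8.9.9", "8.13.5", "8.14.4"],
    "Bamboo Data Center and Server": ["9.2.9", "9.3.6", "9.4.2"],
    "Jira Data Center and Server": ["9.4.13", "9.7.0"],
    "Jira Service Management Data Center and Server": ["4.20.30", "5.4.15", "5.12.2"],
    "Crowd Data Center and Server": ["5.2.2"],
    "Confluence Data Center": ["7.19.18", "8.5.5", "8.7.2"],
    "Confluence Server": ["7.19.18", "8.5.5"],
}


def parse_version(text: str) -> Version:
    """'8.13.5' -> (8, 13, 5); '8.17' -> (8, 17, 0).

    Only dotted integers are accepted: a suffix such as '-beta' raises
    instead of silently sorting in the wrong place."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    v = tuple(int(p) for p in parts)
    return v + (0,) * (3 - len(v)) if len(v) < 3 else v


def required_fix(product: str, installed: str) -> Optional[str]:
    """Return None when `installed` already meets the minimum fix version for
    `product`, otherwise the version string to upgrade to.

    Assumed reading of the fix list (this example's own, not the bulletin's):
      1. a major.minor line that has a listed fix is judged against that fix;
      2. anything at or beyond the newest listed fix counts as fixed
         ("or latest"), which this code applies to every product;
      3. any other line must move up to the next listed fix version.
    The "affected from" lower bounds in the vulnerability table are ignored:
    an instance older than every fix line is simply told to reach the lowest.
    """
    fixes = sorted((parse_version(f), f) for f in FIX_VERSIONS[product])
    have = parse_version(installed)
    same_line = [(v, s) for v, s in fixes if v[:2] == have[:2]]
    if same_line:
        fix_v, fix_s = same_line[0]
        return None if have >= fix_v else fix_s
    if have >= fixes[-1][0]:
        return None
    return next(s for v, s in fixes if v > have)


def audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, Optional[str]]:
    """Map each host to the version it must reach, or None if already fixed."""
    return {host: required_fix(product, ver) for host, product, ver in inventory}


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("bitbucket-01", "Bitbucket Data Center", "8.13.4"),     # listed line, below its fix
    ("bitbucket-02", "Bitbucket Data Center", "8.10.2"),     # line with no listed fix
    ("bitbucket-03", "Bitbucket Data Center", "8.18.1"),     # newer than every listed fix
    ("confluence-01", "Confluence Data Center", "7.19.18"),  # exactly the fix version
    ("jira-01", "Jira Data Center and Server", "9.4.12"),
    ("crowd-01", "Crowd Data Center and Server", "5.1.4"),
]

if __name__ == "__main__":
    for host, target in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14} {'OK' if target is None else 'UPGRADE to ' + target}")
```

Two caveats when running this against a real inventory: the Bitbucket Server and Confluence Server rows in the bulletin carry no "or latest", while this script treats every list as open-ended, so confirm the product edition before trusting an "OK" past those products' last listed line; and the script does not consult the "affected from" column, so an instance older than every listed fix line is reported as needing the lowest fix rather than as unaffected.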