===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0291
                    Security Bulletin - January 16 2024
                              17 January 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bitbucket Data Center
                   Bitbucket Server
                   Bamboo Data Center and Server
                   Jira Data Center and Server
                   Jira Service Management Data Center and Server
                   Crowd Data Center and Server
                   Confluence Data Center
                   Confluence Server
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-21674 CVE-2024-21673 CVE-2024-21672
                   CVE-2023-46589 CVE-2023-43642 CVE-2023-39410
                   CVE-2023-36478 CVE-2023-34455 CVE-2023-34454
                   CVE-2023-34453 CVE-2023-22526 CVE-2023-6481
                   CVE-2023-6378 CVE-2023-5072 CVE-2023-3635
                   CVE-2022-44729 CVE-2022-42252 CVE-2022-40152
                   CVE-2022-4244 CVE-2021-40690 CVE-2020-26217
                   CVE-2020-25649 CVE-2018-10054 CVE-2017-7957

Original Bulletin: 
   https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html

Comment: CVSS (Max):  8.8 CVE-2020-26217 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Atlassian
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

January 2024 Security Bulletin

The vulnerabilities reported in this security bulletin include 28 high-severity
vulnerabilities that have been fixed in new versions of our products, as
detailed below. These vulnerabilities were discovered via our Bug Bounty
program and penetration-testing processes, as well as third-party library scans.

NOTE: The vulnerabilities included in monthly Security Bulletins present a
lower impact than those published via Critical Security Advisories. Customers
can expect to receive those high-priority patches outside of our monthly
schedule as necessary.

To search for CVEs or check your products' versions for disclosed
vulnerabilities, check the Vulnerability Disclosure Portal.

+---------------------------------------------------------------------------------------------------------+
|                                    Released Security Vulnerabilities                                    |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                 Summary                 |Severity|CVSS |Affected |    CVE ID    |  More Details  |Public|
|                                         |        |Score|Versions |              |                | Date |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|Request Smuggling                        |        |     |All      |              |                |      |
|org.apache.tomcat:tomcat-coyote          |        |     |versions |              |                |Jan   |
|Dependency in Jira Software Data Center  |High    |7.5  |including|CVE-2022-42252|JSWSERVER-25468 |16,   |
|and Server                               |        |     |and after|              |                |2024  |
|                                         |        |     |9.4.0    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|XXE (XML External Entity Injection)      |        |     |versions |              |                |Jan   |
|jackson-databind Dependency in Jira      |High    |7.5  |including|CVE-2020-25649|JSWSERVER-25461 |16,   |
|Software Data Center and Server          |        |     |and after|              |                |2024  |
|                                         |        |     |8.20.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|SSRF org.apache.xmlgraphics:batik-bridge |        |     |versions |              |                |Jan   |
|Dependency in Jira Service Management    |High    |7.1  |including|CVE-2022-44729|JSDSERVER-14958 |16,   |
|Data Center and Server                   |        |     |and after|              |                |2024  |
|                                         |        |     |4.20.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|Info Disclosure                          |        |     |versions |              |                |Jan   |
|org.apache.santuario:xmlsec Dependency in|High    |7.5  |including|CVE-2021-40690|CWD-6190        |16,   |
|Crowd Data Center and Server             |        |     |and after|              |                |2024  |
|                                         |        |     |3.4.6    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|Request Smuggling                        |        |     |All      |              |                |      |
|org.apache.tomcat:tomcat-catalina        |        |     |versions |              |                |Jan   |
|Dependency in Crowd Data Center and      |High    |7.5  |including|CVE-2023-46589|CWD-6191        |16,   |
|Server                                   |        |     |and after|              |                |2024  |
|                                         |        |     |3.4.6    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service)                  |        |     |versions |              |                |Jan   |
|com.squareup.okio:okio-jvm Dependency in |High    |7.5  |including|CVE-2023-3635 |CONFSERVER-93623|16,   |
|Confluence Data Center and Server        |        |     |and after|              |                |2024  |
|                                         |        |     |7.13.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|RCE (Remote Code Execution) in Confluence|        |     |versions |              |                |Jan   |
|Data Center and Server                   |High    |7.2  |including|CVE-2023-22526|CONFSERVER-93516|16,   |
|                                         |        |     |and after|              |                |2024  |
|                                         |        |     |7.13.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|RCE (Remote Code Execution) in Confluence|        |     |versions |              |                |Jan   |
|Data Center and Server                   |High    |8.3  |including|CVE-2024-21672|CONFSERVER-94064|16,   |
|                                         |        |     |and after|              |                |2024  |
|                                         |        |     |2.1      |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|RCE (Remote Code Execution) in Confluence|        |     |versions |              |                |Jan   |
|Data Center and Server                   |High    |8.0  |including|CVE-2024-21673|CONFSERVER-94065|16,   |
|                                         |        |     |and after|              |                |2024  |
|                                         |        |     |1.0.0    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|RCE (Remote Code Execution) in Confluence|        |     |versions |              |                |Jan   |
|Data Center and Server                   |High    |8.6  |including|CVE-2024-21674|CONFSERVER-94066|16,   |
|                                         |        |     |and after|              |                |2024  |
|                                         |        |     |1.0.0    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service)                  |        |     |versions |              |                |Jan   |
|org.xerial.snappy:snappy-java Dependency |High    |7.5  |including|CVE-2023-43642|BSERV-19100     |16,   |
|in Bitbucket Data Center and Server      |        |     |and after|              |                |2024  |
|                                         |        |     |7.21.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service)                  |        |     |versions |              |                |Jan   |
|ch.qos.logback:logback-core Dependency in|High    |7.5  |including|CVE-2023-6481 |BSERV-19099     |16,   |
|Bitbucket Data Center and Server         |        |     |and after|              |                |2024  |
|                                         |        |     |7.21.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service)                  |        |     |versions |              |                |Jan   |
|ch.qos.logback:logback-core Dependency in|High    |7.5  |including|CVE-2023-6378 |BSERV-19098     |16,   |
|Bitbucket Data Center and Server         |        |     |and after|              |                |2024  |
|                                         |        |     |7.21.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|Request Smuggling                        |        |     |All      |              |                |      |
|org.apache.tomcat.embed:tomcat-embed-core|        |     |versions |              |                |Jan   |
|Dependency in Bitbucket Data Center and  |High    |7.5  |including|CVE-2023-46589|BSERV-19097     |16,   |
|Server                                   |        |     |and after|              |                |2024  |
|                                         |        |     |7.21.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service)                  |        |     |versions |              |                |Jan   |
|org.xerial.snappy:snappy-java Dependency |High    |7.5  |including|CVE-2023-34455|BSERV-19096     |16,   |
|in Bitbucket Data Center and Server      |        |     |and after|              |                |2024  |
|                                         |        |     |7.21.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service)                  |        |     |versions |              |                |Jan   |
|org.xerial.snappy:snappy-java Dependency |High    |7.5  |including|CVE-2023-34454|BSERV-19095     |16,   |
|in Bitbucket Data Center and Server      |        |     |and after|              |                |2024  |
|                                         |        |     |7.21.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service)                  |        |     |versions |              |                |Jan   |
|org.xerial.snappy:snappy-java Dependency |High    |7.5  |including|CVE-2023-34453|BSERV-19094     |16,   |
|in Bitbucket Data Center and Server      |        |     |and after|              |                |2024  |
|                                         |        |     |7.21.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service)                  |        |     |versions |              |                |Jan   |
|org.eclipse.jetty:jetty-http Dependency  |High    |7.5  |including|CVE-2023-36478|BSERV-19044     |16,   |
|in Bitbucket Data Center and Server      |        |     |and after|              |                |2024  |
|                                         |        |     |8.9.0    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service) org.json:json    |        |     |versions |              |                |Jan   |
|Dependency in Bitbucket Data Center and  |High    |7.5  |including|CVE-2023-5072 |BSERV-19037     |16,   |
|Server                                   |        |     |and after|              |                |2024  |
|                                         |        |     |7.17.0   |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service)                  |        |     |versions |              |                |Jan   |
|org.eclipse.jetty:jetty-http Dependency  |High    |7.5  |including|CVE-2023-36478|BAM-25623       |16,   |
|in Bamboo Data Center and Server         |        |     |and after|              |                |2024  |
|                                         |        |     |9.2.1    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service)                  |        |     |versions |              |                |Jan   |
|org.apache.avro:avro Dependency in Bamboo|High    |7.5  |including|CVE-2023-39410|BAM-25622       |16,   |
|Data Center and Server                   |        |     |and after|              |                |2024  |
|                                         |        |     |9.2.1    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|RCE (Remote Code Execution)              |        |     |versions |              |                |Jan   |
|org.jvnet.hudson:xstream Dependency in   |High    |8.8  |including|CVE-2020-26217|BAM-25614       |16,   |
|Bamboo Data Center and Server            |        |     |and after|              |                |2024  |
|                                         |        |     |9.2.1    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service)                  |        |     |versions |              |                |Jan   |
|org.jvnet.hudson:xstream Dependency in   |High    |7.5  |including|CVE-2017-7957 |BAM-25613       |16,   |
|Bamboo Data Center and Server            |        |     |and after|              |                |2024  |
|                                         |        |     |9.2.1    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|Info Disclosure                          |        |     |All      |              |                |      |
|org.codehaus.plexus:plexus-utils         |        |     |versions |              |                |Jan   |
|Dependency in Bamboo Data Center and     |High    |7.5  |including|CVE-2022-4244 |BAM-25612       |16,   |
|Server                                   |        |     |and after|              |                |2024  |
|                                         |        |     |9.2.1    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|RCE (Remote Code Execution)              |        |     |versions |              |                |Jan   |
|com.h2database:h2 Dependency in Bamboo   |High    |8.8  |including|CVE-2018-10054|BAM-25609       |16,   |
|Data Center and Server                   |        |     |and after|              |                |2024  |
|                                         |        |     |9.1.0    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|                                         |        |     |All      |              |                |      |
|DoS (Denial of Service) org.json:json    |        |     |versions |              |                |Jan   |
|Dependency in Bamboo Data Center and     |High    |7.5  |including|CVE-2023-5072 |BAM-25607       |16,   |
|Server                                   |        |     |and after|              |                |2024  |
|                                         |        |     |9.2.3    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|Request Smuggling                        |        |     |All      |              |                |      |
|org.apache.tomcat:tomcat-catalina        |        |     |versions |              |                |Jan   |
|Dependency in Bamboo Data Center and     |High    |7.5  |including|CVE-2023-46589|BAM-25606       |16,   |
|Server                                   |        |     |and after|              |                |2024  |
|                                         |        |     |9.2.1    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+
|DoS (Denial of Service)                  |        |     |All      |              |                |      |
|com.fasterxml.woodstox:woodstox-core     |        |     |versions |              |                |Jan   |
|Dependency in Bamboo Data Center and     |High    |7.5  |including|CVE-2022-40152|BAM-25640       |16,   |
|Server                                   |        |     |and after|              |                |2024  |
|                                         |        |     |9.2.1    |              |                |      |
+-----------------------------------------+--------+-----+---------+--------------+----------------+------+

What you need to do

To fix all the vulnerabilities in this bulletin, Atlassian recommends patching
your instances to the latest version. If you're unable to do so, patch to the
minimum fix version in the table below.

+-------------------------+---------------------------------------------------+
|         Product         |                Fix Recommendation                 |
+-------------------------+---------------------------------------------------+
|Bitbucket Data Center    |Patch to a minimum fix version of 7.21.21, 8.9.9,  |
|                         |8.13.5, 8.14.4, 8.15.3, 8.16.2, 8.17.0 or latest   |
+-------------------------+---------------------------------------------------+
|Bitbucket Server         |Patch to a minimum fix version of 7.21.21, 8.9.9,  |
|                         |8.13.5, 8.14.4                                     |
+-------------------------+---------------------------------------------------+
|Bamboo Data Center and   |Patch to a minimum fix version of 9.2.9, 9.3.6,    |
|Server                   |9.4.2 or latest                                    |
+-------------------------+---------------------------------------------------+
|Jira Data Center and     |Patch to a minimum fix version of 9.4.13, 9.7.0 or |
|Server                   |latest                                             |
+-------------------------+---------------------------------------------------+
|Jira Service Management  |Patch to a minimum fix version of 4.20.30, 5.4.15, |
|Data Center and Server   |5.12.2 or latest                                   |
+-------------------------+---------------------------------------------------+
|Crowd Data Center and    |Patch to a minimum fix version of 5.2.2 or latest  |
|Server                   |                                                   |
+-------------------------+---------------------------------------------------+
|Confluence Data Center   |Patch to a minimum fix version of 7.19.18, 8.5.5,  |
|                         |8.7.2 or latest                                    |
+-------------------------+---------------------------------------------------+
|Confluence Server        |Patch to a minimum fix version of 7.19.18, 8.5.5   |
+-------------------------+---------------------------------------------------+
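Turning the fix table above into a check that can be run over an inventory, as an added example that is not Atlassian's or AusCERT's tooling: it treats major.minor as a release branch (an assumption of this script, not a rule stated in the bulletin) and classifies each install as fixed, needing a patch within its branch, needing a move to a branch that has a fix, or newer than anything the table lists.

```python
"""Check installed Atlassian versions against the January 2024 bulletin's
"minimum fix version" table.  Added example, not Atlassian's or AusCERT's
tooling; the table below is transcribed from the bulletin and the branch
semantics (major.minor defines a branch) are an assumption of this script."""
from __future__ import annotations
import re
from typing import Optional

# Minimum fix versions per product, copied from the "What you need to do" table.
MIN_FIX_VERSIONS: dict[str, list[str]] = {
    "Bitbucket Data Center": ["7.21.21", "8.9.9", "8.13.5", "8.14.4",
                              "8.15.3", "8.16.2", "8.17.0"],
    "Bitbucket Server": ["7.21.21", "8.9.9", "8.13.5", "8.14.4"],
    "Bamboo Data Center and Server": ["9.2.9", "9.3.6", "9.4.2"],
    "Jira Data Center and Server": ["9.4.13", "9.7.0"],
    "Jira Service Management Data Center and Server": ["4.20.30", "5.4.15", "5.12.2"],
    "Crowd Data Center and Server": ["5.2.2"],
    "Confluence Data Center": ["7.19.18", "8.5.5", "8.7.2"],
    "Confluence Server": ["7.19.18", "8.5.5"],
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """'8.13.5' -> (8, 13, 5).  Pre-release or vendor-suffixed strings are
    rejected rather than silently compared, because '9.2.9-rc1' is not 9.2.9."""
    if not _VERSION_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in text.split("."))


def fmt(version: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in version)


def assess(product: str, installed: str) -> tuple[str, Optional[str]]:
    """Classify one install.  Returns (status, target) where status is
    'fixed', 'patch-within-branch', 'upgrade-branch' or 'newer-than-listed'
    and target is the version to move to (None when no move is needed)."""
    fixes = sorted(parse_version(v) for v in MIN_FIX_VERSIONS[product])
    inst = parse_version(installed)
    # A listed fix version applies directly when it shares major.minor with
    # the installed build (assumed branch semantics).
    same_branch = [f for f in fixes if f[:2] == inst[:2]]
    if same_branch:
        if inst >= same_branch[0]:
            return "fixed", None
        return "patch-within-branch", fmt(same_branch[0])
    # No fix on this branch: the bulletin's advice is to move to a branch
    # that has one, so pick the nearest listed fix version above the install.
    newer = [f for f in fixes if f > inst]
    if newer:
        return "upgrade-branch", fmt(newer[0])
    # Newer than every listed fix version: outside the table, so confirm
    # against the Vulnerability Disclosure Portal rather than assuming fixed.
    return "newer-than-listed", None


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames are not real.
    inventory = [
        ("bitbucket-01", "Bitbucket Data Center", "8.10.1"),
        ("bitbucket-02", "Bitbucket Data Center", "7.21.20"),
        ("jira-01", "Jira Data Center and Server", "9.4.14"),
        ("confluence-01", "Confluence Server", "8.7.1"),
    ]
    for host, product, version in inventory:
        status, target = assess(product, version)
        print(f"{host:14} {product:32} {version:9} {status:20} {target or '-'}")
```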

To search for CVEs or check your products' versions for disclosed
vulnerabilities, check the Vulnerability Disclosure Portal.

Last modified on Jan 16, 2024

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================