===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.1680                               
                     Security Bulletin - March 19 2024                     
                               20 March 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bamboo Data Center and Server                           
                   Bitbucket Data Center and Server                        
                   Confluence Data Center and Server                       
                   Jira Software Data Center and Server                    
Publisher:         Atlassian                                               
Operating System:  UNIX                                                    
                   Windows                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2022-45685 CVE-2022-40150 CVE-2022-29546            
                   CVE-2024-21634 CVE-2024-21677 CVE-2022-40146            
                   CVE-2022-42890 CVE-2022-41704 CVE-2023-1436             
                   CVE-2022-40149 CVE-2023-34455 CVE-2023-34454            
                   CVE-2023-34453 CVE-2023-36478 CVE-2022-28366            
                   CVE-2023-5072 CVE-2024-1597 CVE-2022-34169              
                   CVE-2023-39410 CVE-2022-24839 CVE-2022-3509             
                   CVE-2023-43642 CVE-2022-45688 CVE-2022-3171             

Original Bulletin:
   https://confluence.atlassian.com/security/security-bulletin-march-19-2024-1369444862.html

Comment: CVSS (Max):  10.0 CVE-2024-1597 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: Atlassian                                            
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


- --------------------------BEGIN INCLUDED TEXT--------------------

March 2024 Security Bulletin

This bulletin addresses vulnerabilities that have been resolved in Atlassian
self-managed products. Cloud products are not affected.

The vulnerabilities reported in this Security Bulletin include 24 high-severity
vulnerabilities and 1 critical-severity vulnerability which have been fixed in
new versions of our products, released in the last month. These vulnerabilities
are discovered via our Bug Bounty program, pen-testing processes, and
third-party library scans.

To fix all the vulnerabilities impacting your product(s), Atlassian recommends
patching your instances to the latest version or one of the Fixed Versions for
each product below. The listed Fixed Versions for each product are current as
of March 19, 2024 (date of publication); visit the linked product Release Notes
for the most up-to-date versions.

NOTE: The vulnerabilities included in monthly Security Bulletins present a
lower impact than those published via Critical Security Advisories. Customers
can expect to receive those high-priority patches outside of our monthly
schedule as necessary.

To search for CVEs or check your product versions for disclosed
vulnerabilities, check the Vulnerability Disclosure Portal.

Read more about our March bulletin updates and provide feedback on our
Community Post here.

+---------------------------------------------------------------------------------------------------+
|                                 Released Security Vulnerabilities                                 |
+----------+------------+---------------+-----------------------------------+--------------+--------+
|Product & |  Affected  |               |                                   |              |  CVSS  |
| Release  |  Versions  |Fixed Versions |       Vulnerability Summary       |    CVE ID    |Severity|
|  Notes   |            |               |                                   |              |        |
+----------+------------+---------------+-----------------------------------+--------------+--------+
|          |            |               |SQLi (SQL Injection)               |              |        |
|          |  o 9.5.0 to|               |org.postgresql:postgresql          |              |        |
|          |    9.5.1   |               |Dependency in Bamboo Data Center   |              |        |
|          |  o 9.4.0 to|               |and Server                         |              |        |
|          |    9.4.3   |               |                                   |              |        |
|          |  o 9.3.0 to|               |                                   |              |        |
|          |    9.3.6   |  o 9.6.0 (LTS)|NOTE: CVE-2024-1597 is a critical  |              |        |
|          |  o 9.2.0 to|    or 9.5.2   |vulnerability in a non-Atlassian   |CVE-2024-1597 |10.0    |
|Bamboo    |    9.2.11  |    recommended|Bamboo dependency. However,        |              |Critical|
|Data      |    (LTS)   |    Data Center|Atlassian's application of the     |              |        |
|Center and|  o 9.1.0 to|    Only       |dependency presents a lower        |              |        |
|Server    |    9.1.3   |  o 9.4.4      |assessed risk, which is why we are |              |        |
|          |  o 9.0.0 to|  o 9.2.12     |disclosing this vulnerability in   |              |        |
|          |    9.0.4   |    (LTS)      |our monthly Security Bulletin      |              |        |
|          |  o 8.2.0 to|               |instead of a Critical Security     |              |        |
|          |    8.2.9   |               |Advisory.                          |              |        |
|          |  o Any     |               +-----------------------------------+--------------+--------+
|          |    earlier |               |DoS (Denial of Service)            |              |        |
|          |    versions|               |software.amazon.ion:ion-java       |CVE-2024-21634|7.5 High|
|          |            |               |Dependency in Bamboo Data Center   |              |        |
|          |            |               |and Server                         |              |        |
+----------+------------+---------------+-----------------------------------+--------------+--------+
|          |  o 8.18.0  |               |                                   |              |        |
|          |  o 8.17.0  |               |                                   |              |        |
|          |    to      |               |                                   |              |        |
|          |    8.17.1  |               |                                   |              |        |
|          |  o 8.16.0  |               |                                   |              |        |
|          |    to      |               |                                   |              |        |
|          |    8.16.2  |               |                                   |              |        |
|          |  o 8.15.0  |  o 8.19.0     |                                   |              |        |
|          |    to      |    (LTS)      |                                   |              |        |
|          |    8.15.3  |    recommended|                                   |              |        |
|          |  o 8.14.0  |    Data Center|                                   |              |        |
|          |    to      |    Only       |                                   |              |        |
|          |    8.14.4  |  o 8.18.1     |                                   |              |        |
|          |  o 8.13.0  |  o 8.17.2     |                                   |              |        |
|Bitbucket |    to      |  o 8.16.3 to  |DoS (Denial of Service)            |              |        |
|Data      |    8.13.5  |    8.16.4     |software.amazon.ion:ion-java       |              |        |
|Center and|  o 8.12.0  |  o 8.15.4 to  |Dependency in Bitbucket Data Center|CVE-2024-21634|7.5 High|
|Server    |    to      |    8.15.5     |and Server                         |              |        |
|          |    8.12.3  |  o 8.14.5 to  |                                   |              |        |
|          |  o 8.11.0  |    8.14.6     |                                   |              |        |
|          |    to      |  o 8.13.6     |                                   |              |        |
|          |    8.11.1  |  o 8.9.10 to  |                                   |              |        |
|          |  o 8.10.0  |    8.9.11     |                                   |              |        |
|          |    to      |    (LTS)      |                                   |              |        |
|          |    8.10.1  |  o 7.21.22 to |                                   |              |        |
|          |  o 8.9.0 to|    7.21.23    |                                   |              |        |
|          |    8.9.9   |               |                                   |              |        |
|          |    (LTS)   |               |                                   |              |        |
|          |  o Any     |               |                                   |              |        |
|          |    earlier |               |                                   |              |        |
|          |    versions|               |                                   |              |        |
|          |    (except |               |                                   |              |        |
|          |    7.21.22)|               |                                   |              |        |
+----------+------------+---------------+-----------------------------------+--------------+--------+
|          |  o 8.8.0   |               |                                   |              |        |
|          |  o 8.7.0 to|               |                                   |              |        |
|          |    8.7.2   |               |                                   |              |        |
|          |            |               |                                   |              |        |
|          |  o 8.6.0 to|               |                                   |              |        |
|          |    8.6.2   |               |                                   |              |        |
|          |            |               |                                   |              |        |
|          |  o 8.5.0 to|               |                                   |              |        |
|          |    8.5.6   |               |                                   |              |        |
|          |    (LTS)   |               |                                   |              |        |
|          |            |               |Path Traversal in Confluence Data  |CVE-2024-21677|8.3 High|
|          |  o 8.4.0 to|               |Center                             |              |        |
|          |    8.4.5   |               |                                   |              |        |
|          |            |               |                                   |              |        |
|          |  o 8.3.0 to|               |                                   |              |        |
|          |    8.3.4   |               |                                   |              |        |
|          |            |               |                                   |              |        |
|          |  o 8.2.0 to|               |                                   |              |        |
|          |    8.2.3   |               |                                   |              |        |
|          |            |  o 8.8.1      |                                   |              |        |
|          |  o 8.1.0 to|    recommended|                                   |              |        |
|Confluence|    8.1.4   |    Data Center|                                   |              |        |
|Data      |            |    Only       +-----------------------------------+--------------+--------+
|Center and|  o 8.0.0 to|               |                                   |              |        |
|Server    |    8.0.4   |  o 8.5.7 (LTS)|                                   |              |        |
|          |            |               |                                   |              |        |
|          |  o 7.20.0  |  o 7.19.20    |                                   |              |        |
|          |    to      |    (LTS)      |                                   |              |        |
|          |    7.20.3  |               |                                   |              |        |
|          |            |               |                                   |              |        |
|          |  o 7.19.0  |               |                                   |              |        |
|          |    (LTS) to|               |                                   |              |        |
|          |    7.19.19 |               |                                   |              |        |
|          |    (LTS)   |               |DoS (Denial of Service)            |              |        |
|          |            |               |org.eclipse.jetty:jetty-http       |CVE-2023-36478|7.5 High|
|          |  o 7.18.0  |               |Dependency in Confluence Data      |              |        |
|          |    to      |               |Center and Server                  |              |        |
|          |    7.18.3  |               |                                   |              |        |
|          |            |               |                                   |              |        |
|          |  o 7.17.0  |               |                                   |              |        |
|          |    to      |               |                                   |              |        |
|          |    7.17.5  |               |                                   |              |        |
|          |            |               |                                   |              |        |
|          |  o Any     |               |                                   |              |        |
|          |    earlier |               |                                   |              |        |
|          |    versions|               |                                   |              |        |
|          |            |               |                                   |              |        |
+----------+------------+---------------+-----------------------------------+--------------+--------+
|          |            |               |DoS (Denial of Service)            |              |        |
|          |            |               |org.codehaus.jettison:jettison     |CVE-2022-40150|7.5 High|
|          |            |               |Dependency in Jira Software Data   |              |        |
|          |            |               |Center and Server                  |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |DoS (Denial of Service)            |              |        |
|          |            |               |org.xerial.snappy:snappy-java      |CVE-2023-34455|7.5 High|
|          |            |               |Dependency in Jira Software Data   |              |        |
|          |            |               |Center and Server                  |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |RCE (Remote Code Execution)        |              |        |
|          |            |               |org.apache.xmlgraphics:batik-script|CVE-2022-42890|7.5 High|
|          |            |               |Dependency in Jira Software Data   |              |        |
|          |            |               |Center and Server                  |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |RCE (Remote Code Execution)        |              |        |
|          |            |               |org.apache.xmlgraphics:batik-bridge|CVE-2022-41704|7.5 High|
|          |            |               |Dependency in Jira Software Data   |              |        |
|          |            |               |Center and Server                  |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |SSRF (Server-Side Request Forgery) |              |        |
|          |            |               |org.apache.xmlgraphics:batik-bridge|CVE-2022-40146|7.5 High|
|          |            |               |Dependency in Jira Software Data   |              |        |
|          |  o 9.12.0  |               |Center and Server                  |              |        |
|          |    to      |               +-----------------------------------+--------------+--------+
|          |    9.12.2  |               |DoS (Denial of Service)            |              |        |
|          |    LTS     |               |org.codehaus.jettison:jettison     |CVE-2023-1436 |7.5 High|
|          |  o 9.11.0  |               |Dependency in Jira Software Data   |              |        |
|          |    to      |               |Center and Server                  |              |        |
|          |    9.11.3  |               +-----------------------------------+--------------+--------+
|          |  o 9.10.0  |               |DoS (Denial of Service)            |              |        |
|          |    to      |               |org.codehaus.jettison:jettison     |CVE-2022-45685|7.5 High|
|          |    9.10.2  |               |Dependency in Jira Software Data   |              |        |
|          |  o 9.9.0 to|               |Center and Server                  |              |        |
|          |    9.9.2   |  o 9.14.1     +-----------------------------------+--------------+--------+
|          |  o 9.8.0 to|    recommended|DoS (Denial of Service)            |              |        |
|          |    9.8.2   |    or 9.14.0  |net.sourceforge.nekohtml:nekohtml  |CVE-2022-29546|7.5 High|
|          |  o 9.7.0 to|    Data Center|Dependency in Jira Software Data   |              |        |
|          |    9.7.2   |    Only       |Center and Server                  |              |        |
|          |  o 9.6.0   |  o 9.13.0 to  +-----------------------------------+--------------+--------+
|          |  o 9.5.0 to|    9.13.1     |DoS (Denial of Service)            |              |        |
|          |    9.5.1   |  o 9.12.3 to  |org.codehaus.jettison:jettison     |CVE-2022-40149|7.5 High|
|          |  o 9.4.0 to|    9.12.5     |Dependency in Jira Software Data   |              |        |
|          |    9.4.17  |    (LTS)      |Center and Server                  |              |        |
|          |    LTS     |  o 9.4.18     +-----------------------------------+--------------+--------+
|Jira      |  o 9.3.0 to|    (LTS)      |DoS (Denial of Service)            |              |        |
|Software  |    9.3.3   |               |org.apache.avro:avro Dependency in |CVE-2023-39410|7.5 High|
|Data      |  o 9.2.0 to|               |Jira Software Data Center and      |              |        |
|Center and|    9.2.1   |               |Server                             |              |        |
|Server    |  o 9.1.0 to|               +-----------------------------------+--------------+--------+
|          |    9.1.1   |               |DoS (Denial of Service)            |              |        |
|          |  o 9.0.0   |               |org.xerial.snappy:snappy-java      |CVE-2023-34454|7.5 High|
|          |  o Any     |               |Dependency in Jira Software Data   |              |        |
|          |    earlier |               |Center and Server                  |              |        |
|          |    versions|               +-----------------------------------+--------------+--------+
|          |            |               |DoS (Denial of Service)            |              |        |
|          |            |               |org.xerial.snappy:snappy-java      |CVE-2023-34453|7.5 High|
|          |            |               |Dependency in Jira Software Data   |              |        |
|          |            |               |Center and Server                  |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |DoS (Denial of Service)            |              |        |
|          |            |               |org.xerial.snappy:snappy-java      |CVE-2023-43642|7.5 High|
|          |            |               |Dependency in Jira Software Data   |              |        |
|          |            |               |Center and Server                  |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |DoS (Denial of Service)            |              |        |
|          |            |               |com.google.protobuf:protobuf-java  |CVE-2022-3509 |7.5 High|
|          |            |               |Dependency in Jira Software Data   |              |        |
|          |            |               |Center and Server                  |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |DoS (Denial of Service)            |              |        |
|          |            |               |com.google.protobuf:protobuf-java  |CVE-2022-3171 |7.5 High|
|          |            |               |Dependency in Jira Software Data   |              |        |
|          |            |               |Center and Server                  |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |DoS (Denial of Service)            |              |        |
|          |            |               |org.json:json Dependency in Jira   |CVE-2023-5072 |7.5 High|
|          |            |               |Software Data Center and Server    |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |DoS (Denial of Service)            |              |        |
|          |            |               |org.json:json Dependency in Jira   |CVE-2022-45688|7.5 High|
|          |            |               |Software Data Center and Server    |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |RCE (Remote Code Execution)        |              |        |
|          |            |               |xalan:xalan Dependency in Jira     |CVE-2022-34169|7.5 High|
|          |            |               |Software Data Center and Server    |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |DoS (Denial of Service)            |              |        |
|          |            |               |net.sourceforge.nekohtml:nekohtml  |CVE-2022-24839|7.5 High|
|          |            |               |Dependency in Jira Software Data   |              |        |
|          |            |               |Center and Server                  |              |        |
|          |            |               +-----------------------------------+--------------+--------+
|          |            |               |DoS (Denial of Service)            |              |        |
|          |            |               |net.sourceforge.nekohtml:nekohtml  |CVE-2022-28366|7.5 High|
|          |            |               |Dependency in Jira Software Data   |              |        |
|          |            |               |Center and Server                  |              |        |
+----------+------------+---------------+-----------------------------------+--------------+--------+

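Added example, not code from Atlassian or AusCERT: the script below transcribes the Bamboo and Bitbucket rows of the table above into version ranges and checks an installed version against them, including the "Any earlier versions" and "(except 7.21.22)" cases and the FAQ's "no backport on my line yet" fallback. The class and function names (Product, is_affected, fix_for) are this example's own, and the ranges are current only as of the bulletin's publication date.

```python
"""Added example, not code from Atlassian or AusCERT: check an installed version
against the affected/fixed ranges transcribed from the bulletin table above.
Names (Product, is_affected, fix_for) are this example's own."""
from __future__ import annotations

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'9.5.1' -> (9, 5, 1); tuples compare component-wise like version numbers."""
    return tuple(int(part) for part in text.strip().split("."))


class Product:
    def __init__(self, name: str, affected: list[tuple[str, str]], fixed: list[str],
                 recommended: str, exceptions: tuple[str, ...] = ()) -> None:
        self.name = name
        # Inclusive (low, high) pairs as printed in the "Affected Versions" column.
        self.affected = [(parse_version(lo), parse_version(hi)) for lo, hi in affected]
        # "Any earlier versions" means everything below the lowest listed range ...
        self.earlier_than = min(lo for lo, _ in self.affected)
        # ... except versions the table explicitly excludes, e.g. "(except 7.21.22)".
        self.exceptions = {parse_version(v) for v in exceptions}
        self.fixed = sorted(parse_version(v) for v in fixed)
        self.recommended = parse_version(recommended)

    def is_affected(self, version: str) -> bool:
        """True if the table lists this version as affected (as of 19 March 2024)."""
        v = parse_version(version)
        if v in self.exceptions or v in self.fixed:
            return False
        if v < self.earlier_than:
            return True
        return any(lo <= v <= hi for lo, hi in self.affected)

    def fix_for(self, version: str) -> str | None:
        """Lowest fixed version on the same major.minor line as the installed one,
        falling back to the recommended release when that line has no backport
        (the FAQ's 'your LTS version may not have been updated yet' case)."""
        if not self.is_affected(version):
            return None
        v = parse_version(version)
        same_line = [f for f in self.fixed if f[:2] == v[:2] and f > v]
        target = same_line[0] if same_line else self.recommended
        return ".".join(str(n) for n in target)


# Ranges transcribed from the table; Bitbucket 8.18.0 is a single affected release.
BAMBOO = Product(
    "Bamboo Data Center and Server",
    affected=[("9.5.0", "9.5.1"), ("9.4.0", "9.4.3"), ("9.3.0", "9.3.6"),
              ("9.2.0", "9.2.11"), ("9.1.0", "9.1.3"), ("9.0.0", "9.0.4"),
              ("8.2.0", "8.2.9")],
    fixed=["9.6.0", "9.5.2", "9.4.4", "9.2.12"],
    recommended="9.6.0",
)
BITBUCKET = Product(
    "Bitbucket Data Center and Server",
    affected=[("8.18.0", "8.18.0"), ("8.17.0", "8.17.1"), ("8.16.0", "8.16.2"),
              ("8.15.0", "8.15.3"), ("8.14.0", "8.14.4"), ("8.13.0", "8.13.5"),
              ("8.12.0", "8.12.3"), ("8.11.0", "8.11.1"), ("8.10.0", "8.10.1"),
              ("8.9.0", "8.9.9")],
    fixed=["8.19.0", "8.18.1", "8.17.2", "8.16.3", "8.16.4", "8.15.4", "8.15.5",
           "8.14.5", "8.14.6", "8.13.6", "8.9.10", "8.9.11", "7.21.22", "7.21.23"],
    recommended="8.19.0",
    exceptions=("7.21.22",),
)

if __name__ == "__main__":
    # Constructed sample inventory: (product, installed version).
    for product, installed in [(BAMBOO, "9.4.2"), (BAMBOO, "9.3.1"),
                               (BITBUCKET, "7.21.21"), (BITBUCKET, "7.21.22")]:
        if product.is_affected(installed):
            verdict = f"upgrade to {product.fix_for(installed)}"
        else:
            verdict = "not listed as affected"
        print(f"{product.name} {installed}: {verdict}")
```

Versions released after the publication date are not in the transcribed data, so a newer release on an otherwise "earlier" line will be reported as affected until the ranges are refreshed from the linked release notes.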

Frequently Asked Questions:

  o Why is my Feature Version not listed in a Fixed Version? You may be using 
    an unsupported version and need to patch to the latest version or Long-Term
    Support (LTS) version.

  o What are the most up-to-date Data Center product versions? You can always
    check the software download portal or visit the product-specific download
    pages.
      - Jira Software Data Center
      - Jira Service Management
      - Confluence Data Center
      - Bitbucket Data Center
      - Bamboo Data Center
      - Crowd Data Center

  o I am using an LTS; why is it not listed in the Fixed Versions? Your LTS
    version may not have been updated yet, or a backported fix may not have been
    feasible. Please see our Security Bug Fix Policy for more information. We
    recommend upgrading your products to the latest versions. For the latest
    fixed versions, visit the release notes linked in the vulnerability table.

  o Questions about the bulletin, or have feedback? Let us know! Read more about
    our bulletins and feel free to contribute feedback on our latest Community
    Post.


To search for CVEs or check your product versions for disclosed
vulnerabilities, check the Vulnerability Disclosure Portal.

Last modified on Mar 19, 2024

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================