===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.1680
                     Security Bulletin - March 19 2024
                               20 March 2024
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bamboo Data Center and Server
                   Bitbucket Data Center and Server
                   Confluence Data Center and Server
                   Jira Software Data Center and Server
Publisher:         Atlassian
Operating System:  UNIX
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-45685 CVE-2022-40150 CVE-2022-29546 CVE-2024-21634
                   CVE-2024-21677 CVE-2022-40146 CVE-2022-42890 CVE-2022-41704
                   CVE-2023-1436  CVE-2022-40149 CVE-2023-34455 CVE-2023-34454
                   CVE-2023-34453 CVE-2023-36478 CVE-2022-28366 CVE-2023-5072
                   CVE-2024-1597  CVE-2022-34169 CVE-2023-39410 CVE-2022-24839
                   CVE-2022-3509  CVE-2023-43642 CVE-2022-45688 CVE-2022-3171

Original Bulletin:
   https://confluence.atlassian.com/security/security-bulletin-march-19-2024-1369444862.html

Comment: CVSS (Max):  10.0 CVE-2024-1597 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: Atlassian
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

March 2024 Security Bulletin

This bulletin addresses vulnerabilities that have been resolved in Atlassian
self-managed products. Cloud products are not affected.

The vulnerabilities reported in this Security Bulletin include 24
high-severity vulnerabilities and 1 critical-severity vulnerability which
have been fixed in new versions of our products, released in the last month.
These vulnerabilities are discovered via our Bug Bounty program, pen-testing
processes, and third-party library scans.

To fix all the vulnerabilities impacting your product(s), Atlassian
recommends patching your instances to the latest version or one of the Fixed
Versions for each product below.
The listed Fixed Versions for each product are current as of March 19, 2024
(date of publication); visit the linked product Release Notes for the most
up-to-date versions.

NOTE: The vulnerabilities included in monthly Security Bulletins present a
lower impact than those published via Critical Security Advisories. Customers
can expect to receive those high-priority patches outside of our monthly
schedule as necessary.

To search for CVEs or check your product versions for disclosed
vulnerabilities, check the Vulnerability Disclosure Portal.

Read more about our March bulletin updates and provide feedback on our
Community Post.

Released Security Vulnerabilities
---------------------------------

Product: Bamboo Data Center and Server (see product Release Notes)

  Affected Versions:
    o 9.5.0 to 9.5.1
    o 9.4.0 to 9.4.3
    o 9.3.0 to 9.3.6
    o 9.2.0 to 9.2.11 (LTS)
    o 9.1.0 to 9.1.3
    o 9.0.0 to 9.0.4
    o 8.2.0 to 8.2.9
    o Any earlier versions

  Fixed Versions:
    o 9.6.0 (LTS) or 9.5.2 recommended (Data Center Only)
    o 9.4.4
    o 9.2.12 (LTS)

  Vulnerabilities:
    o CVE-2024-1597 (CVSS 10.0 Critical): SQLi (SQL Injection)
      org.postgresql:postgresql Dependency in Bamboo Data Center and Server.
      NOTE: CVE-2024-1597 is a critical vulnerability in a non-Atlassian
      Bamboo dependency. However, Atlassian's application of the dependency
      presents a lower assessed risk, which is why we are disclosing this
      vulnerability in our monthly Security Bulletin instead of a Critical
      Security Advisory.
    o CVE-2024-21634 (CVSS 7.5 High): DoS (Denial of Service)
      software.amazon.ion:ion-java Dependency in Bamboo Data Center and
      Server.

Product: Bitbucket Data Center and Server (see product Release Notes)

  Affected Versions:
    o 8.18.0
    o 8.17.0 to 8.17.1
    o 8.16.0 to 8.16.2
    o 8.15.0 to 8.15.3
    o 8.14.0 to 8.14.4
    o 8.13.0 to 8.13.5
    o 8.12.0 to 8.12.3
    o 8.11.0 to 8.11.1
    o 8.10.0 to 8.10.1
    o 8.9.0 to 8.9.9 (LTS)
    o Any earlier versions (except 7.21.22)

  Fixed Versions:
    o 8.19.0 (LTS) recommended (Data Center Only)
    o 8.18.1
    o 8.17.2
    o 8.16.3 to 8.16.4
    o 8.15.4 to 8.15.5
    o 8.14.5 to 8.14.6
    o 8.13.6
    o 8.9.10 to 8.9.11 (LTS)
    o 7.21.22 to 7.21.23

  Vulnerabilities:
    o CVE-2024-21634 (CVSS 7.5 High): DoS (Denial of Service)
      software.amazon.ion:ion-java Dependency in Bitbucket Data Center and
      Server.

Product: Confluence Data Center and Server (see product Release Notes)

  Affected Versions:
    o 8.8.0
    o 8.7.0 to 8.7.2
    o 8.6.0 to 8.6.2
    o 8.5.0 to 8.5.6 (LTS)
    o 8.4.0 to 8.4.5
    o 8.3.0 to 8.3.4
    o 8.2.0 to 8.2.3
    o 8.1.0 to 8.1.4
    o 8.0.0 to 8.0.4
    o 7.20.0 to 7.20.3
    o 7.19.0 (LTS) to 7.19.19 (LTS)
    o 7.18.0 to 7.18.3
    o 7.17.0 to 7.17.5
    o Any earlier versions

  Fixed Versions:
    o 8.8.1 recommended (Data Center Only)
    o 8.5.7 (LTS)
    o 7.19.20 (LTS)

  Vulnerabilities:
    o CVE-2024-21677 (CVSS 8.3 High): Path Traversal in Confluence Data
      Center.
    o CVE-2023-36478 (CVSS 7.5 High): DoS (Denial of Service)
      org.eclipse.jetty:jetty-http Dependency in Confluence Data Center and
      Server.

Product: Jira Software Data Center and Server (see product Release Notes)

  Affected Versions:
    o 9.12.0 to 9.12.2 (LTS)
    o 9.11.0 to 9.11.3
    o 9.10.0 to 9.10.2
    o 9.9.0 to 9.9.2
    o 9.8.0 to 9.8.2
    o 9.7.0 to 9.7.2
    o 9.6.0
    o 9.5.0 to 9.5.1
    o 9.4.0 to 9.4.17 (LTS)
    o 9.3.0 to 9.3.3
    o 9.2.0 to 9.2.1
    o 9.1.0 to 9.1.1
    o 9.0.0
    o Any earlier versions

  Fixed Versions:
    o 9.14.1 recommended or 9.14.0 (Data Center Only)
    o 9.13.0 to 9.13.1
    o 9.12.3 to 9.12.5 (LTS)
    o 9.4.18 (LTS)

  Vulnerabilities (all CVSS 7.5 High; each is a dependency in Jira Software
  Data Center and Server):
    o CVE-2022-40150: DoS (Denial of Service) org.codehaus.jettison:jettison
    o CVE-2023-34455: DoS (Denial of Service) org.xerial.snappy:snappy-java
    o CVE-2022-42890: RCE (Remote Code Execution) org.apache.xmlgraphics:batik-script
    o CVE-2022-41704: RCE (Remote Code Execution) org.apache.xmlgraphics:batik-bridge
    o CVE-2022-40146: SSRF (Server-Side Request Forgery) org.apache.xmlgraphics:batik-bridge
    o CVE-2023-1436:  DoS (Denial of Service) org.codehaus.jettison:jettison
    o CVE-2022-45685: DoS (Denial of Service) org.codehaus.jettison:jettison
    o CVE-2022-29546: DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml
    o CVE-2022-40149: DoS (Denial of Service) org.codehaus.jettison:jettison
    o CVE-2023-39410: DoS (Denial of Service) org.apache.avro:avro
    o CVE-2023-34454: DoS (Denial of Service) org.xerial.snappy:snappy-java
    o CVE-2023-34453: DoS (Denial of Service) org.xerial.snappy:snappy-java
    o CVE-2023-43642: DoS (Denial of Service) org.xerial.snappy:snappy-java
    o CVE-2022-3509:  DoS (Denial of Service) com.google.protobuf:protobuf-java
    o CVE-2022-3171:  DoS (Denial of Service) com.google.protobuf:protobuf-java
    o CVE-2023-5072:  DoS (Denial of Service) org.json:json
    o CVE-2022-45688: DoS (Denial of Service) org.json:json
    o CVE-2022-34169: RCE (Remote Code Execution) xalan:xalan
    o CVE-2022-24839: DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml
    o CVE-2022-28366: DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml
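As an added example (not part of the Atlassian bulletin or the AusCERT text), the following Python checker encodes the Bamboo row of the table above, affected ranges, fixed versions and CVE IDs exactly as listed, and reports whether an installed version is affected and which fixed version to move to. The version strings and CVE IDs are taken from the page; the selection rule "a fix on the same minor line if one exists, otherwise the recommended release" is this example's own assumption, not Atlassian's guidance.

```python
"""Check a Bamboo Data Center version against the bulletin's Bamboo row.
Ranges, fixed versions and CVE IDs are copied from the table above;
the upgrade-selection rule is an assumption of this example."""
from __future__ import annotations

# Affected ranges for Bamboo (inclusive bounds), as listed in the bulletin.
BAMBOO_AFFECTED = [
    ("9.5.0", "9.5.1"), ("9.4.0", "9.4.3"), ("9.3.0", "9.3.6"),
    ("9.2.0", "9.2.11"), ("9.1.0", "9.1.3"), ("9.0.0", "9.0.4"),
    ("8.2.0", "8.2.9"),
]
EARLIER_THAN = "8.2.0"  # "Any earlier versions" are also affected
# First entry is the recommended release ("9.6.0 (LTS) or 9.5.2 recommended").
BAMBOO_FIXED = ["9.6.0", "9.5.2", "9.4.4", "9.2.12"]
BAMBOO_CVES = ["CVE-2024-1597", "CVE-2024-21634"]


def parse(version: str) -> tuple[int, ...]:
    """'9.2.11' -> (9, 2, 11); a suffix such as '-rc1' is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def is_affected(version: str) -> bool:
    v = parse(version)
    if v < parse(EARLIER_THAN):
        return True
    return any(parse(lo) <= v <= parse(hi) for lo, hi in BAMBOO_AFFECTED)


def upgrade_target(version: str) -> str | None:
    """Fixed version on the same major.minor line if one is newer than
    the installed version, otherwise the recommended release; None if
    the installed version is not in an affected range."""
    if not is_affected(version):
        return None
    v = parse(version)
    for fixed in BAMBOO_FIXED:
        f = parse(fixed)
        if f[:2] == v[:2] and f > v:
            return fixed
    return BAMBOO_FIXED[0]


def check(version: str) -> dict:
    affected = is_affected(version)
    return {"version": version, "affected": affected,
            "cves": BAMBOO_CVES if affected else [],
            "upgrade_to": upgrade_target(version)}


if __name__ == "__main__":
    for v in ("9.2.5", "9.5.1", "9.5.2", "8.1.3"):
        print(check(v))
```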
Frequently Asked Questions:

  o Why is my Feature Version not listed in a Fixed Version?

    You may be using an unsupported version and need to patch to the latest
    version or Long-Term Support (LTS) version.

  o What are the most up-to-date Data Center product versions?

    You can always check the software download portal or visit the
    product-specific download pages:
      - Jira Software Data Center
      - Jira Service Management
      - Confluence Data Center
      - Bitbucket Data Center
      - Bamboo Data Center
      - Crowd Data Center

  o I am using an LTS, why is it not listed in the Fixed Versions?

    Your LTS version may not have been updated yet or a backported fix may
    not have been feasible. Please see our Security Bug Fix Policy for more
    information. We recommend upgrading your products to the latest versions.
    For the latest fixed versions, visit the release notes linked in the
    vulnerability table.

  o Questions about the bulletin, have feedback? Let us know!

    Read more about our bulletins and feel free to contribute feedback on our
    latest Community Post.

To search for CVEs or check your product versions for disclosed
vulnerabilities, check the Vulnerability Disclosure Portal.

Last modified on Mar 19, 2024

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================