===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.2373
                     Security Bulletin - April 16 2024
                               17 April 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Bamboo Data Center and Server
                   Atlassian Confluence Data Center and Server
                   Jira Service Management Data Center and Server
                   Jira Software Data Center and Server
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-22259 CVE-2024-21634 CVE-2023-1370
                   CVE-2024-22257 CVE-2024-22243 CVE-2023-52428

Original Bulletin:
   https://confluence.atlassian.com/security/security-bulletin-april-16-2024-1387857429.html

Comment: CVSS (Max):  8.2* CVE-2024-22257 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
         CVSS Source: Atlassian, [VMware], NIST
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

April 2024 Security Bulletin

The vulnerabilities reported in this Security Bulletin include 7
high-severity vulnerabilities which have been fixed in new versions of our
products, released in the last month. These vulnerabilities are discovered
via our Bug Bounty program, pen-testing processes, and third-party library
scans.

To fix all the vulnerabilities impacting your product(s), Atlassian
recommends patching your instances to the latest version or one of the
Fixed Versions for each product below. The listed Fixed Versions for each
product are current as of April 16, 2024 (date of publication); visit the
linked product Release Notes for the most up-to-date versions.
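The following checker is an added example and is not part of the bulletin or an Atlassian tool. It transcribes the Affected Versions and Fixed Versions from the table below, then reports for an installed version whether it is affected, which of the listed CVEs apply, and which listed fixed version on its own release line to move to. The short product keys, the `deployment` parameter (`"server"` or `"datacenter"`) and the sample inventory are this example's own; the rule that a version at or above a listed fixed version on the same major.minor line carries the fix, and that "Data Center Only" releases are unavailable to Server deployments, follows the table's own annotations.

```python
"""Check an installed Atlassian product version against the affected and
fixed versions in Atlassian's April 16 2024 Security Bulletin (ESB-2024.2373).
Added example: the range data is transcribed from the bulletin table; the
comparison logic is this example's own and not an Atlassian tool."""


def v(s):
    """'9.12.7' -> (9, 12, 7).  Integer tuples compare component-wise, which
    is exactly what the inclusive 'x to y' ranges in the table require."""
    return tuple(int(p) for p in s.split("."))


# Per product (keys are this example's short names): inclusive affected
# ranges, whether "Any earlier versions" is affected, fixed versions as
# (lowest fixed version on that line, data_center_only, note), and the CVEs.
BULLETIN = {
    "Bamboo": {
        "affected": [("9.6.0", "9.6.0"), ("9.5.0", "9.5.2"), ("9.4.0", "9.4.3"),
                     ("9.3.0", "9.3.6"), ("9.2.0", "9.2.12"), ("9.1.0", "9.1.3"),
                     ("9.0.0", "9.0.4"), ("8.2.0", "8.2.9")],
        "earlier_affected": True,
        "fixed": [("9.6.1", True, "LTS, recommended"), ("9.5.3", True, ""),
                  ("9.2.13", False, "LTS")],
        "cves": ["CVE-2024-22257", "CVE-2024-22259", "CVE-2024-22243"],
    },
    "Confluence": {
        "affected": [("8.7.0", "8.7.0"), ("8.6.0", "8.6.2"), ("8.5.0", "8.5.6"),
                     ("8.4.0", "8.4.5"), ("8.3.0", "8.3.4"), ("8.2.0", "8.2.3"),
                     ("8.1.0", "8.1.4"), ("8.0.0", "8.0.4"), ("7.20.0", "7.20.3"),
                     ("7.19.0", "7.19.19"), ("7.18.0", "7.18.3"), ("7.17.0", "7.17.5")],
        "earlier_affected": True,
        "fixed": [("8.9.0", True, ""), ("8.8.0", True, ""), ("8.7.1", True, ""),
                  ("8.5.7", False, "LTS, recommended"), ("7.19.20", False, "LTS")],
        "cves": ["CVE-2024-21634"],
    },
    "Jira Software": {
        "affected": [("9.14.0", "9.14.1"), ("9.13.0", "9.13.1"), ("9.12.0", "9.12.5"),
                     ("9.11.0", "9.11.3"), ("9.10.0", "9.10.2"), ("9.9.0", "9.9.2"),
                     ("9.8.0", "9.8.2"), ("9.7.0", "9.7.2"), ("9.6.0", "9.6.0"),
                     ("9.5.0", "9.5.1"), ("9.4.0", "9.4.17"), ("9.3.0", "9.3.3"),
                     ("9.2.0", "9.2.1"), ("9.1.0", "9.1.1"), ("9.0.0", "9.0.0")],
        "earlier_affected": True,
        "fixed": [("9.15.0", True, ""), ("9.12.6", False, "LTS, recommended"),
                  ("9.4.18", False, "LTS")],
        "cves": ["CVE-2024-21634", "CVE-2023-1370"],
    },
    "Jira Service Management": {
        "affected": [("5.12.0", "5.12.5"), ("5.11.0", "5.11.3"), ("5.10.0", "5.10.2"),
                     ("5.9.0", "5.9.2"), ("5.8.0", "5.8.2"), ("5.7.0", "5.7.2"),
                     ("5.6.0", "5.6.2"), ("5.5.0", "5.5.1"), ("5.4.0", "5.4.18")],
        "earlier_affected": True,
        "fixed": [("5.15.0", True, ""), ("5.14.0", True, ""),
                  ("5.12.6", False, "LTS, recommended"), ("5.4.19", False, "LTS")],
        "cves": ["CVE-2023-52428"],
    },
}


def status(product, version):
    """'fixed', 'affected' or 'not listed' for one installed version."""
    p, ver = BULLETIN[product], v(version)
    # At or above a listed fixed version on the same major.minor line carries
    # the fix (Confluence 8.5.9 vs the listed 8.5.7 to 8.5.8, for instance).
    for fixed, _, _ in p["fixed"]:
        if ver[:2] == v(fixed)[:2] and ver >= v(fixed):
            return "fixed"
    for low, high in p["affected"]:
        if v(low) <= ver <= v(high):
            return "affected"
    if p["earlier_affected"] and ver < min(v(low) for low, _ in p["affected"]):
        return "affected"      # covered by "Any earlier versions"
    return "not listed"        # e.g. newer than the bulletin: check release notes


def upgrade_targets(product, version, deployment="datacenter"):
    """Listed fixed versions this install can move to, same release line first.
    Server deployments ("server") cannot use the Data Center Only releases."""
    p, line = BULLETIN[product], v(version)[:2]
    usable = [f for f, dc_only, _ in p["fixed"]
              if deployment == "datacenter" or not dc_only]
    return ([f for f in usable if v(f)[:2] == line]
            + [f for f in usable if v(f)[:2] != line])


def report(product, version, deployment="datacenter"):
    """One-line summary suitable for an inventory sweep."""
    s = status(product, version)
    line = f"{product} {version} ({deployment}): {s}"
    if s == "affected":
        line += " by " + ", ".join(BULLETIN[product]["cves"])
        targets = " or ".join(upgrade_targets(product, version, deployment))
        line += "; upgrade to " + (targets or "no listed fix for this deployment")
    return line


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for args in [("Bamboo", "9.5.1", "server"),
                 ("Confluence", "8.5.9", "datacenter"),
                 ("Jira Software", "8.20.0", "datacenter"),
                 ("Jira Service Management", "5.16.0", "datacenter")]:
        print(report(*args))
```

A version that is neither inside a listed affected range nor at or above a listed fix on its line (for example a feature release newer than the bulletin) is reported as "not listed" rather than guessed at, which matches the bulletin's advice to consult the linked release notes for versions it does not cover.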
Feel free to share feedback and discuss this bulletin on our most recent
Trust & Security Community Post, and search for CVEs or check your product
versions for disclosed vulnerabilities with the Vulnerability Disclosure
Portal.

Released Security Vulnerabilities
---------------------------------

Product & Release Notes: Bamboo Data Center and Server

  Affected Versions:
    o 9.6.0
    o 9.5.0 to 9.5.2
    o 9.4.0 to 9.4.3
    o 9.3.0 to 9.3.6
    o 9.2.0 to 9.2.12 (LTS)
    o 9.1.0 to 9.1.3
    o 9.0.0 to 9.0.4
    o 8.2.0 to 8.2.9
    o Any earlier versions

  Fixed Versions:
    o 9.6.1 (LTS) recommended, Data Center Only
    o 9.5.3 Data Center Only
    o 9.2.13 (LTS)

  Vulnerability Summary                                 CVE ID          CVSS Severity
    org.springframework.security:spring-security-core   CVE-2024-22257  8.2 High
    Dependency in Bamboo Data Center and Server
    SSRF (Server-Side Request Forgery)                  CVE-2024-22259  8.1 High
    org.springframework:spring-web Dependency in
    Bamboo Data Center and Server
    SSRF (Server-Side Request Forgery)                  CVE-2024-22243  8.1 High
    org.springframework:spring-web Dependency in
    Bamboo Data Center and Server

Product & Release Notes: Confluence Data Center and Server

  Affected Versions:
    o 8.7.0
    o 8.6.0 to 8.6.2
    o 8.5.0 to 8.5.6 (LTS)
    o 8.4.0 to 8.4.5
    o 8.3.0 to 8.3.4
    o 8.2.0 to 8.2.3
    o 8.1.0 to 8.1.4
    o 8.0.0 to 8.0.4
    o 7.20.0 to 7.20.3
    o 7.19.0 to 7.19.19 (LTS)
    o 7.18.0 to 7.18.3
    o 7.17.0 to 7.17.5
    o Any earlier versions

  Fixed Versions:
    o 8.9.0 Data Center Only
    o 8.8.0 Data Center Only
    o 8.7.1 to 8.7.2 Data Center Only
    o 8.5.7 to 8.5.8 (LTS) recommended
    o 7.19.20 to 7.19.21 (LTS)

  Vulnerability Summary                                 CVE ID          CVSS Severity
    DoS (Denial of Service)                             CVE-2024-21634  7.5 High
    software.amazon.ion:ion-java Dependency in
    Confluence Data Center and Server

Product & Release Notes: Jira Software Data Center and Server

  Affected Versions:
    o 9.14.0 to 9.14.1
    o 9.13.0 to 9.13.1
    o 9.12.0 to 9.12.5 LTS
    o 9.11.0 to 9.11.3
    o 9.10.0 to 9.10.2
    o 9.9.0 to 9.9.2
    o 9.8.0 to 9.8.2
    o 9.7.0 to 9.7.2
    o 9.6.0
    o 9.5.0 to 9.5.1
    o 9.4.0 to 9.4.17 LTS
    o 9.3.0 to 9.3.3
    o 9.2.0 to 9.2.1
    o 9.1.0 to 9.1.1
    o 9.0.0
    o Any earlier versions

  Fixed Versions:
    o 9.15.0 Data Center Only
    o 9.12.6 to 9.12.7 (LTS) recommended
    o 9.4.18 to 9.4.20 (LTS)

  Vulnerability Summary                                 CVE ID          CVSS Severity
    DoS (Denial of Service)                             CVE-2024-21634  7.5 High
    software.amazon.ion:ion-java Dependency in Jira
    Software Data Center and Server
    DoS (Denial of Service) net.minidev:json-smart      CVE-2023-1370   7.5 High
    Dependency in Jira Software Data Center and
    Server

Product & Release Notes: Jira Service Management Data Center and Server

  Affected Versions:
    o from 5.12.0 to 5.12.5 (LTS)
    o from 5.11.0 to 5.11.3
    o from 5.10.0 to 5.10.2
    o from 5.9.0 to 5.9.2
    o from 5.8.0 to 5.8.2
    o from 5.7.0 to 5.7.2
    o from 5.6.0 to 5.6.2
    o from 5.5.0 to 5.5.1
    o from 5.4.0 to 5.4.18 (LTS)
    o Any earlier versions

  Fixed Versions:
    o 5.15.0, 5.14.0, 5.14.1 Data Center Only
    o 5.12.6 (LTS) recommended
    o 5.4.19 (LTS)

  Vulnerability Summary                                 CVE ID          CVSS Severity
    Denial of Service (DoS)                             CVE-2023-52428  7.5 High
    com.nimbusds:nimbus-jose-jwt dependency in Jira
    Service Management Data Center and Server

Frequently Asked Questions:

o Are there any mitigations available?
  There are no mitigations available for CVEs listed in this bulletin.

o I am running a server version of my product - can I still upgrade?
  Be aware that upgrading with an expired server license will make your
  instance unavailable. Please refer to Atlassian's server end of support
  documentation.

o Why is my Feature Version not listed in a Fixed Version?
  You may be using an unsupported version and need to patch to the latest
  version or Long-Term Support (LTS) version.

o What are the most up-to-date Data Center product versions?
  You can always check the software download portal or visit the
  product-specific download pages.
    - Jira Software Data Center
    - Jira Service Management
    - Confluence Data Center
    - Bitbucket Data Center
    - Bamboo Data Center
    - Crowd Data Center

o I am using an LTS, why is it not listed in the Fixed Versions?
  Your LTS version may not have been updated yet or a backported fix may not
  have been feasible. Please see our Security Bug Fix Policy for more
  information. We recommend upgrading your products to the latest versions.
  For the latest fixed versions, visit the release notes linked in the
  vulnerability table.

o Questions about the bulletin, have feedback? Let us know!
  Read more about our bulletins and feel free to contribute feedback on our
  latest Community Post.

Last modified on Apr 16, 2024

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================