===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2373                               
                     Security Bulletin - April 16 2024                     
                               17 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Bamboo Data Center and Server                 
                   Atlassian Confluence Data Center and Server             
                   Jira Service Management Data Center and Server          
                   Jira Software Data Center and Server                    
Publisher:         Atlassian                                               
Operating System:  Windows                                                 
                   UNIX variants (UNIX, Linux, OSX)                        
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2024-22259 CVE-2024-21634 CVE-2023-1370             
                   CVE-2024-22257 CVE-2024-22243 CVE-2023-52428            

Original Bulletin:
   https://confluence.atlassian.com/security/security-bulletin-april-16-2024-1387857429.html

Comment: CVSS (Max):  8.2* CVE-2024-22257 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
         CVSS Source: Atlassian, [VMware], NIST                            
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
         * Not all CVSS available when published                           


- --------------------------BEGIN INCLUDED TEXT--------------------

April 2024 Security Bulletin


The vulnerabilities reported in this Security Bulletin include 7 high-severity
vulnerabilities which have been fixed in new versions of our products, released
in the last month. These vulnerabilities were discovered via our Bug Bounty
program, pen-testing processes, and third-party library scans.

To fix all the vulnerabilities impacting your product(s), Atlassian recommends
patching your instances to the latest version or one of the Fixed Versions for
each product below. The listed Fixed Versions for each product are current as
of April 16, 2024 (date of publication); visit the linked product Release Notes
for the most up-to-date versions.


Feel free to share feedback and discuss this bulletin on our most recent Trust
& Security Community Post, and search for CVEs or check your product versions
for disclosed vulnerabilities with the Vulnerability Disclosure Portal.

+------------------------------------------------------------------------------------------------------------------+
|                                        Released Security Vulnerabilities                                         |
+----------+------------+----------------+-------------------------------------------------+--------------+--------+
|Product & |  Affected  |                |                                                 |              |  CVSS  |
| Release  |  Versions  | Fixed Versions |              Vulnerability Summary              |    CVE ID    |Severity|
|  Notes   |            |                |                                                 |              |        |
+----------+------------+----------------+-------------------------------------------------+--------------+--------+
|          |  o 9.6.0   |                |                                                 |              |        |
|          |  o 9.5.0 to|                |org.springframework.security:spring-security-core|              |        |
|          |    9.5.2   |                |Dependency in Bamboo Data Center and Server      |CVE-2024-22257|8.2 High|
|          |  o 9.4.0 to|                |                                                 |              |        |
|          |    9.4.3   |  o 9.6.1 (LTS) |                                                 |              |        |
|          |  o 9.3.0 to|    recommended +-------------------------------------------------+--------------+--------+
|          |    9.3.6   |                |                                                 |              |        |
|Bamboo    |  o 9.2.0 to|    Data Center |SSRF (Server-Side Request Forgery)               |              |        |
|Data      |    9.2.12  |    Only        |org.springframework:spring-web Dependency in     |CVE-2024-22259|8.1 High|
|Center and|    (LTS)   |  o 9.5.3 Data  |Bamboo Data Center and Server                    |              |        |
|Server    |  o 9.1.0 to|    Center Only |                                                 |              |        |
|          |    9.1.3   |  o 9.2.13      |                                                 |              |        |
|          |  o 9.0.0 to|    (LTS)       +-------------------------------------------------+--------------+--------+
|          |    9.0.4   |                |                                                 |              |        |
|          |  o 8.2.0 to|                |SSRF (Server-Side Request Forgery)               |              |        |
|          |    8.2.9   |                |org.springframework:spring-web Dependency in     |CVE-2024-22243|8.1 High|
|          |  o Any     |                |Bamboo Data Center and Server                    |              |        |
|          |    earlier |                |                                                 |              |        |
|          |    versions|                |                                                 |              |        |
+----------+------------+----------------+-------------------------------------------------+--------------+--------+
|          |  o 8.7.0   |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o 8.6.0 to|                |                                                 |              |        |
|          |    8.6.2   |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o 8.5.0 to|                |                                                 |              |        |
|          |    8.5.6   |                |                                                 |              |        |
|          |    (LTS)   |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o 8.4.0 to|                |                                                 |              |        |
|          |    8.4.5   |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o 8.3.0 to|                |                                                 |              |        |
|          |    8.3.4   |                |                                                 |              |        |
|          |            |  o 8.9.0 Data  |                                                 |              |        |
|          |  o 8.2.0 to|    Center Only |                                                 |              |        |
|          |    8.2.3   |                |                                                 |              |        |
|          |            |  o 8.8.0 Data  |                                                 |              |        |
|          |  o 8.1.0 to|    Center Only |                                                 |              |        |
|          |    8.1.4   |  o 8.7.1 to    |                                                 |              |        |
|Confluence|            |    8.7.2 Data  |DoS (Denial of Service)                          |              |        |
|Data      |  o 8.0.0 to|    Center Only |software.amazon.ion:ion-java Dependency in       |CVE-2024-21634|7.5 High|
|Center and|    8.0.4   |  o 8.5.7 to    |Confluence Data Center and Server                |              |        |
|Server    |            |    8.5.8 (LTS) |                                                 |              |        |
|          |  o 7.20.0  |    recommended |                                                 |              |        |
|          |    to      |                |                                                 |              |        |
|          |    7.20.3  |  o 7.19.20 to  |                                                 |              |        |
|          |            |    7.19.21     |                                                 |              |        |
|          |  o 7.19.0  |    (LTS)       |                                                 |              |        |
|          |    to      |                |                                                 |              |        |
|          |    7.19.19 |                |                                                 |              |        |
|          |    (LTS)   |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o 7.18.0  |                |                                                 |              |        |
|          |    to      |                |                                                 |              |        |
|          |    7.18.3  |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o 7.17.0  |                |                                                 |              |        |
|          |    to      |                |                                                 |              |        |
|          |    7.17.5  |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o Any     |                |                                                 |              |        |
|          |    earlier |                |                                                 |              |        |
|          |    versions|                |                                                 |              |        |
+----------+------------+----------------+-------------------------------------------------+--------------+--------+
|          |  o 9.14.0  |                |                                                 |              |        |
|          |    to      |                |                                                 |              |        |
|          |    9.14.1  |                |                                                 |              |        |
|          |  o 9.13.0  |                |                                                 |              |        |
|          |    to      |                |                                                 |              |        |
|          |    9.13.1  |                |                                                 |              |        |
|          |  o 9.12.0  |                |                                                 |              |        |
|          |    to      |                |                                                 |              |        |
|          |    9.12.5  |                |DoS (Denial of Service)                          |              |        |
|          |    LTS     |                |software.amazon.ion:ion-java Dependency in Jira  |CVE-2024-21634|7.5 High|
|          |  o 9.11.0  |                |Software Data Center and Server                  |              |        |
|          |    to      |                |                                                 |              |        |
|          |    9.11.3  |  o 9.15.0 Data |                                                 |              |        |
|          |  o 9.10.0  |    Center Only |                                                 |              |        |
|          |    to      |  o 9.12.6 to   |                                                 |              |        |
|          |    9.10.2  |    9.12.7      |                                                 |              |        |
|          |  o 9.9.0 to|    (LTS)       |                                                 |              |        |
|Jira      |    9.9.2   |    recommended |                                                 |              |        |
|Software  |  o 9.8.0 to|  o 9.4.18 to   |                                                 |              |        |
|Data      |    9.8.2   |    9.4.20      +-------------------------------------------------+--------------+--------+
|Center and|  o 9.7.0 to|    (LTS)       |                                                 |              |        |
|Server    |    9.7.2   |                |                                                 |              |        |
|          |  o 9.6.0   |                |                                                 |              |        |
|          |  o 9.5.0 to|                |                                                 |              |        |
|          |    9.5.1   |                |                                                 |              |        |
|          |  o 9.4.0 to|                |                                                 |              |        |
|          |    9.4.17  |                |                                                 |              |        |
|          |    LTS     |                |                                                 |              |        |
|          |  o 9.3.0 to|                |DoS (Denial of Service) net.minidev:json-smart   |              |        |
|          |    9.3.3   |                |Dependency in Jira Software Data Center and      |CVE-2023-1370 |7.5 High|
|          |  o 9.2.0 to|                |Server                                           |              |        |
|          |    9.2.1   |                |                                                 |              |        |
|          |  o 9.1.0 to|                |                                                 |              |        |
|          |    9.1.1   |                |                                                 |              |        |
|          |  o 9.0.0   |                |                                                 |              |        |
|          |  o Any     |                |                                                 |              |        |
|          |    earlier |                |                                                 |              |        |
|          |    versions|                |                                                 |              |        |
|          |            |                |                                                 |              |        |
+----------+------------+----------------+-------------------------------------------------+--------------+--------+
|          |  o from    |                |                                                 |              |        |
|          |    5.12.0  |                |                                                 |              |        |
|          |    to      |                |                                                 |              |        |
|          |    5.12.5  |                |                                                 |              |        |
|          |    (LTS)   |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o from    |                |                                                 |              |        |
|          |    5.11.0  |                |                                                 |              |        |
|          |    to      |                |                                                 |              |        |
|          |    5.11.3  |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o from    |                |                                                 |              |        |
|          |    5.10.0  |                |                                                 |              |        |
|          |    to      |                |                                                 |              |        |
|          |    5.10.2  |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o from    |  o 5.15.0,     |                                                 |              |        |
|          |    5.9.0 to|    5.14.0,     |                                                 |              |        |
|          |    5.9.2   |    5.14.1 Data |                                                 |              |        |
|Jira      |            |    Center Only |                                                 |              |        |
|Service   |  o from    |                |Denial of Service (DoS)                          |              |        |
|Management|    5.8.0 to|  o 5.12.6      |com.nimbusds:nimbus-jose-jwt dependency in Jira  |CVE-2023-52428|7.5 High|
|Data      |    5.8.2   |    (LTS)       |Service Management Data Center and Server        |              |        |
|Center and|            |    recommended |                                                 |              |        |
|Server    |  o from    |                |                                                 |              |        |
|          |    5.7.0 to|  o 5.4.19      |                                                 |              |        |
|          |    5.7.2   |    (LTS)       |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o from    |                |                                                 |              |        |
|          |    5.6.0 to|                |                                                 |              |        |
|          |    5.6.2   |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o from    |                |                                                 |              |        |
|          |    5.5.0 to|                |                                                 |              |        |
|          |    5.5.1   |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o from    |                |                                                 |              |        |
|          |    5.4.0 to|                |                                                 |              |        |
|          |    5.4.18  |                |                                                 |              |        |
|          |    (LTS)   |                |                                                 |              |        |
|          |            |                |                                                 |              |        |
|          |  o Any     |                |                                                 |              |        |
|          |    earlier |                |                                                 |              |        |
|          |    versions|                |                                                 |              |        |
+----------+------------+----------------+-------------------------------------------------+--------------+--------+
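The table above gives inclusive affected ranges, an open-ended "Any earlier versions" entry, and a short list of fixed versions per product. Turning one product's rows into a version check is a useful exercise for an asset inventory: the script below, an added example that is not part of the bulletin and not Atlassian's or AusCERT's code, encodes the Bamboo Data Center and Server rows as written in the table and classifies an installed version string as "affected", "fixed", or "not listed" (the version strings it is fed are constructed). It also generalises the "Why is my Feature Version not listed" FAQ point: a version that falls between listed ranges is reported as "not listed" rather than silently treated as safe.

```python
"""Version check against the Bamboo rows of the April 2024 bulletin table.

Added example; the ranges and fixed versions below are copied from the table,
everything else (function names, the three-way classification) is this
example's own design.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges for Bamboo Data Center and Server, inclusive, from the table.
BAMBOO_AFFECTED = [
    ("9.6.0", "9.6.0"),
    ("9.5.0", "9.5.2"),
    ("9.4.0", "9.4.3"),
    ("9.3.0", "9.3.6"),
    ("9.2.0", "9.2.12"),
    ("9.1.0", "9.1.3"),
    ("9.0.0", "9.0.4"),
    ("8.2.0", "8.2.9"),
]
# The table's "Any earlier versions" entry: everything below the lowest range.
BAMBOO_EARLIER_THAN = "8.2.0"
# Fixed versions from the table (9.6.1 LTS recommended, 9.5.3, 9.2.13 LTS).
BAMBOO_FIXED = ["9.6.1", "9.5.3", "9.2.13"]
BAMBOO_CVES = ["CVE-2024-22257", "CVE-2024-22259", "CVE-2024-22243"]


def parse_version(text: str) -> Version:
    """'9.2.12 (LTS)' -> (9, 2, 12); trailing labels are ignored and
    missing components are padded with zeros so tuples compare cleanly."""
    core = text.strip().split()[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version is inside a listed range or older than all of them."""
    v = parse_version(version)
    if v < parse_version(BAMBOO_EARLIER_THAN):
        return True
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in BAMBOO_AFFECTED)


def is_fixed(version: str) -> bool:
    """True when the version is a listed fixed version, or a later release on
    the same major.minor line as one (e.g. 9.6.2 counts as fixed via 9.6.1)."""
    v = parse_version(version)
    return any(parse_version(f)[:2] == v[:2] and v >= parse_version(f)
               for f in BAMBOO_FIXED)


def classify(version: str) -> str:
    """Three-way result: 'affected', 'fixed', or 'not listed'.

    'not listed' covers versions that sit between table ranges; per the FAQ
    these are likely unsupported feature versions and still warrant an upgrade."""
    if is_affected(version):
        return "affected"
    if is_fixed(version):
        return "fixed"
    return "not listed"


def fixed_version_for(version: str) -> Optional[str]:
    """Lowest fixed version on the installed major.minor line, otherwise the
    newest fixed version in the table; None when the version is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    same_line = [f for f in BAMBOO_FIXED if parse_version(f)[:2] == v[:2]]
    if same_line:
        return min(same_line, key=parse_version)
    return max(BAMBOO_FIXED, key=parse_version)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("build-01", "9.2.12 (LTS)"), ("build-02", "9.6.1"),
                      ("build-03", "8.1.5"), ("build-04", "9.3.7")]:
        state = classify(ver)
        target = fixed_version_for(ver)
        print(f"{host}: {ver} -> {state}"
              + (f", upgrade to {target} ({', '.join(BAMBOO_CVES)})" if target else ""))
```

The same shape works for the other three products by swapping in their rows; the only judgement call is how to treat "not listed", and the FAQ's answer (unsupported feature version, upgrade to latest or LTS) argues for reporting it rather than folding it into "fixed".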


Frequently Asked Questions:

  o Are there any mitigations available? There are no mitigations available for
    the CVEs listed in this bulletin.
  o I am running a server version of my product - can I still upgrade? Be aware
    that upgrading with an expired server license will make your instance
    unavailable. Please refer to Atlassian's server end of support
    documentation.
  o Why is my Feature Version not listed in a Fixed Version? You may be using
    an unsupported version and need to patch to the latest version or Long-Term
    Support (LTS) version.
  o What are the most up-to-date Data Center product versions? You can always
    check the software download portal or visit the product-specific download
    pages:
      - Jira Software Data Center
      - Jira Service Management
      - Confluence Data Center
      - Bitbucket Data Center
      - Bamboo Data Center
      - Crowd Data Center
  o I am using an LTS, why is it not listed in the Fixed Versions? Your LTS
    version may not have been updated yet or a backported fix may not have been
    feasible. Please see our Security Bug Fix Policy for more information. We
    recommend upgrading your products to the latest versions. For the latest
    fixed versions, visit the release notes linked in the vulnerability table.

  o Questions about the bulletin, have feedback? Let us know! Read more about
    our bulletins and feel free to contribute feedback on our latest Community
    Post.



Last modified on Apr 16, 2024

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================