Atlassian Jira, Confluence, Bitbucket and macOS Companion app users are warned to update their software immediately due to four critical vulnerabilities allowing for remote code execution.
Atlassian, an Australian software company, has more than 260,000 customers in more than 190 countries, including two-thirds of Fortune 500 companies.
One of the most severe bugs, rated 9.8 on the CVSS scale by Atlassian, requires Jira customers to uninstall the Assets Discovery agent software from all devices before installing a patch to the main Assets Discovery application.
Another vulnerability, also rated 9.8, dates back to 2022 and is now known to impact a dozen Atlassian products including multiple Jira, Confluence and Bitbucket offerings.
Critical Atlassian vulnerabilities pose malware risks.
Security flaws affecting Jira, Confluence, Bitbucket and the Atlassian Companion app for macOS could be used by attackers to remotely execute malicious code.
Atlassian has released patches for all of these vulnerabilities, emphasizing that the software updates are the only effective fix.
Ransomware exploitation of a previous Confluence bug, tracked as CVE-2023-22518, was reported last month.
One of the newly reported vulnerabilities, tracked as CVE-2023-22522, enables authenticated users to add code to a Confluence template, which is executed upon loading a Confluence page with that template.
Atlassian said users with anonymous access can also edit templates, which could help attackers evade detection.
The other three vulnerabilities could be exploited by unauthenticated attackers, an Atlassian spokesperson said.
Another vulnerability impacts Jira customers that use the Assets Discovery application.
Atlassian said an RCE vulnerability, tracked as CVE-2023-22523, exists in the communication between Assets Discovery and Assets Discovery agents, the software that allows offline devices to be detected by the Assets Discovery app.
According to Atlassian, the Assets Discovery agent must be manually uninstalled from every device on which it is installed before the Assets Discovery app is updated; otherwise the vulnerability is not effectively patched.
If not all agents can be uninstalled immediately, Atlassian recommends blocking the port used to communicate with the agents as a temporary mitigation.
Users of the Atlassian Companion app for Mac computers are also warned to update because of a flaw in which the WebSocket protocol can be used to bypass macOS Gatekeeper and Atlassian Companion's blocklist to execute code on Confluence pages.
The Atlassian advisory also discloses that an RCE vulnerability discovered in December 2022 impacts 12 products across the Jira, Confluence and Bitbucket brands.
Atlassian said updating the SnakeYAML library is not sufficient, and the affected products must be updated to their latest versions to remediate the issue.
A full list of affected products is provided in Atlassian's advisory.
In addition to the discovery and exploitation of CVE-2023-22518 in November, Atlassian patched two other high-severity vulnerabilities affecting Jira, Confluence, Bitbucket and Bamboo in September.
This Cyber News was published on packetstormsecurity.com. Publication date: Tue, 12 Dec 2023 14:43:20 +0000