Action Required: RCE Vulnerabilities Identified in Multiple Products

Hello community,

We have discovered four critical vulnerabilities impacting customers of the products listed below. All four vulnerabilities carry a critical CVSS score of 9.0 or higher, and customers must take immediate action to protect their instances.

Please carefully review all of the Critical Security Advisories impacting your Atlassian product(s) to verify affected versions and instructions.

CVE-2023-22524 - RCE Vulnerability in Atlassian Companion app for macOS

  • Confluence Data Center and Server (former and present customers)

CVE-2023-22523 - RCE Vulnerability in Assets Discovery app

  • Jira Service Management Cloud

  • Jira Service Management Data Center and Server

CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server

  • Confluence Data Center and Server

CVE-2022-1471 - SnakeYAML library RCE Vulnerability impacts Multiple Products

  • Bitbucket Data Center and Server

  • Confluence Data Center and Server

  • Confluence Cloud Migration Assistant (CCMA) app

  • Jira Core Data Center and Server

  • Jira Service Management Data Center and Server

  • Jira Software Data Center and Server

  • Automation for Jira (A4J) app (including Server Lite edition)

We found these vulnerabilities as part of an ongoing security review that we are conducting in addition to our continuous security assessments. Your security is our top priority, and we believe that acting proactively is the best approach to protecting your data.

Please follow the linked Critical Security Advisories for future updates.

If you have questions, please raise a support request via the instructions included in the advisory.

Thank you,

Atlassian Trust team

This Trust and Community post is a cross-post of the approved post by Andy Heinzer: https://community.atlassian.com/t5/Announcement-articles/Action-Required-RCE-Vulnerabilities-Identified-in-Multiple/ba-p/2552220


2 comments

Stephen Hodgson (Contributor) December 6, 2023

How did Atlassian allow CVE-2022-1471 to remain in all these products for a full year after that CVE was released?

This should have been picked up by any respectable package scanner a long time ago.

Leo Leung December 8, 2023

My Server products' maintenance has been renewed every year since 2009, but it expired in Oct 2022, as I can see that support for Server products will end on Feb. 15, 2024.

Is there any way to provide security updates for security vulnerabilities that existed for years prior, which affect all versions but were only found and fixed in the latest release in 2023, without having to pay up to USD$3000 for each product to access the latest updates?

Some of these security flaws existed for the whole time I paid maintenance for the last 13 years!
