Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

March 2024 Security Bulletin Community Post

Hey Folks - today we have another Security bulletin going live for March 2024!

Bamboo CVSS 10

A notable feature of this bulletin is we have a CVSS 10.0 - CRITICAL Listed: CVE-2024-1597 for Bamboo.

Please Note that this vulnerability is present in our monthly Security Bulletin instead of a Critical Security Advisory because NO ATLASSIAN Products are actually AFFECTED by this vulnerability. The exploit relies on a particular configuration of Postgres that is NOT utilized by Atlassian. If we had an "Atlassian Risk Score" it would essentially be 0.

> This unexploitable Critical severity vulnerability has a lower assessed risk by Atlassian, so it's disclosed in the Monthly Security Bulletin instead of a Critical Security Advisory. **Bamboo and other Atlassian Data Center products are unaffected by this vulnerability** as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings.


LTS Releases

Various Atlassian products had new LTS major versions released last week. In this case, we have fresh new LTS major versions for Bamboo and Bitbucket. We have both listed in our "recommended" versions in the security bulletin this month.



I also want to note that we have several CAC ( page visual changes queued for our site to make reading security bulletins (ESPECIALLY on Mobile) easier. These changes were on track to go out today alongside the bulletin but were sadly blocked. I'd expect to see this implemented in a few days. I apologize for being unable to update the March bulletin format. We should see a notable improvement in readability in future bulletins.

We also have a number of Vulnerability Disclosure Portal and API updates in the queue based on the great feedback from customers and the community post last month. I will share more details once they are released!

Once again, I am happy to answer any bulletin-related questions or feedback you might have.



Log in or Sign up to comment
Laurie Sciutti
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
March 19, 2024

So frustrating....  😣😒😤

Like # people like this
Cortland Bolles March 19, 2024

Confluence 8.8.1 with all of the fixes has not been published to docker yet, not sure if something happened in the publish process since it should have been out 3/5.

Like # people like this
Isaac_nl March 19, 2024

What does that Datacenter Only thing mean? 

Like Dan Breyen likes this
Lee Berg
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 19, 2024

@Isaac_nl  This just means these versions are NOT available for Server

Like # people like this
Tushar Gohel March 20, 2024

Why are fixes only available in the newer versions? Wouldn't it be beneficial to provide mitigation for the Long-Term Support (LTS) version as well? For large organizations, it's challenging to upgrade to a new version each month, especially when there are unresolved performance issues in the current version.


Like # people like this
William Lovins March 22, 2024

Even though the applications were released weeks ago and the security announcement was 3-4 days ago, neither of the application required have Docker versions released yet - Confluence (8.5.7 or 8.8.1)  or Bitbucket (8.18.1 or 8.19.0), while Jira 8.12.5 was available 6 days ago as a Docker. Is Docker still a supported deployment option? It is worrying when the CVSS Severity is listed as high and there isn't a readily available upgrade path and degrades trust in the overall security of the products.

Like Dan Breyen likes this
Cortland Bolles March 25, 2024

@William Lovins I think I figured out the issue, at least for confluence - they stopped publishing atlassian/confluence-server apparently now that server support has ended. There is another image atlassian/confluence that is updated and has 8.8.1.

Found this commit that pointed me in the right direction:

I'm guessing there is a similar change for bitbucket.

Like # people like this
March 25, 2024


Like Dan Breyen likes this
William Lovins March 25, 2024

@Cortland Bolles - You are right. If you go to atlassian/confluence-server - Docker Image | Docker Hub, it mentions there are 2 mirrored docker repos (with and without -server in the name). If you go to the shorter name, it mentions the updates won't be posted to the -server version after Feb 15th. Really, should should have been noted in the -server version as that's the one that stopped getting updates. 

In any event, needing to change to the docker repo without "-server" was my problem, so I hope this helps anyone who finds this in the future.


Like # people like this
AUG Leaders

Atlassian Community Events