It’s time to patch again. Four critical security vulnerabilities in Atlassian software open the door to remote code execution (RCE) and subsequent lateral movement within enterprise environments. These are just the latest bugs to surface recently in software collaboration and DevOps platforms, which tend to be easy targets for cyber attackers.
The vulnerabilities for which Atlassian issued fixes on Tuesday include:
- CVE-2022-1471 (CVSS vulnerability severity score 9.8 out of 10): Deserialization flaw in the SnakeYAML library, affecting multiple Atlassian software platforms.
- CVE-2023-22522 (CVSS 9): Authenticated template injection vulnerability affecting Confluence Server and Data Center. According to Atlassian, a user logged into the system, even anonymously, could inject unsafe user input into a Confluence page and achieve RCE.
- CVE-2023-22523 (CVSS 9.8): Privileged RCE in the Assets Discovery network scanning tool for Jira Service Management Cloud, Server, and Data Center. According to Atlassian’s advisory, “This vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent.”
- CVE-2023-22524 (CVSS 9.6): RCE in the Atlassian Companion app for macOS, which is used for file editing in Confluence Data Center and Server. “An attacker could use WebSockets to bypass Atlassian Companion blocklists and MacOS Gatekeeper, allowing them to execute code,” the advisory says.
Atlassian bugs are like a silver bullet for cyber attackers
The latest advisory comes following a series of bug disclosures by Atlassian related to both zero-day and post-patch exploits.
Atlassian software, specifically Confluence, is a popular web-based corporate wiki used for collaboration in cloud and hybrid server environments, and is a popular target for threat actors. The ability to connect to various databases with one click makes its usefulness to attackers unparalleled. Over 60,000 customers use Confluence, including LinkedIn, NASA, and the New York Times.
If past is prologue, administrators must patch the latest bugs immediately. For example, in October, the software company published a security fix for a maximum-severity RCE bug (CVSS 10) in Confluence Data Center and Server (CVE-2023-22515). The bug was being exploited before the patch was available by a China-sponsored advanced persistent threat (APT) tracked as Storm-0062. A series of proof-of-concept exploits also emerged shortly after publication, paving the way for large-scale exploitation attempts.
Shortly after, in November, another RCE bug appeared in Confluence Data Center and Server. This bug was originally listed with a CVSS score of 9.1 and exploited as a zero-day. However, after the patch was released, ransomware and other cyber attacks sprang up in large numbers, prompting Atlassian to raise the severity score to 10.
In the same month, Atlassian announced that both its Bamboo continuous integration (CI) and continuous delivery (CD) software development server and Confluence Data Center and Server were vulnerable to yet another maximum-severity issue. This time it was a bug in the Apache Software Foundation (ASF) ActiveMQ message broker (CVE-2023-46604, CVSS 10), which had already been weaponized as an “n-day” vulnerability: PoC exploit code was quickly made available, allowing remote attackers to execute arbitrary commands on affected systems. Atlassian has released fixes for both platforms.