Article Details
Scrape Timestamp (UTC): 2023-12-06 15:54:00.504
Original Article Text
Atlassian patches critical RCE flaws across multiple products.

Atlassian has published security advisories for four critical remote code execution (RCE) vulnerabilities impacting Confluence, Jira, and Bitbucket servers, along with a companion app for macOS.

All security issues addressed received a critical-severity score of at least 9.0 out of 10, based on Atlassian's internal assessment. However, the company advises organizations to evaluate applicability according to their own IT environment.

The company marked none of the security issues as being exploited in the wild. However, due to the popularity of Atlassian products and their extensive deployment in corporate environments, system administrators should prioritize applying the available updates.

The four RCE vulnerabilities addressed this month received the following identifiers:

To address all four of the above problems, users are recommended to update to one of the following product versions:

If uninstalling Asset Discovery agents to apply the patch for CVE-2023-22523 is not possible at the moment or has to be delayed, Atlassian provides a temporary mitigation that consists of blocking the port used for communication with agents, which by default is 51337.

In the case of CVE-2023-22522, there is no mitigation. If administrators cannot apply the patch immediately, Atlassian recommends that they back up affected instances and take them offline.

If administrators are unable to apply the patch for CVE-2023-22524, the company recommends uninstalling the Atlassian Companion App.
Daily Brief Summary
Atlassian has released security advisories concerning four critical remote code execution vulnerabilities affecting Confluence, Jira, and Bitbucket servers, along with an Atlassian Companion app for macOS.
All vulnerabilities are rated as critical, with a severity score of at least 9.0 out of 10, although there are no reports of these issues being exploited in the wild.
Atlassian urges system administrators to swiftly apply the updates due to the widespread use of their products within corporate IT environments.
The four RCE vulnerabilities patched have unique identifiers, and updates are available to remediate these flaws.
For CVE-2023-22523, Atlassian suggests a temporary workaround of blocking the communication port if the patch cannot be immediately applied or the Asset Discovery agents cannot be uninstalled.
No mitigation is available for CVE-2023-22522, and Atlassian recommends backups and taking affected instances offline if patches can't be installed promptly.
If the Atlassian Companion App patch for CVE-2023-22524 cannot be applied, removing the app is the recommended course of action.
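The temporary mitigation for CVE-2023-22523 described in the article and in the summary above is to block the Asset Discovery agent port (51337 by default). The following is an added example, not code from the article or from Atlassian, that audits whether a host still exposes that port and prints the firewall rule implementing the block; it assumes the agent traffic is TCP, uses a constructed `ss -Hlnt` sample so it runs offline, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the article or Atlassian): check whether a host still
# listens on the Asset Discovery agent port (51337 by default) and emit the
# block rule Atlassian describes as the temporary mitigation for CVE-2023-22523.

# Constructed sample of `ss -Hlnt` output for offline use; on a real host the
# live output comes from: ss -Hlnt
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:51337 *:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*'

# port_is_listening SS_OUTPUT PORT -> exit 0 if any socket listens on PORT, else 1
port_is_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" {
            # local address is column 4; the port is the last colon-separated field
            n = split($4, a, ":")
            if (a[n] == p) { found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# block_rule PORT -> prints an iptables rule dropping inbound traffic to PORT
# (assumption: the agent protocol is TCP; the article does not state it)
block_rule() {
    printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$1"
}

# main [PORT]: audit the live host; PORT defaults to 51337 but is configurable
# because the advisory calls 51337 only the default
main() {
    port="${1:-51337}"
    if port_is_listening "$(ss -Hlnt 2>/dev/null)" "$port"; then
        echo "port $port is still listening; apply: $(block_rule "$port")"
    else
        echo "no listener on port $port"
    fi
}

main "$@"
```

Run it on an Atlassian host as `sh audit_agent_port.sh` (or with a non-default port as the first argument); applying the rule is a separate, deliberate step.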