Alert GCSA-23158 - Vulnerabilities in Atlassian products
******************************************************************
Alert ID: GCSA-23158
date: 07 December 2023
title: Vulnerabilities in Atlassian products
******************************************************************
:: Problem description
Atlassian has released new versions of its products
to fix four critical-severity flaws.
CVE-2022-1471 (CVSS score: 9.8)
CVE-2023-22522 (CVSS score: 9.0)
CVE-2023-22523 (CVSS score: 9.8)
CVE-2023-22524 (CVSS score: 9.6)
Atlassian reports that, at present, no exploitation of the
above vulnerabilities has been observed in the wild.
However, given the popularity of Atlassian products and their
wide deployment in enterprise environments, system administrators
should prioritise applying the available updates.
More information is available in the "References" section.
:: Affected software
Confluence Data Center and Server
Confluence Cloud Migration App (CCMA)
Companion App for macOS
Bitbucket Data Center and Server
Jira Core Data Center and Server
Jira Software Data Center and Server
Jira Service Management Data Center and Server
Assets Discovery for Jira Service Management
Automation for Jira (A4J) app (including the Server Lite edition)
:: Impact
Remote execution of arbitrary code (RCE)
:: Solutions
Upgrade to the versions indicated in the security advisories
:: References
Atlassian Security Advisories & Bulletins
https://confluence.atlassian.com/security/december-2023-security-advisories-overview-1318892103.html
https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html
https://confluence.atlassian.com/security/cve-2023-22522-rce-vulnerability-in-confluence-data-center-and-confluence-server-1319570362.html
https://confluence.atlassian.com/security/cve-2023-22523-rce-vulnerability-in-assets-discovery-1319248914.html
https://confluence.atlassian.com/security/cve-2023-22524-rce-vulnerability-in-atlassian-companion-app-for-macos-1319249492.html
The Hacker News
https://thehackernews.com/2023/12/atlassian-releases-critical-software.html
Bleeping Computer News
https://www.bleepingcomputer.com/news/security/atlassian-patches-critical-rce-flaws-across-multiple-products/
Mitre CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22523
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22524
GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert