Alert GCSA-24028 - Vulnerabilities in Atlassian products
******************************************************************
Alert ID: GCSA-24028
date: 22 February 2024
title: Vulnerabilities in Atlassian products
******************************************************************
:: Problem description
Atlassian has published a security bulletin
covering 11 high-severity vulnerabilities,
which are fixed in new versions of the products.
More information is available in the "References" section.
:: Affected software
Assets Discovery versions from 6.0.0, 6.2.0, 6.2.0-jira-dc-8 and earlier
Confluence Data Center and Server versions up to 8.7.1, 8.6.2, 8.5.4 (LTS),
8.4.5, 8.3.4, 8.2.3, 8.1.4, 8.0.4, 7.20.3, 7.19.18 (LTS), 7.18.3, 7.17.5 and earlier
Jira Software Data Center and Server versions up to 9.12.1 (LTS), 9.11.3,
9.10.2, 9.9.2, 9.8.2, 9.7.2, 9.6.0, 9.5.1, 9.4.14 (LTS), 9.3.3, 9.2.1, 9.1.1,
8.22.6 and earlier
Jira Service Management Data Center and Server versions up to 5.13.0,
5.12.2 (LTS), 5.11.3, 5.10.2, 5.9.2, 5.8.2, 5.7.2, 5.6.2, 5.5.1,
5.4.15 (LTS), 5.3.1, 5.2.1, 5.1.1, 5.0, 4.22.6 and earlier
:: Impact
Remote execution of arbitrary code (RCE)
Denial of Service (DoS)
Information disclosure (ID)
Cross-site Scripting (XSS)
:: Solutions
Atlassian recommends updating all products to the latest version.
The latest version of Confluence is available at the following link
https://www.atlassian.com/software/confluence/download-archives
:: References
Atlassian - Security Advisories & Bulletins
https://confluence.atlassian.com/security/security-bulletin-february-20-2024-1354501606.html
https://www.atlassian.com/trust/data-protection/vulnerabilities
https://jira.atlassian.com/browse/JSDSERVER-15067
https://jira.atlassian.com/browse/CONFSERVER-94513
https://www.atlassian.com/trust/security/advisories
CSIRT Italia
https://www.csirt.gov.it/contenuti/rilevate-vulnerabilita-in-prodotti-atlassian-al01-240221-csirt-ita
Mitre CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46589
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21678
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21682
GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert