Four RCE vulnerabilities affecting Atlassian products


1:04pm, 7 December 2023

TLP Rating: Clear

Four vulnerabilities have been disclosed affecting a range of Atlassian collaboration products.
If exploited, each of the four could allow an attacker to run unauthorised code or commands remotely on the affected systems.
The vulnerabilities are tracked as CVE-2023-22522, CVE-2023-22523, CVE-2023-22524, and CVE-2022-1471. CVE-2022-1471 is an older flaw in the third-party SnakeYAML library that several Atlassian products bundle, which is why it has the widest list of affected products.

What's happening

Systems affected

The following Atlassian products are affected:
CVE-2023-22522
  • Confluence Data Center and Server (some affected and fixed release lines are Data Center only)
CVE-2023-22523
  • Asset Discovery app for Jira Service Management products
CVE-2023-22524
  • Atlassian Companion App for macOS for Confluence Server and Confluence Data Center
CVE-2022-1471 
  • Automation for Jira app (including Server Lite edition) 
  • Bitbucket Data Center and Server
  • Confluence Data Center and Server
  • Confluence Cloud Migration App 
  • Jira Core Data Center and Server
  • Jira Service Management Data Center and Server
  • Jira Software Data Center and Server
     
Check the vendor advisories (links below) for specific versions impacted.

What to do

Mitigation

Update the impacted Atlassian products as outlined below.

CVE-2023-22522
Update Confluence Data Center and Server to one of the following fixed versions:
  • 7.19.17 (LTS)
  • 8.4.5
  • 8.5.4 (LTS)
Update Confluence Data Center to one of the following fixed versions (Data Center only):
  • 8.6.2 or later
  • 8.7.1 or later
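As an added worked example (not CERT NZ or Atlassian code), the following Python script checks an inventory of Confluence version strings against the CVE-2023-22522 fixed versions listed above. The fixed versions are taken from this advisory; the function names and the sample inventory are constructed for illustration. It compares versions as numeric tuples within each release line, so 8.5.10 is correctly treated as newer than 8.5.4 (a plain string comparison would get that wrong), it treats release lines with no in-branch fix (such as 8.3.x) as vulnerable, and it reports release lines newer than anything in the fix list as unknown rather than assuming they are safe.

```python
"""Triage Confluence Data Center/Server versions against the CVE-2023-22522
fixed versions in this advisory (7.19.17, 8.4.5, 8.5.4, 8.6.2, 8.7.1).

Added example, not CERT NZ or Atlassian code. Only the fixed-version list
comes from the advisory; the function names and sample inventory below are
constructed for illustration.
"""
import re

# Fixed versions keyed by release line (major, minor). A build is patched only
# if it sits on one of these lines at or above the listed patch level; lines
# below the lowest fixed line (e.g. 7.18.x, 8.0.x to 8.3.x) have no in-branch
# fix and must be moved to a fixed line.
FIXED_VERSIONS = {
    (7, 19): (7, 19, 17),  # LTS
    (8, 4): (8, 4, 5),
    (8, 5): (8, 5, 4),     # LTS
    (8, 6): (8, 6, 2),     # Data Center only
    (8, 7): (8, 7, 1),     # Data Center only
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '8.5.3' or '8.5.3-build-7' into (8, 5, 3); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def cve_2023_22522_status(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one Confluence version.

    'unknown' covers unparseable strings and release lines newer than anything
    in the advisory's fix list; this check does not vouch for those.
    """
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    line = version[:2]
    if line > max(FIXED_VERSIONS):
        return "unknown"
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        # No in-branch fix exists for this line, so the install is vulnerable
        # as deployed and must be upgraded to a fixed line.
        return "vulnerable"
    # Tuple comparison is numeric per component, so (8, 5, 10) >= (8, 5, 4).
    return "patched" if version >= fixed else "vulnerable"


def triage(version_texts):
    """Map each version string in an inventory to its status."""
    return {text: cve_2023_22522_status(text) for text in version_texts}


if __name__ == "__main__":
    # Constructed sample inventory, one version string per Confluence host.
    inventory = ["7.19.16", "7.19.17", "8.3.4", "8.5.3", "8.5.10", "8.6.1",
                 "8.7.1", "8.8.0", "latest"]
    for host_version, status in triage(inventory).items():
        print(f"{host_version:>10}  {status}")
```

Hosts reported as vulnerable need one of the fixed versions above; hosts reported as unknown need a manual check against the vendor advisory, since a version string that does not parse or a release line newer than this advisory is not evidence of safety.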
CVE-2023-22523
Update the Asset Discovery app to the following versions:  
  • Asset Discovery 3.2.0-cloud or later
  • Asset Discovery 6.2.0 or later
CVE-2023-22524
Confirm that the Atlassian Companion App for macOS has automatically updated to version 2.0.0 or later. If version 2.0.0 is not compatible with your Confluence Data Center or Server instance, uninstall the Atlassian Companion App to mitigate the vulnerability.

CVE-2022-1471
  • Update the impacted Atlassian product to the version listed in the vendor advisory.
More details on how to update and mitigate these vulnerabilities are in the vendor advisories linked below.

More information

If you require more information or further support, submit a report on our website or contact us.
For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384