It’s Snowing CVEs

Morning Jira Guys and Gals! Well, flexibility is the name of the game today. I had planned to continue my “What is Jira” series with “Why Jira?” but that changed with an email I got last night. You see, Atlassian has let us know about four fresh CVEs impacting their products. While new CVEs are nothing new, what stands out today is how many products these four touch. So, as a PSA, let’s review the CVEs, discuss how bad they are, and go over what you can do to keep yourself safe.

What’s all the noise about?

At midnight, Atlassian lifted an embargo on these CVEs and sent out an email about four vulnerabilities that collectively impact Bitbucket Server & DC, Confluence Server & DC, Jira Service Management Cloud, Server, & DC, and Jira Software Server & DC. Yes – you read that correctly – even Cloud is implicated!  

For the record, the CVEs are (with documentation links)

All four are classified as Remote Code Execution (RCE) vulnerabilities. As a reminder, RCE means an attacker can run code of their choosing on your system; whether they first need an account depends on the specific bug, and an RCE that needs only a low-privilege login is still about as bad as it gets. From there they can do almost anything: establish persistent remote access, mine crypto, join the host to a botnet, or launch a ransomware attack. The preconditions differ per CVE, so read each advisory rather than assuming. The Confluence flaw needs an authenticated user, but any user will do, including anonymous users where anonymous access is enabled, so that is not much of a barrier. The Companion App flaw is the one that needs a user to take an action; for everything else, no user has to do anything.

All four carry a CVSS score of 9.0 or higher, which puts them in the critical band. Mark my words: if it isn’t already, this will be in attack toolkits and actively used by the end of the week.

And don’t get me wrong – the technical impact is bad. However, how fast you should respond depends on what information your system has. This very morning, a security-minded friend sent me this:

“If you’re ever asked by a client how serious a vulnerability like this is, you should also think about privacy. If the server contains information that would cause harm if exposed, that’s another consideration.”

So yes, absolutely consider the technical implications of this. But also balance that against privacy concerns. What sort of data does your system have? That might increase the urgency of an issue like this another notch or two. 

You’ve Scared me enough – what can I do?

Thankfully, fixed versions are already available, and you should plan on getting them onto your systems as soon as possible. In every case the remedy is an upgrade; if you cannot upgrade promptly, at least take the instance off the public internet until you can. I’ll cover each affected product and tell you which versions are affected and which to move to.

Automation for Jira Marketplace App (Regular and Server Lite variants)

Impacted versions:

  • 9.0.1
  • 9.0.0
  • <= 8.2.2

SAFE VERSIONS – INSTALL THESE ASAP

Note: these are Marketplace app versions, not Jira versions. The Jira range each app version supports is in parentheses.

  • 8.2.4 (for Jira 8.5.0-9.11.3)
  • 9.0.2 (for Jira 8.20.0 – 9.11.3)
  • 9.0.3 (for Jira 8.20.0-9.12.0)
  • 9.0.4 (for Jira 8.20.0-9.12.0)

Bitbucket Data Center & Server

Impacted versions:

  • 7.17.x through 7.20.x
  • 7.21.0 through 7.21.15
  • 8.0.x through 8.7.x
  • 8.8.0 through 8.8.6
  • 8.9.0 through 8.9.3
  • 8.10.0 through 8.10.3
  • 8.11.0 through 8.11.2
  • 8.12.0

SAFE VERSIONS – INSTALL THESE ASAP

  • 7.21.16 (LTS)
  • 8.8.7
  • 8.9.4 (LTS)
  • 8.10.4 
  • 8.11.3 
  • 8.12.1 
  • 8.13.0
  • 8.14.0
  • 8.15.0 (Data Center Only)
  • 8.16.0 (Data Center Only)

Confluence Data Center & Server 

Impacted versions:

  • 6.13.x through 6.15.x
  • 7.0.x through 7.12.x
  • 7.13.0 through 7.13.17
  • 7.14.x through 7.18.x
  • 7.19.0 through 7.19.9
  • 7.20.x
  • 8.0.x through 8.2.x
  • 8.3.0

SAFE VERSIONS – INSTALL THESE ASAP

  • 7.19.17 (LTS)
  • 8.4.5
  • 8.5.4 (LTS)
  • 8.6.2 (Data Center Only)
  • 8.7.1 (Data Center Only)

Confluence Cloud Migration App

Impacted versions:

  • Anything less than (and not including) 3.4.0

SAFE VERSIONS – INSTALL THESE ASAP

  • 3.4.0 or Better

Jira Core & Software Data Center and Server

Impacted versions:

  • 9.4.0 through 9.4.12
  • 9.5.x through 9.10.x
  • 9.11.0
  • 9.11.1

SAFE VERSIONS – INSTALL THESE ASAP

  • 9.4.14 (LTS)
  • 9.11.2
  • 9.12.0 (LTS)

Jira Service Management Data Center and Server

Impacted versions:

  • 5.4.0 through 5.4.12
  • 5.5.x through 5.10.x
  • 5.11.0
  • 5.11.1

SAFE VERSIONS – INSTALL THESE ASAP

  • 5.4.14 (LTS)
  • 5.11.2
  • 5.12.0 (LTS)

Assets Discovery (Jira Service Management Cloud)

Impacted versions:

  • Insight Discovery 1.0 – 3.1.3
  • Assets Discovery 3.1.4 – 3.1.7
  • Assets Discovery 3.1.8-cloud – 3.1.11-cloud

SAFE VERSIONS – INSTALL THESE ASAP

  • Assets Discovery 3.2.0-cloud or later

Assets Discovery (Jira Service Management Data Center And Server)

Impacted versions:

  • Insight Discovery 1.0 – 3.1.7
  • Assets Discovery 3.1.9 – 3.1.11
  • Assets Discovery 6.0.0 – 6.1.14, 6.1.14-jira-dc-8

SAFE VERSIONS – INSTALL THESE ASAP

  • Assets Discovery 6.2.0 or later

Atlassian Companion App for macOS

Impacted versions:

  • Anything below (but not including) 2.0.0

SAFE VERSIONS – INSTALL THESE ASAP

  • 2.0.0 or later
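With that many tables, the practical question is “which of my instances are on a listed version?” The script below is an added example, not code from this post or from Atlassian. It encodes the affected and fixed ranges for Jira Software, Jira Service Management, Confluence and Bitbucket exactly as listed above, classifies an installed version as fixed, affected, or unlisted, and suggests the nearest fixed release. The only live input a real deployment would feed it is the JSON that Jira Server/DC returns from `GET /rest/api/2/serverInfo`; the sample response here is constructed so the script runs offline. Note the third state: a version that is older than the fix for its release line but not in any listed range (for example Confluence 8.5.3) is reported as “unlisted”, and you should treat it as vulnerable until the vendor advisory says otherwise rather than assuming it is safe.

```python
"""Triage helper for the Atlassian version tables above (added example, not Atlassian code)."""
from __future__ import annotations

import json
import re

Version = tuple[int, ...]

# Affected ranges copied from the page. A two-component bound such as "9.5"
# means "every 9.5.x", so bounds are compared on as many components as given.
AFFECTED: dict[str, list[tuple[str, str]]] = {
    "jira-software": [("9.4.0", "9.4.12"), ("9.5", "9.10"), ("9.11.0", "9.11.1")],
    "jira-service-management": [("5.4.0", "5.4.12"), ("5.5", "5.10"), ("5.11.0", "5.11.1")],
    "confluence": [("6.13", "6.15"), ("7.0", "7.12"), ("7.13.0", "7.13.17"),
                   ("7.14", "7.18"), ("7.19.0", "7.19.9"), ("7.20", "7.20"),
                   ("8.0", "8.2"), ("8.3.0", "8.3.0")],
    "bitbucket": [("7.17", "7.20"), ("7.21.0", "7.21.15"), ("8.0", "8.7"),
                  ("8.8.0", "8.8.6"), ("8.9.0", "8.9.3"), ("8.10.0", "8.10.3"),
                  ("8.11.0", "8.11.2"), ("8.12.0", "8.12.0")],
}

# Fixed releases copied from the page (LTS lines included).
FIXED: dict[str, list[str]] = {
    "jira-software": ["9.4.14", "9.11.2", "9.12.0"],
    "jira-service-management": ["5.4.14", "5.11.2", "5.12.0"],
    "confluence": ["7.19.17", "8.4.5", "8.5.4", "8.6.2", "8.7.1"],
    "bitbucket": ["7.21.16", "8.8.7", "8.9.4", "8.10.4", "8.11.3",
                  "8.12.1", "8.13.0", "8.14.0", "8.15.0", "8.16.0"],
}


def parse_version(text: str) -> Version:
    """Numeric prefix only, so '6.1.14-jira-dc-8' compares as (6, 1, 14)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def in_range(v: Version, low: str, high: str) -> bool:
    """Inclusive check; each bound is compared on only the components it specifies."""
    lo, hi = parse_version(low), parse_version(high)
    return v[: len(lo)] >= lo and v[: len(hi)] <= hi


def assess(product: str, version_text: str) -> str:
    """'fixed', 'affected', or 'unlisted' (older than the fix for its x.y line
    but not in a listed range: treat as vulnerable until the advisory says otherwise)."""
    v = parse_version(version_text)
    fixes = [parse_version(f) for f in FIXED[product]]
    same_line = [f for f in fixes if f[:2] == v[:2]]
    if same_line and v >= min(same_line):
        return "fixed"
    if v >= max(fixes):  # newer than every fixed release on the page
        return "fixed"
    if any(in_range(v, lo, hi) for lo, hi in AFFECTED[product]):
        return "affected"
    return "unlisted"


def recommended_fix(product: str, version_text: str) -> str | None:
    """Smallest fixed release above the current one, preferring the same x.y line."""
    v = parse_version(version_text)
    newer = [f for f in FIXED[product] if parse_version(f) > v]
    same_line = [f for f in newer if parse_version(f)[:2] == v[:2]]
    pool = same_line or newer
    return min(pool, key=parse_version) if pool else None


# Constructed sample of what Jira Server/DC returns from GET /rest/api/2/serverInfo.
SAMPLE_SERVER_INFO = json.dumps({
    "baseUrl": "https://jira.example.internal",
    "version": "9.4.12",
    "deploymentType": "Server",
})


def version_from_server_info(body: str) -> str:
    """Pull the 'version' field out of a serverInfo response body."""
    return json.loads(body)["version"]


if __name__ == "__main__":
    jira_version = version_from_server_info(SAMPLE_SERVER_INFO)
    checks = [("jira-software", jira_version), ("confluence", "8.5.3"),
              ("bitbucket", "7.18.3"), ("jira-service-management", "5.12.0")]
    for product, ver in checks:
        print(f"{product:24} {ver:10} {assess(product, ver):9} "
              f"upgrade to: {recommended_fix(product, ver) or 'n/a'}")
```

Run it as-is to see the four constructed cases; in practice you would replace `SAMPLE_SERVER_INFO` with the real serverInfo body from each instance and loop over your inventory. The recommendation deliberately prefers the smallest jump within the same release line, because that is the upgrade you can usually do as a bug-fix (rolling) upgrade; whether to go further, to an LTS line, is a planning decision, not a triage one.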

Things to keep in mind as you Upgrade:

Marketplace Apps:

While upgrading Marketplace apps is often considered a “low-risk” operation, you should still do your due diligence: upgrade first in a non-production environment, then schedule the production upgrade for a change window so that, if something goes wrong, you have time to fix it.

Core products:

LTS, or Long-Term Support, versions get bug fixes backported for two years after release, so they have a longer window before they are deemed end-of-life. On Data Center, a bug-fix upgrade within the same feature version can usually be done as a zero-downtime (rolling) upgrade, so patching does not have to mean an outage. That is why sticking to an LTS line, and moving to the next one when it arrives, is often preferred. If you are not on an LTS version today, this is a good excuse to hop onto one; just check the product’s upgrade documentation before assuming a rolling upgrade is available across feature versions, and plan a change window if it is not.

What do you think?

I, for one, hope Atlassian has no more Christmas surprises for us. As I said recently on The Jira Life – CVEs tend to come in waves, so while hopefully, these are the last ones of 2023, I wouldn’t be surprised if we have a new batch not too long into the new year.  


Speaking of The Jira Life, I hope you will join us this week, as we will be talking with some of the Atlassians behind Atlassian University about all things Certification! Anyone who knows me knows this topic is near and dear to my heart. We will be live on YouTube on Thursday, Dec. 7, at 2 PM Pacific (5 PM Eastern).

Thank you to everyone who joined me last week at the various events! It was a challenging day, but it was SO rewarding! I’ll let you know if I have more live events, but I’m just sitting on pins and needles waiting for Atlassian to decide who will speak this year at Team ’24. I have submitted a few talks, a panel with five other Atlassian Creators, and a “The Jira Life” Panel, so I’m optimistic!  

But until next time, my name is Rodney, asking, “Have you updated your Jira issues today?”

1 Comment

  1. If CVEs affecting Atlassian products are snow, I am a **** Eskimo living on a snowy mountain 😦

    I am so sick of it, and now Atlassian feels the pain (and so do I) of heedlessly including way too many (open source) frameworks and 3rd-party software.

    I am always joking about Atlassian log files; they are so cluttered with 3rd-party stack traces and errors that if you are a newbie, you are lost and for sure think that the product is broken... but now, it’s everyday business with those logs: flooded and more or less unparseable.

    Almost even funnier and weirder, Atlassian was not hit by Log4Shell, as they forked it early on.

    But I do have several customers that are planning to leave the platform (and not for Cloud) due to the Server product being stopped, all those CVEs, and some have not forgotten the accidental deletion of Cloud instances either.

    All in all, I’m not impressed...

