Atlassian, a leading provider of team collaboration and productivity software, has released critical patches to address remote code execution (RCE) vulnerabilities in its Confluence and Bamboo products. In cases of successful exploitation, these vulnerabilities could allow authenticated attackers to manipulate system calls and execute arbitrary code, potentially leading to severe impacts on system integrity, confidentiality, and availability, reported The Hacker News.
According to the report, these vulnerabilities have been identified through the company’s bug bounty program, penetration testing procedures, and evaluations of third-party library scans. The most severe RCE vulnerability tracked down as CVE-2023-22508 with a CVSS score of 8.5 was detected in Confluence Data Center & Server version 7.4.0. Vulnerable versions span from 7.19.8 up to, but not including, 8.2.0. Versions 8.2.0 and beyond are immune to this specific exploit.
A second high-severity RCE issue detected as CVE-2023-22505 with a CVSS score of 8.0, was found in Data Center & Server version 8.0.0. Affected versions range from 8.0.0 up to, excepting 8.3.2 and 8.4.0. Versions 8.3.2 onwards and 8.4.0 and the following editions were not impacted.
Another flaw infecting Bamboo Data Center and Server is CVE-2023-22506. It’s a combination of an injection flaw with an RCE that can make the system security highly vulnerable. Tracked in version 8.0.0 of Bamboo Data Center, this flaw, with a CVSS score of 7.5, permits authenticated hackers to manipulate system call actions. Ultimately, it allows them to pose substantial risks to system uptime, privacy, and integrity. According to the report, the impacted versions range from 8.0.0 up to, but not incorporating, versions 9.2.3 and 9.3.1. Versions 9.2.3, 9.3.1, and subsequent releases are unaffected.
These high-severity vulnerabilities could be exploited by hackers without requiring any user interaction. The exploitation of these vulnerabilities could lead to unauthorised control of the compromised server, resulting in malware injection, data theft, and even massive operational disruptions.
In response to these critical security issues, Atlassian has promptly released patches for the vulnerabilities across its Confluence and Bamboo product lines. Users are strongly urged to update their software to the latest versions, or at least the swiftly released Confluence versions 8.3.2 and 8.4.0. Atlassian stack customers unable to upgrade to the recommended editions are advised to update at least to version 8.2.0, which addresses CVE-2023-22508. Atlassian also promptly released versions 9.2.3 and 9.3.1 of Bamboo Data Center, which can effectively address the CVE-2023-22506 issue. The report says that users need to quickly install the patches because these attacks can be executed without any user interaction.
Atlassian tools are aimed at enabling teams to power collaboration, thus improving their productivity. However, companies looking to completely leverage the benefits of the Atlassian stack might want to invest in a high-end managed service provider (MSP) like Automation Consultants. By collaborating with expert MSPs, teams can keep their Atlassian stack performing at their best while reducing the risk of operational disruptions and unplanned downtime.
The recently patched RCE flaws in Confluence and Bamboo products emphasise Atlassian’s commitment to protecting customer security. The report highlights the company’s statement: “While this change results in an increase of visibility and disclosures, it does not mean there are more vulnerabilities. Rather, we are taking a more proactive approach to vulnerability transparency and are committed to providing our customers with the information they need to make informed decisions about updating our products.”
Sohela is an electrical engineer and a self-professed writer with a keen interest in all things tech. When she’s not writing killer content pieces, you’ll find her enjoying tempting foods in her favourite restaurants.