Atlassian Family January 2024 Security Update Advisory

Overview

An update has been made available to address a vulnerability in the Atlassian Confluence product. Users of affected versions are encouraged to update to the latest version.

Affected Products

CVE-2022-42252

  • Jira Software Data Center and Server versions 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.4.10, 9.4.11


CVE-2020-25649

  • Jira Software Data Center and Server versions 8.20.0, 9.4.0, 9.5.0, 9.4.1, 9.6.0, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.4.10, 9.4.11, 9.4.12

CVE-2022-44729

  • Jira Service Management Data Center and Server versions 4.20.0, 5.4.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0

CVE-2021-40690

  • Crowd Data Center and Server, all versions below 5.2.2

CVE-2023-46589

  • Crowd Data Center and Server versions 3.4.6, 5.2.0, 5.1.6, 5.2.1, 5.2.2, 5.1.7, and 5.0.9


CVE-2023-3635

  • Confluence Data Center and Server versions 7.13.0, 7.19.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0

CVE-2023-22526

  • Confluence Data Center and Server versions 7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 7.19.6, 7.19.7, 7.19.8, 7.19.9, 7.19.10, 7.19.11, 7.19.12, 7.19.14, 7.19.15, 7.19.16

CVE-2024-21672, CVE-2024-21673, CVE-2024-21674

  • Confluence Data Center and Server versions 7.13.0, 7.19.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1


CVE-2023-43642, CVE-2023-46589

  • Bitbucket Data Center and Server versions 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.21.8, 7.21.9, 7.21.10, 7.21.11, 7.21.12, 7.21.13, 8.9.0, 8.9.1, 8.9.2, 8.10.0, 8.11.0, 8.12.0, 8.9.3, 7.21.14, 7.21.15, 8.9.4, 8.12.1, 8.13.0, 8.14.0, 8.13.1, 8.9.5, 8.12.2, 7.21.16, 8.15.0, 7.21.17, 8.9.6, 8.12.3, 8.13.2, 8.14.1, 8.16.0, 7.21.18, 8.9.7, 8.12.4, 8.13.3, 8.14.2, 8.15.1, 7.21.19, 8.9.8, 8.12.5, 8.13.4, 8.14.3, 8.15.2, 8.16.1, 8.14.0-EAP01, 7.21.20

CVE-2023-6481, CVE-2023-6378

  • Bitbucket Data Center and Server versions 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.21.8, 7.21.9, 7.21.10, 7.21.11, 7.21.12, 7.21.13, 8.9.0, 8.9.1, 8.9.2, 8.11.0, 8.12.0, 8.9.3, 7.21.14, 7.21.15, 8.9.4, 8.12.1, 8.13.0, 8.14.0, 8.13.1, 8.9.5, 8.12.2, 7.21.16, 8.15.0, 7.21.17, 8.9.6, 8.12.3, 8.13.2, 8.14.1, 8.16.0, 7.21.18, 8.9.7, 8.12.4, 8.13.3, 8.14.2, 8.15.1, 8.9.8, 8.12.5, 8.13.4, 8.14.3, 8.15.2, 8.16.1, 8.14.0-EAP01

CVE-2023-34455, CVE-2023-34454, CVE-2023-34453

  • Bitbucket Data Center and Server versions 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.21.8, 7.21.9, 7.21.10, 7.21.11, 7.21.12, 7.21.13, 8.7.0, 8.8.0, 8.9.0, 8.9.1, 8.9.2, 8.10.0, 8.10.1, 8.10.2, 8.11.0, 8.11.1, 8.12.0, 8.9.3, 8.10.3, 8.11.2, 7.21.14, 7.21.15, 8.9.4, 8.10.4, 8.11.3, 8.12.1, 8.13.0, 7.21.16, 7.21.17, 7.21.18

CVE-2023-36478

  • Bitbucket Data Center and Server versions 8.9.0, 8.9.1, 8.9.2, 8.10.0, 8.11.0, 8.12.0, 8.9.3, 8.9.4, 8.12.1, 8.13.0, 8.14.0, 8.13.1, 8.9.5, 8.12.2, 8.15.0, 8.9.6, 8.12.3, 8.13.2, 8.14.1, 8.16.0, 8.9.7, 8.12.4, 8.13.3, 8.14.2, 8.15.1, 8.14.0-EAP01

CVE-2023-5072

  • Bitbucket Data Center and Server versions 7.17.0, 7.21.15, 8.9.4, 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.13.1, 8.9.5, 8.11.4, 8.12.2, 7.21.16, 8.15.0, 7.21.17, 8.9.6, 8.11.5, 8.12.3, 8.13.2, 8.14.1, 7.21.18

CVE-2023-36478, CVE-2023-39410

  • Bamboo Data Center and Server versions 9.3.0, 9.2.1, 9.2.3, 9.4.0, 9.3.1, 9.2.4, 9.3.2, 9.2.5, 9.3.3, 9.3.4, 9.2.6, 9.2.7, 9.3.5, 9.4.1

CVE-2020-26217, CVE-2017-7957, CVE-2022-4244

  • Bamboo Data Center and Server versions 9.2.1, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7

CVE-2018-10054

  • Bamboo Data Center and Server versions 9.1.0, 9.3.0, 9.2.1, 9.2.3, 9.4.0, 9.3.1, 9.2.4, 9.3.2, 9.2.5, 9.3.3, 9.3.4, 9.2.6, 9.2.7, 9.3.5, 9.4.1

CVE-2023-5072

  • Bamboo Data Center and Server versions 9.3.0, 9.2.3, 9.4.0, 9.3.1, 9.2.4, 9.3.2, 9.2.5, 9.3.3, 9.3.4, 9.2.6, 9.4.1

CVE-2023-46589

  • Bamboo Data Center and Server versions 9.3.0, 9.2.1, 9.2.3, 9.4.0, 9.3.1, 9.2.4, 9.3.2, 9.2.5, 9.3.3, 9.3.4, 9.2.6, 9.2.7, 9.3.5, 9.4.1

CVE-2022-40152

  • Bamboo Data Center and Server versions 9.2.1, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.0, 9.2.2, 9.2.7, 9.2.8

Resolved Vulnerabilities


Request Smuggling vulnerability in Jira Software Data Center and Server org.apache.tomcat:tomcat-coyote (CVE-2022-42252)

XXE Vulnerability in Jira Software Data Center and Server jackson-databind (CVE-2020-25649)

SSRF Vulnerability in Jira Service Management Data Center and Server org.apache.xmlgraphics:batik-bridge (CVE-2022-44729)

Information Disclosure Vulnerability in Crowd Data Center and Server org.apache.santuario:xmlsec (CVE-2021-40690)

Improper Input Validation Vulnerability in Crowd Data Center and Server org.apache.tomcat:tomcat-catalina (CVE-2023-46589)

DoS Vulnerability in Confluence Data Center and Server com.squareup.okio:okio-jvm (CVE-2023-3635)

RCE vulnerabilities in Confluence Data Center and Server (CVE-2023-22526, CVE-2024-21672, CVE-2024-21673, CVE-2024-21674)

DoS Vulnerability in Bitbucket Data Center and Server org.xerial.snappy:snappy-java (CVE-2023-43642)

DoS Vulnerability in Bitbucket Data Center and Server ch.qos.logback:logback-core (CVE-2023-6481, CVE-2023-6378)

Request Smuggling Vulnerability in Bitbucket Data Center and Server org.apache.tomcat.embed:tomcat-embed-core (CVE-2023-46589)

DoS Vulnerability in Bitbucket Data Center and Server org.xerial.snappy:snappy-java (CVE-2023-34455, CVE-2023-34454, CVE-2023-34453)

DoS Vulnerability in Bitbucket Data Center and Server org.eclipse.jetty:jetty-http (CVE-2023-36478)

DoS Vulnerability in Bitbucket Data Center and Server org.json:json (CVE-2023-5072)

DoS Vulnerability in Bamboo Data Center and Server org.eclipse.jetty:jetty-http (CVE-2023-36478)

DoS Vulnerability in Bamboo Data Center and Server org.apache.avro:avro (CVE-2023-39410)

RCE Vulnerability in Bamboo Data Center and Server org.jvnet.hudson:xstream (CVE-2020-26217)

DoS Vulnerability in Bamboo Data Center and Server org.jvnet.hudson:xstream (CVE-2017-7957)

Information Disclosure Vulnerability in Bamboo Data Center and Server org.codehaus.plexus:plexus-utils (CVE-2022-4244)

RCE Vulnerability in Bamboo Data Center and Server com.h2database:h2 (CVE-2018-10054)

DoS Vulnerability in Bamboo Data Center and Server org.json:json (CVE-2023-5072)

Request Smuggling Vulnerability in Bamboo Data Center and Server org.apache.tomcat:tomcat-catalina (CVE-2023-46589)

DoS Vulnerability in Bamboo Data Center and Server com.fasterxml.woodstox:woodstox-core (CVE-2022-40152)

Vulnerability Patches

Vulnerability patches were made available in the January 16, 2024 update. Please follow the instructions on the reference site to update to the latest patched version.

CVE-2022-42252

  • Jira Software Data Center and Server version 9.4.12


CVE-2020-25649

  • Jira Software Data Center and Server versions 9.7.0, 9.4.13

CVE-2022-44729

  • Jira Service Management Data Center and Server versions 4.20.30, 5.4.15, and 5.12.2


CVE-2021-40690

  • Crowd Data Center and Server version 5.2.2


CVE-2023-46589

  • Crowd Data Center and Server versions 5.2.3, 5.1.8, and 5.0.10


CVE-2023-3635

  • Confluence Data Center and Server versions 8.5.4, 7.19.17, 8.6.2, 8.4.5, and 8.7.1


CVE-2023-22526

  • Confluence Data Center and Server versions 7.19.17, 8.8.0, 8.7.2, 8.5.5


CVE-2024-21672, CVE-2024-21673, CVE-2024-21674

  • Confluence Data Center and Server versions 8.7.2, 7.19.18, and 8.5.5


CVE-2023-43642, CVE-2023-46589

  • Bitbucket Data Center and Server versions 8.17.0, 8.16.2, 8.9.9, 8.13.5, 8.14.4, 8.15.3, 7.21.21

CVE-2023-6481, CVE-2023-6378

  • Bitbucket Data Center and Server versions 7.21.19, 8.17.0, 8.16.2, 8.9.9, 8.13.5, 8.14.4, 8.15.3

CVE-2023-34455, CVE-2023-34454, CVE-2023-34453

  • Bitbucket Data Center and Server versions 8.14.0, 8.13.1, 8.9.5, 7.21.21

CVE-2023-36478

  • Bitbucket Data Center and Server versions 8.9.8, 8.13.4, 8.14.3, 8.15.2, 8.17.0, 8.16.1


CVE-2023-5072

  • Bitbucket Data Center and Server versions 8.16.0, 8.9.7, 8.13.3, 8.14.2, 8.15.1, 7.21.19


CVE-2023-36478, CVE-2023-39410

  • Bamboo Data Center and Server versions 9.4.2, 9.2.8, 9.3.6

CVE-2020-26217, CVE-2017-7957, CVE-2022-4244

  • Bamboo Data Center and Server version 9.2.8


CVE-2018-10054, CVE-2023-46589

  • Bamboo Data Center and Server versions 9.4.2, 9.2.8, and 9.3.6


CVE-2023-5072

  • Bamboo Data Center and Server versions 9.2.7, 9.3.5, and 9.4.2


CVE-2022-40152

  • Bamboo Data Center and Server version 9.2.9


Reference Sites


[1] Security Bulletin – January 16 2024
https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html
[2] Request Smuggling org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server
https://jira.atlassian.com/browse/JSWSERVER-25468
[3] XXE (XML External Entity Injection) jackson-databind in Jira Software Data Center and Server
https://jira.atlassian.com/browse/JSWSERVER-25461
[4] SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server
https://jira.atlassian.com/browse/JSDSERVER-14958
[5] Info Disclosure org.apache.santuario:xmlsec Dependency in Crowd Data Center and Server
https://jira.atlassian.com/browse/CWD-6190
[6] Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server
https://jira.atlassian.com/browse/CWD-6191
[7] DoS (Denial of Service) com.squareup.okio:okio-jvm Dependency in Confluence Data Center and Server
https://jira.atlassian.com/browse/CONFSERVER-93623
[8] RCE (Remote Code Execution) in Confluence Data Center and Server
https://jira.atlassian.com/browse/CONFSERVER-93516
[9] RCE (Remote Code Execution) in Confluence Data Center and Server
https://jira.atlassian.com/browse/CONFSERVER-94064
[10] RCE (Remote Code Execution) in Confluence Data Center and Server
https://jira.atlassian.com/browse/CONFSERVER-94065
[11] RCE (Remote Code Execution) in Confluence Data Center and Server
https://jira.atlassian.com/browse/CONFSERVER-94066
[12] DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19100
[13] DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19099
[14] DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19098
[15] Request Smuggling org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19097
[16] DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19096
[17] DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19095
[18] DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19094
[19] DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19044
[20] DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19037
[21] DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25623
[22] DoS (Denial of Service) org.apache.avro:avro Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25622
[23] RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25614
[24] DoS (Denial of Service) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25613
[25] Woodstox Vulnerability in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25640
[26] Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25606
[27] DoS (Denial of Service) org.json:json Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25607
[28] RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25609
[29] Info Disclosure org.codehaus.plexus:plexus-utils Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25612