Security Advisory

Atlassian Product Family: January 2024 Security Update Advisory

Overview

Updates have been released that address vulnerabilities in Atlassian Confluence products. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2022-42252

  • Jira Software Data Center and Server versions 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.4.10, 9.4.11

CVE-2020-25649

  • Jira Software Data Center and Server versions 8.20.0, 9.4.0, 9.5.0, 9.4.1, 9.6.0, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.4.10, 9.4.11, 9.4.12

CVE-2022-44729

  • Jira Service Management Data Center and Server versions 4.20.0, 5.4.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0

CVE-2021-40690

  • Crowd Data Center and Server, all versions earlier than 5.2.2

CVE-2023-46589

  • Crowd Data Center and Server versions 3.4.6, 5.2.0, 5.1.6, 5.2.1, 5.2.2, 5.1.7, 5.0.9

CVE-2023-3635

  • Confluence Data Center and Server versions 7.13.0, 7.19.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0

CVE-2023-22526

  • Confluence Data Center and Server versions 7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 7.19.6, 7.19.7, 7.19.8, 7.19.9, 7.19.10, 7.19.11, 7.19.12, 7.19.14, 7.19.15, 7.19.16

CVE-2024-21672, CVE-2024-21673, CVE-2024-21674

  • Confluence Data Center and Server versions 7.13.0, 7.19.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1

CVE-2023-43642, CVE-2023-46589

  • Bitbucket Data Center and Server versions 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.21.8, 7.21.9, 7.21.10, 7.21.11, 7.21.12, 7.21.13, 8.9.0, 8.9.1, 8.9.2, 8.10.0, 8.11.0, 8.12.0, 8.9.3, 7.21.14, 7.21.15, 8.9.4, 8.12.1, 8.13.0, 8.14.0, 8.13.1, 8.9.5, 8.12.2, 7.21.16, 8.15.0, 7.21.17, 8.9.6, 8.12.3, 8.13.2, 8.14.1, 8.16.0, 7.21.18, 8.9.7, 8.12.4, 8.13.3, 8.14.2, 8.15.1, 7.21.19, 8.9.8, 8.12.5, 8.13.4, 8.14.3, 8.15.2, 8.16.1, 8.14.0-eap01, 7.21.20

CVE-2023-6481, CVE-2023-6378

  • Bitbucket Data Center and Server versions 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.21.8, 7.21.9, 7.21.10, 7.21.11, 7.21.12, 7.21.13, 8.9.0, 8.9.1, 8.9.2, 8.11.0, 8.12.0, 8.9.3, 7.21.14, 7.21.15, 8.9.4, 8.12.1, 8.13.0, 8.14.0, 8.13.1, 8.9.5, 8.12.2, 7.21.16, 8.15.0, 7.21.17, 8.9.6, 8.12.3, 8.13.2, 8.14.1, 8.16.0, 7.21.18, 8.9.7, 8.12.4, 8.13.3, 8.14.2, 8.15.1, 8.9.8, 8.12.5, 8.13.4, 8.14.3, 8.15.2, 8.16.1, 8.14.0-eap01

CVE-2023-34455, CVE-2023-34454, CVE-2023-34453

  • Bitbucket Data Center and Server versions 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.21.8, 7.21.9, 7.21.10, 7.21.11, 7.21.12, 7.21.13, 8.7.0, 8.8.0, 8.9.0, 8.9.1, 8.9.2, 8.10.0, 8.10.1, 8.10.2, 8.11.0, 8.11.1, 8.12.0, 8.9.3, 8.10.3, 8.11.2, 7.21.14, 7.21.15, 8.9.4, 8.10.4, 8.11.3, 8.12.1, 8.13.0, 7.21.16, 7.21.17, 7.21.18

CVE-2023-36478

  • Bitbucket Data Center and Server versions 8.9.0, 8.9.1, 8.9.2, 8.10.0, 8.11.0, 8.12.0, 8.9.3, 8.9.4, 8.12.1, 8.13.0, 8.14.0, 8.13.1, 8.9.5, 8.12.2, 8.15.0, 8.9.6, 8.12.3, 8.13.2, 8.14.1, 8.16.0, 8.9.7, 8.12.4, 8.13.3, 8.14.2, 8.15.1, 8.14.0-eap01

CVE-2023-5072

  • Bitbucket Data Center and Server versions 7.17.0, 7.21.15, 8.9.4, 8.10.4, 8.11.3, 8.12.1, 8.13.0, 8.14.0, 8.13.1, 8.9.5, 8.11.4, 8.12.2, 7.21.16, 8.15.0, 7.21.17, 8.9.6, 8.11.5, 8.12.3, 8.13.2, 8.14.1, 7.21.18

CVE-2023-36478, CVE-2023-39410

  • Bamboo Data Center and Server versions 9.3.0, 9.2.1, 9.2.3, 9.4.0, 9.3.1, 9.2.4, 9.3.2, 9.2.5, 9.3.3, 9.3.4, 9.2.6, 9.2.7, 9.3.5, 9.4.1

CVE-2020-26217, CVE-2017-7957, CVE-2022-4244

  • Bamboo Data Center and Server versions 9.2.1, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7

CVE-2018-10054

  • Bamboo Data Center and Server versions 9.1.0, 9.3.0, 9.2.1, 9.2.3, 9.4.0, 9.3.1, 9.2.4, 9.3.2, 9.2.5, 9.3.3, 9.3.4, 9.2.6, 9.2.7, 9.3.5, 9.4.1

CVE-2023-5072

  • Bamboo Data Center and Server versions 9.3.0, 9.2.3, 9.4.0, 9.3.1, 9.2.4, 9.3.2, 9.2.5, 9.3.3, 9.3.4, 9.2.6, 9.4.1

CVE-2023-46589

  • Bamboo Data Center and Server versions 9.3.0, 9.2.1, 9.2.3, 9.4.0, 9.3.1, 9.2.4, 9.3.2, 9.2.5, 9.3.3, 9.3.4, 9.2.6, 9.2.7, 9.3.5, 9.4.1

CVE-2022-40152

  • Bamboo Data Center and Server versions 9.2.1, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.0, 9.2.2, 9.2.7, 9.2.8

Resolved Vulnerabilities

Request smuggling vulnerability in the org.apache.tomcat:tomcat-coyote dependency of Jira Software Data Center and Server (CVE-2022-42252)

XXE vulnerability in the jackson-databind dependency of Jira Software Data Center and Server (CVE-2020-25649)

SSRF vulnerability in the org.apache.xmlgraphics:batik-bridge dependency of Jira Service Management Data Center and Server (CVE-2022-44729)

Information disclosure vulnerability in the org.apache.santuario:xmlsec dependency of Crowd Data Center and Server (CVE-2021-40690)

Improper input validation vulnerability in the org.apache.tomcat:tomcat-catalina dependency of Crowd Data Center and Server (CVE-2023-46589)

DoS vulnerability in the com.squareup.okio:okio-jvm dependency of Confluence Data Center and Server (CVE-2023-3635)

RCE vulnerability in Confluence Data Center and Server (CVE-2023-22526, CVE-2024-21672, CVE-2024-21673, CVE-2024-21674)

DoS vulnerability in the org.xerial.snappy:snappy-java dependency of Bitbucket Data Center and Server (CVE-2023-43642)

DoS vulnerability in the ch.qos.logback:logback-core dependency of Bitbucket Data Center and Server (CVE-2023-6481, CVE-2023-6378)

Request smuggling vulnerability in the org.apache.tomcat.embed:tomcat-embed-core dependency of Bitbucket Data Center and Server (CVE-2023-46589)

DoS vulnerability in the org.xerial.snappy:snappy-java dependency of Bitbucket Data Center and Server (CVE-2023-34455, CVE-2023-34454, CVE-2023-34453)

DoS vulnerability in the org.eclipse.jetty:jetty-http dependency of Bitbucket Data Center and Server (CVE-2023-36478)

DoS vulnerability in the org.json:json dependency of Bitbucket Data Center and Server (CVE-2023-5072)

DoS vulnerability in the org.eclipse.jetty:jetty-http dependency of Bamboo Data Center and Server (CVE-2023-36478)

DoS vulnerability in the org.apache.avro:avro dependency of Bamboo Data Center and Server (CVE-2023-39410)

RCE vulnerability in the org.jvnet.hudson:xstream dependency of Bamboo Data Center and Server (CVE-2020-26217)

DoS vulnerability in the org.jvnet.hudson:xstream dependency of Bamboo Data Center and Server (CVE-2017-7957)

Information disclosure vulnerability in the org.codehaus.plexus:plexus-utils dependency of Bamboo Data Center and Server (CVE-2022-4244)

RCE vulnerability in the com.h2database:h2 dependency of Bamboo Data Center and Server (CVE-2018-10054)

DoS vulnerability in the org.json:json dependency of Bamboo Data Center and Server (CVE-2023-5072)

Request smuggling vulnerability in the org.apache.tomcat:tomcat-catalina dependency of Bamboo Data Center and Server (CVE-2023-46589)

DoS vulnerability in the com.fasterxml.woodstox:woodstox-core dependency of Bamboo Data Center and Server (CVE-2022-40152)

Vulnerability Patches

Patches for these vulnerabilities were provided in the January 16, 2024 update. Follow the guidance at the reference sites below and update to the latest patched version.

CVE-2022-42252

  • Jira Software Data Center and Server version 9.4.12

CVE-2020-25649

  • Jira Software Data Center and Server versions 9.7.0, 9.4.13

CVE-2022-44729

  • Jira Service Management Data Center and Server versions 4.20.30, 5.4.15, 5.12.2

CVE-2021-40690

  • Crowd Data Center and Server version 5.2.2

CVE-2023-46589

  • Crowd Data Center and Server versions 5.2.3, 5.1.8, 5.0.10

CVE-2023-3635

  • Confluence Data Center and Server versions 8.5.4, 7.19.17, 8.6.2, 8.4.5, 8.7.1

CVE-2023-22526

  • Confluence Data Center and Server versions 7.19.17, 8.8.0, 8.7.2, 8.5.5

CVE-2024-21672, CVE-2024-21673, CVE-2024-21674

  • Confluence Data Center and Server versions 8.7.2, 7.19.18, 8.5.5

CVE-2023-43642, CVE-2023-46589

  • Bitbucket Data Center and Server versions 8.17.0, 8.16.2, 8.9.9, 8.13.5, 8.14.4, 8.15.3, 7.21.21

CVE-2023-6481, CVE-2023-6378

  • Bitbucket Data Center and Server versions 7.21.19, 8.17.0, 8.16.2, 8.9.9, 8.13.5, 8.14.4, 8.15.3

CVE-2023-34455, CVE-2023-34454, CVE-2023-34453

  • Bitbucket Data Center and Server versions 8.14.0, 8.13.1, 8.9.5, 7.21.21

CVE-2023-36478

  • Bitbucket Data Center and Server versions 8.9.8, 8.13.4, 8.14.3, 8.15.2, 8.17.0, 8.16.1

CVE-2023-5072

  • Bitbucket Data Center and Server versions 8.16.0, 8.9.7, 8.13.3, 8.14.2, 8.15.1, 7.21.19

CVE-2023-36478, CVE-2023-39410

  • Bamboo Data Center and Server versions 9.4.2, 9.2.8, 9.3.6

CVE-2020-26217, CVE-2017-7957, CVE-2022-4244

  • Bamboo Data Center and Server version 9.2.8

CVE-2018-10054, CVE-2023-46589

  • Bamboo Data Center and Server versions 9.4.2, 9.2.8, 9.3.6

CVE-2023-5072

  • Bamboo Data Center and Server versions 9.2.7, 9.3.5, 9.4.2

CVE-2022-40152

  • Bamboo Data Center and Server version 9.2.9

References

[1] Security Bulletin – January 16 2024
https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html
[2] Request Smuggling org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server
https://jira.atlassian.com/browse/JSWSERVER-25468
[3] XXE (XML External Entity Injection) jackson-databind in Jira Software Data Center and Server
https://jira.atlassian.com/browse/JSWSERVER-25461
[4] SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server
https://jira.atlassian.com/browse/JSDSERVER-14958
[5] Info Disclosure org.apache.santuario:xmlsec Dependency in Crowd Data Center and Server
https://jira.atlassian.com/browse/CWD-6190
[6] Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server
https://jira.atlassian.com/browse/CWD-6191
[7] DoS (Denial of Service) com.squareup.okio:okio-jvm Dependency in Confluence Data Center and Server
https://jira.atlassian.com/browse/CONFSERVER-93623
[8] RCE (Remote Code Execution) in Confluence Data Center and Server
https://jira.atlassian.com/browse/CONFSERVER-93516
[9] RCE (Remote Code Execution) in Confluence Data Center and Server
https://jira.atlassian.com/browse/CONFSERVER-94064
[10] RCE (Remote Code Execution) in Confluence Data Center and Server
https://jira.atlassian.com/browse/CONFSERVER-94065
[11] RCE (Remote Code Execution) in Confluence Data Center and Server
https://jira.atlassian.com/browse/CONFSERVER-94066
[12] DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19100
[13] DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19099
[14] DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19098
[15] Request Smuggling org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19097
[16] DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19096
[17] DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19095
[18] DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19094
[19] DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19044
[20] DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server
https://jira.atlassian.com/browse/BSERV-19037
[21] DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25623
[22] DoS (Denial of Service) org.apache.avro:avro Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25622
[23] RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25614
[24] DoS (Denial of Service) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25613
[25] Woodstox Vulnerability in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25640
[26] Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25606
[27] DoS (Denial of Service) org.json:json Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25607
[28] RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25609
[29] Info Disclosure org.codehaus.plexus:plexus-utils Dependency in Bamboo Data Center and Server
https://jira.atlassian.com/browse/BAM-25612