Serious vulnerabilities in Atlassian products including Confluence, Jira and Bitbucket

This Alert is relevant to Australians who use Atlassian products including Confluence, Jira and Bitbucket.

Background / What has happened?

• Atlassian have released patches for security vulnerabilities in certain products including many versions of Confluence, Jira and Bitbucket.
• Three of these vulnerabilities are critical and of concern (CVE-2023-22522, CVE-2023-22523 and CVE-2022-1471)
• The Australian Signal Directorate’s Australian Cyber Security Centre (ASD’s ACSC) notes that previous critical vulnerabilities in Confluence and Jira have had significant exploitation by malicious cyber actors.
• Patch differential analysis, a technique frequently used by malicious cyber actors to reverse engineer patched vulnerabilities, will likely be performed against Atlassian’s patches. An exploitation campaign targeting these vulnerabilities is more likely than not.
• Operators should act now to secure their systems before an exploitation campaign begins.
• Atlassian Cloud operated sites are not affected.
• Another critical vulnerability also has been fixed in the MacOS Atlassian Companion Application (CVE-2023-22524). This vulnerability requires user interaction, but is still critical and operators are advised to patch.
• Additional Information can be found in the following vendor advisories:
  • https://confluence.atlassian.com/security/cve-2023-22522-rce-vulnerability-in-confluence-data-center-and-confluence-server-1319570362.html
  • https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html
  • https://confluence.atlassian.com/security/cve-2023-22523-rce-vulnerability-in-assets-discovery-1319248914.html
  • https://confluence.atlassian.com/security/cve-2023-22524-rce-vulnerability-in-atlassian-companion-app-for-macos-1319249492.html

Mitigation / How do I stay secure?

• If you operate Confluence, Jira or Bitbucket, particularly in internet facing configurations, review the vendor advisories to determine if you are affected
• If you are affected carefully apply all vendor recommended mitigations.
• Reassess whether your system needs to be internet facing and filter from the internet if possible.

Assistance / Where can I go for help?

Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).