
Atlassian Jira Privileged RCE and More Atlassian Vulnerabilities

8th December 2023

Summary

On Tuesday Atlassian published a security bulletin for a critical severity vulnerability in the Assets Discovery agent for Jira Service Management Cloud, Jira Service Management Server, and Jira Service Management Data Center. CVE-2023-22523 (CVSS:3.0: 9.8) is a Remote Code Execution (RCE) vulnerability that, if exploited, allows an attacker to execute code with elevated privileges. At this time, there are no reports of an active exploit. There is a high potential impact to confidentiality, integrity, and availability, as an attacker can obtain privileged access.

Affected Versions

This vulnerability affects all versions prior to Assets Discovery 3.2.0-cloud (Cloud) and 6.2.0 (Data Center and Server).

Jira Service Management Cloud, Assets Discovery:

  • Insight Discovery 1.0 – 3.1.3
  • Assets Discovery 3.1.4 – 3.1.7
  • Assets Discovery 3.1.8-cloud – 3.1.11-cloud

Jira Service Management Data Center and Server, Assets Discovery:

  • Insight Discovery 1.0 – 3.1.7
  • Assets Discovery 3.1.9 – 3.1.11
  • Assets Discovery 6.0.0 – 6.1.14, 6.1.14-jira-dc-8

Fixed Version

  • Jira Service Management Cloud: Assets Discovery 3.2.0-cloud or later
  • Jira Service Management Data Center and Server: Assets Discovery 6.2.0 or later
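To triage installed agents against the ranges above, here is an added Python helper (not Atlassian tooling; the `cloud`/`dc_server` keys and the function names are my own) that matches a reported version string to the affected ranges listed in this bulletin and checks it against the fixed versions:

```python
"""Constructed triage helper for CVE-2023-22523; ranges copied from the bulletin."""
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the bulletin: (product, lowest, highest).
AFFECTED = {
    "cloud": [
        ("Insight Discovery", "1.0", "3.1.3"),
        ("Assets Discovery", "3.1.4", "3.1.7"),
        ("Assets Discovery", "3.1.8-cloud", "3.1.11-cloud"),
    ],
    "dc_server": [
        ("Insight Discovery", "1.0", "3.1.7"),
        ("Assets Discovery", "3.1.9", "3.1.11"),
        ("Assets Discovery", "6.0.0", "6.1.14-jira-dc-8"),
    ],
}
FIXED = {"cloud": "3.2.0-cloud", "dc_server": "6.2.0"}

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric prefix of a version as an int tuple; build qualifiers such as
    '-cloud' or '-jira-dc-8' are ignored for ordering purposes."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))

def compare(a: str, b: str) -> int:
    """Three-way compare (-1, 0, 1); '1.0' and '1.0.0' are treated as equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta, tb = ta + (0,) * (n - len(ta)), tb + (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)

def affected_range(deployment: str, version: str) -> Optional[str]:
    """Return the listed range that covers `version` for 'cloud' or
    'dc_server', or None if no listed range matches."""
    for product, low, high in AFFECTED[deployment]:
        if compare(low, version) <= 0 and compare(version, high) <= 0:
            return f"{product} {low} - {high}"
    return None

def needs_update(deployment: str, version: str) -> bool:
    """True when the installed agent is below the bulletin's fixed version."""
    return compare(version, FIXED[deployment]) < 0

if __name__ == "__main__":
    for dep, ver in [("cloud", "3.1.10-cloud"), ("dc_server", "6.2.0")]:
        print(dep, ver, affected_range(dep, ver), needs_update(dep, ver))
```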

Recommendations

Due to the critical severity of this vulnerability, organisations are recommended to take immediate action to protect their systems.

  1. Uninstall Assets Discovery agents
  2. Apply the Assets Discovery application patch
  3. Reinstall Assets Discovery agents

If you are unable to immediately uninstall the Assets Discovery agents, Atlassian recommends blocking the port used for communication with the agents, which is port 51337 by default, as a temporary mitigation.

More Vulnerabilities

CVE-2023-22522 (CVSS:3.0: 9.0 – Critical) – Confluence Data Center and Confluence Server – Template Injection vulnerability in Confluence pages

CVE-2023-22524 (CVSS:3.0: 9.6 – Critical) – Atlassian Companion App for macOS – RCE Vulnerability by bypassing the Companion’s blocklist and macOS Gatekeeper

CVE-2022-1471 (CVSS:3.0: 9.8 – Critical) – Multiple Products – SnakeYAML library RCE Vulnerability