=====================================================================

                              CERT-Renater

                    Note d'Information No. 2023/VULN422

_____________________________________________________________________

DATE                : 20/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running
                     Confluence Server and Data Center versions prior
                       to 8.3.3, 8.4.3, 8.5.2;
                     Jira Service Management Data Center and Server
                       versions prior to 4.20.27, 5.4.11;
                     Bitbucket Data Center and Server versions prior
                       to 7.21.16, 8.9.4, 8.10.4, 8.11.3, 8.12.1,
                       8.13.1;
                     Bamboo Data Center and Server versions prior to
                       9.2.5, 9.3.1, 9.3.3;
                     Sourcetree for Windows versions prior to 3.4.15;
                     Sourcetree for Mac versions prior to 4.2.5.

=====================================================================
https://confluence.atlassian.com/security/security-bulletin-october-17-2023-1299929380.html
_____________________________________________________________________

Security Bulletin - October 17 2023
October 2023 Security Bulletin

It is important to note that the issues included in this bulletin
reflect a recent increase in the scope of our disclosures. Previously
we focused on disclosing first-party, critical-severity
vulnerabilities via critical advisories. The high-severity
vulnerabilities included in this bulletin have a lower impact than
the critical advisories we have published previously. While this
change results in an increase in visibility and disclosures, it does
not mean there are more vulnerabilities; rather, we are taking a more
proactive approach to vulnerability transparency and are committed to
providing our customers with the information they need to make
informed decisions about updating our products.

The vulnerabilities reported in this security bulletin include 2
critical and 26 high-severity vulnerabilities which have been fixed
in new versions of our products released in the last month. These
vulnerabilities were discovered via our Bug Bounty program and
pen-testing processes, as well as third-party library scans.


Released Security Vulnerabilities

Grouped by product. Within each group, each entry gives the summary,
then severity, CVSS score, CVE ID and reference (the product advisory
or the tracking issue). Affected versions and public date are those
given in the group header unless an entry states otherwise.

Confluence Data Center and Server
(affected: all versions including and after 8.0.0; public date
Oct 4, 2023)

  Broken Access Control Vulnerability
    Critical   CVSS 10.0   CVE-2023-22515   Advisory

Jira Service Management Data Center and Server
(affected: all versions including and after 4.20.0; public date
Oct 17, 2023)

  XXE (XML External Entity Injection)
    Critical   CVSS 9.8    CVE-2019-13990   Advisory

  com.google.protobuf:protobuf-java Vulnerability
    High       CVSS 7.5    CVE-2022-3509    JSDSERVER-14755

  com.google.protobuf:protobuf-java Vulnerability
    High       CVSS 7.5    CVE-2022-3171    JSDSERVER-14754

  com.google.protobuf:protobuf-java Vulnerability
    High       CVSS 5.5    CVE-2021-22569   JSDSERVER-14753

  FasterXML Vulnerability
    High       CVSS 7.5    CVE-2022-42004   JSDSERVER-14752

  FasterXML Vulnerability
    High       CVSS 7.5    CVE-2022-42003   JSDSERVER-14751

  jackson-databind Vulnerability
    High       CVSS 7.5    CVE-2021-46877   JSDSERVER-14750

  jackson-databind Vulnerability
    High       CVSS 7.5    CVE-2020-36518   JSDSERVER-14749

  Json-smart Vulnerability
    High       CVSS 7.5    CVE-2021-31684   JSDSERVER-14748

  Json-smart Vulnerability
    High       CVSS 7.5    CVE-2023-1370    JSDSERVER-14746

Sourcetree for Mac and Windows
(affected: all Windows versions including and after 3.4.0 and all
Mac versions including and after 4.1.0; public date Oct 17, 2023)

  RCE (Remote Code Execution)
    High       CVSS 7.8    CVE-2023-22514   SRCTREE-8076

Bitbucket Data Center and Server
(affected: all versions including and after 7.17.0 unless stated;
public date Oct 17, 2023)

  Apache Kafka Connect API Vulnerability
    Affected: all versions including and after 7.21.0
    High       CVSS 8.8    CVE-2023-25194   BSERV-18834

  FasterXML Vulnerability
    High       CVSS 7.5    CVE-2022-42004   BSERV-18833

  FasterXML Vulnerability
    High       CVSS 7.5    CVE-2022-42003   BSERV-18832

  jackson-databind Vulnerability
    High       CVSS 7.5    CVE-2021-46877   BSERV-18831

  jackson-databind Vulnerability
    High       CVSS 7.5    CVE-2020-36518   BSERV-18830

  com.google.code.gson Vulnerability
    High       CVSS 7.5    CVE-2022-25647   BSERV-18793

  Jettison Vulnerability
    High       CVSS 7.5    CVE-2022-45685   BSERV-18790

  hutool-json Vulnerability
    High       CVSS 7.5    CVE-2022-45688   BSERV-18789

Bamboo Data Center and Server
(affected: all versions including and after 9.1.0 unless stated;
public date Oct 17, 2023)

  Woodstox Vulnerability
    High       CVSS 7.5    CVE-2022-40152   BAM-25155

  FasterXML Vulnerability
    High       CVSS 7.5    CVE-2022-42004   BAM-25154

  FasterXML Vulnerability
    High       CVSS 7.5    CVE-2022-42003   BAM-25153

  jackson-databind Vulnerability
    High       CVSS 7.5    CVE-2021-46877   BAM-25152

  jackson-databind Vulnerability
    High       CVSS 7.5    CVE-2020-36518   BAM-25151

  org.apache.tomcat:tomcat-catalina Vulnerability
    Affected: all versions including and after 9.2.2
    High       CVSS 7.5    CVE-2023-28709   BAM-22601


What you need to do

To fix all the vulnerabilities in this bulletin, Atlassian recommends
upgrading your instances to the latest version. If you are unable to
do so, upgrade to the minimum fix version for your release branch in
the table below.


Product / Fix recommendation

  Confluence Server and Data Center
    Upgrade to a minimum fix version of 8.3.3, 8.4.3, 8.5.2 or
    latest

  Jira Service Management Data Center and Server
    Upgrade to a minimum fix version of 4.20.27, 5.4.11 or latest

  Bitbucket Data Center and Server
    Upgrade to a minimum fix version of 7.21.16, 8.9.4, 8.10.4,
    8.11.3, 8.12.1, 8.13.1 or latest

  Bamboo Data Center and Server
    Upgrade to a minimum fix version of 9.2.5, 9.3.1, 9.3.3 or
    latest

  Sourcetree for Windows
    Upgrade to a minimum fix version of 3.4.15 or latest

  Sourcetree for Mac
    Upgrade to a minimum fix version of 4.2.5 or latest
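The fix versions above are given per release branch (major.minor), so
"prior to 8.3.3, 8.4.3, 8.5.2" means that an instance on 8.4.x must be
at 8.4.3 or later, and one on 8.2.x must move up to at least 8.3.3.
Applying that rule to an inventory is the check an administrator runs
before deciding what to upgrade. The script below is an added example
written for this note; it is not code from Atlassian or CERT-Renater.
The fix versions and the "including and after" lower bounds are copied
from the bulletin; the product keys, hostnames and inventory entries
are made up for illustration, and the rule that a release branch newer
than every fixed branch already carries the fixes is an assumption.

```python
"""Branch-aware check of installed Atlassian versions against the
October 2023 bulletin.  Added example, not Atlassian's own code."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Minimum fix versions per product, copied from "What you need to do".
# Product keys are made up for this example.
MIN_FIX_VERSIONS = {
    "confluence":              ("8.3.3", "8.4.3", "8.5.2"),
    "jira-service-management": ("4.20.27", "5.4.11"),
    "bitbucket":               ("7.21.16", "8.9.4", "8.10.4",
                                "8.11.3", "8.12.1", "8.13.1"),
    "bamboo":                  ("9.2.5", "9.3.1", "9.3.3"),
    "sourcetree-windows":      ("3.4.15",),
    "sourcetree-mac":          ("4.2.5",),
}

# Lowest version the vulnerability table names as affected, per product
# (minimum across its entries).  Older releases are outside the scope
# of this bulletin, which is not the same as being safe.
AFFECTED_FROM = {
    "confluence": "8.0.0",
    "jira-service-management": "4.20.0",
    "bitbucket": "7.17.0",
    "bamboo": "9.1.0",
    "sourcetree-windows": "3.4.0",
    "sourcetree-mac": "4.1.0",
}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable tuple.
    A trailing build tag or suffix is ignored; only the numeric
    release is compared."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-_+].*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


class Finding(NamedTuple):
    host: str
    product: str
    installed: str
    status: str                 # "affected", "fixed" or "out_of_scope"
    upgrade_to: Optional[str]   # minimum version to move to, if affected


def assess(product: str, installed: str) -> Tuple[str, Optional[str]]:
    """Decide whether one installed version is below the fix line.

    Rule applied (assumption stated in the lead-in):
      * on a branch that has fix versions, the instance must be at or
        above the highest of them, since the bulletin covers several
        CVEs and the highest fix on a branch covers all of them;
      * on a branch without a fix version, the instance is affected if
        a newer fixed branch exists, and should move to the lowest such
        branch; a branch newer than every fixed branch is assumed to
        have shipped with the fixes.
    """
    v = parse_version(installed)
    if v < parse_version(AFFECTED_FROM[product]):
        return "out_of_scope", None
    fixes = sorted(parse_version(f) for f in MIN_FIX_VERSIONS[product])
    branch = v[:2]
    on_branch = [f for f in fixes if f[:2] == branch]
    if on_branch:
        target = max(on_branch)
        if v >= target:
            return "fixed", None
        return "affected", format_version(target)
    newer = [f for f in fixes if f[:2] > branch]
    if not newer:
        return "fixed", None
    return "affected", format_version(newer[0])


def scan_inventory(inventory: List[Tuple[str, str, str]]) -> List[Finding]:
    """Run assess() over (host, product, version) triples."""
    return [Finding(h, p, ver, *assess(p, ver)) for h, p, ver in inventory]


# Constructed inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("wiki.example.org",   "confluence",              "8.4.1"),
    ("wiki2.example.org",  "confluence",              "8.5.2"),
    ("wiki3.example.org",  "confluence",              "7.19.14"),
    ("git.example.org",    "bitbucket",               "8.8.3"),
    ("build.example.org",  "bamboo",                  "9.3.2"),
    ("build2.example.org", "bamboo",                  "9.4.0"),
    ("desk.example.org",   "jira-service-management", "5.4.11"),
]

if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        line = f"{f.host:<20} {f.product:<24} {f.installed:<8} {f.status}"
        if f.upgrade_to:
            line += f"  -> upgrade to {f.upgrade_to} or later"
        print(line)
```

Note the two cases the rule has to get right: Bamboo lists two fix
versions on the 9.3 branch (9.3.1 and 9.3.3), so a 9.3.2 instance is
still reported as affected; and an instance below the bulletin's lower
bound (Confluence 7.19.x here) is reported as out of scope rather than
as fixed, so that end-of-life releases are not mistaken for patched
ones.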

To search for CVEs or to check your products' versions for disclosed
vulnerabilities, consult the Vulnerability Disclosure Portal.

Last modified on Oct 20, 2023

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
