=====================================================================
CERT-Renater Note d'Information No. 2023/VULN536
_____________________________________________________________________

DATE : 13/12/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Bamboo Data Center and Server,
  Jira Service Management Data Center and Server, Crowd Data Center and
  Server, Confluence Data Center and Server, Bitbucket Data Center and
  Server.
=====================================================================

https://confluence.atlassian.com/security/security-bulletin-december-12-2023-1319249520.html
_____________________________________________________________________

Security Bulletin - December 12 2023

December 2023 Security Bulletin

The December 2023 Security Bulletin is part of Atlassian's new monthly disclosure of non-critical vulnerabilities. Its goal is to help customers take timely action to protect their instances, with increased transparency and regular, proactive updates. Vulnerabilities are identified through Atlassian's ongoing security assessments, which include the Bug Bounty program, penetration-testing processes and third-party library scans. Further information about Atlassian's Security Bulletins is available from the bulletin page linked above.

NOTE: The vulnerabilities included in monthly Security Bulletins present a lower impact than those published via Critical Security Advisories. Customers can expect to receive those high-priority patches outside of the monthly schedule as necessary.

The vulnerabilities reported in this security bulletin include 7 high-severity vulnerabilities, which have been fixed in new versions of the affected products released in the last month. All seven are denial-of-service issues in third-party libraries bundled with the products (nekohtml, tomcat-coyote, json-smart, okio and json-java); none is rated Critical.
December 2023 Released Security Vulnerabilities

All seven entries are DoS (Denial of Service) vulnerabilities with Severity High (CVSS score 7.5), made public on Dec 12, 2023.

1. net.sourceforge.nekohtml:nekohtml vulnerability in Jira Service Management Data Center and Server
   Affected versions: all versions including and after 4.20.0
   CVE ID: CVE-2022-28366 | More details: JSDSERVER-14921

2. net.sourceforge.nekohtml:nekohtml vulnerability in Jira Service Management Data Center and Server
   Affected versions: all versions including and after 4.20.0
   CVE ID: CVE-2022-29546 | More details: JSDSERVER-14873

3. net.sourceforge.nekohtml:nekohtml vulnerability in Jira Service Management Data Center and Server
   Affected versions: all versions including and after 4.20.0
   CVE ID: CVE-2022-24839 | More details: JSDSERVER-14872

4. org.apache.tomcat:tomcat-coyote vulnerability in Crowd Data Center and Server
   Affected versions: all versions up to 5.0.7; from 5.1.x to 5.1.5; and 5.2.0
   CVE ID: CVE-2023-44487 | More details: CWD-6184

5. net.minidev:json-smart vulnerability in Confluence Data Center and Server
   Affected versions: all versions up to 7.19.16; from 8.0.x to 8.3.3; from 8.4.x to 8.4.5; from 8.5.x to 8.5.4; from 8.6.x to 8.6.2; and 8.7.0
   CVE ID: CVE-2021-31684 | More details: CONFSERVER-93361

6. okio vulnerability in Bitbucket Data Center and Server
   Affected versions: from 7.17.x to 7.21.17; from 8.7.x to 8.9.6; from 8.10.x to 8.11.5; from 8.12.x to 8.12.3; from 8.13.x to 8.13.2; from 8.14.x to 8.14.1
   CVE ID: CVE-2023-3635 | More details: BSERV-19020

7. json-java vulnerability in Bamboo Data Center and Server
   Affected versions: from 8.1.x to 9.2.6; from 9.3.x to 9.3.4
   CVE ID: CVE-2023-5072 | More details: BAM-25498

What you need to do

To fix all the vulnerabilities in this bulletin, Atlassian recommends patching your instances to the latest version. If you are unable to do so, patch to the minimum fix version in the table below. Note that the Jira Service Management rows phrase their affected range as "all versions including and after 4.20.0"; the minimum fix versions in the table below (4.20.28, 5.4.12) mark where that range ends on each supported branch.
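The version check implied by the two tables, as an added example that is not Atlassian's or CERT-Renater's code: the affected-version phrases from the table above and the minimum fix versions from the table below are encoded for three products (Bitbucket, Crowd and Jira Service Management), parsed into version tuples and compared. The BULLETIN dictionary and the functions parse_version, parse_range and assess are this example's own names, and the rule that a version at or above its branch's minimum fix counts as patched is the example's reading of "minimum fix version", not wording from the bulletin.

```python
"""Check an installed Atlassian version against the affected-version phrases
from the table above and the minimum fix versions from the table below.
Added example, not Atlassian or CERT-Renater tooling; it encodes only the
Bitbucket, Crowd and Jira Service Management rows, copied as written."""
import re

# Assumed data structure (not from the bulletin): one entry per product,
# with the bulletin's range phrases kept verbatim so they can be audited.
BULLETIN = {
    "Bitbucket Data Center and Server": {
        "cves": ["CVE-2023-3635"],
        "affected": ["From 7.17.x to 7.21.17", "From 8.7.x to 8.9.6",
                     "From 8.10.x to 8.11.5", "From 8.12.x to 8.12.3",
                     "From 8.13.x to 8.13.2", "From 8.14.x to 8.14.1"],
        "fixed": ["7.21.18", "8.9.7", "8.11.6", "8.12.4", "8.13.3", "8.14.2"],
    },
    "Crowd Data Center and Server": {
        "cves": ["CVE-2023-44487"],
        "affected": ["All versions up to 5.0.7", "From 5.1.x to 5.1.5", "And 5.2.0"],
        "fixed": ["5.0.8", "5.1.6", "5.2.1"],
    },
    "Jira Service Management Data Center and Server": {
        "cves": ["CVE-2022-28366", "CVE-2022-29546", "CVE-2022-24839"],
        "affected": ["All versions including and after 4.20.0"],
        "fixed": ["4.20.28", "5.4.12"],
    },
}

INFINITY = (10**9, 0, 0)  # upper bound for open-ended ranges


def parse_version(text):
    """'8.11.5' -> (8, 11, 5); short forms are zero-padded so '8.4' == '8.4.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def parse_range(phrase):
    """Turn one bulletin phrase into an inclusive (low, high) pair of tuples."""
    p = phrase.strip()
    m = re.fullmatch(r"All versions including and after (\S+)", p)
    if m:
        return parse_version(m.group(1)), INFINITY
    m = re.fullmatch(r"All versions up to (\S+)", p)
    if m:
        return (0, 0, 0), parse_version(m.group(1))
    m = re.fullmatch(r"From (\d+)\.(\d+)\.x to (\S+)", p)
    if m:
        return (int(m.group(1)), int(m.group(2)), 0), parse_version(m.group(3))
    m = re.fullmatch(r"(?:And )?(\d+(?:\.\d+){1,2})", p)
    if m:
        v = parse_version(m.group(1))
        return v, v
    raise ValueError(f"unrecognised range phrase: {phrase!r}")


def assess(product, installed):
    """Return (status, recommended_version).

    status is 'patched', 'affected' or 'not listed'. A version at or above the
    minimum fix for its own major.minor branch is treated as patched even where
    the bulletin phrases the affected range open-endedly ('including and
    after'), because the fix table is the more specific statement.
    """
    entry = BULLETIN[product]
    v = parse_version(installed)
    fixes = sorted(parse_version(f) for f in entry["fixed"])
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if same_branch and v >= same_branch[0]:
        return "patched", None
    in_range = any(lo <= v <= hi for lo, hi in map(parse_range, entry["affected"]))
    if not in_range:
        return "not listed", None
    # Stay on the branch if the bulletin lists a fix for it; otherwise the next
    # listed fix version above the installed one (downgrades are never offered).
    target = same_branch[0] if same_branch else next((f for f in fixes if f > v), None)
    if target is None:
        return "affected", "latest (no listed fix version is above the installed one)"
    return "affected", ".".join(str(n) for n in target)


if __name__ == "__main__":
    for product, version in [("Bitbucket Data Center and Server", "8.10.3"),
                             ("Crowd Data Center and Server", "5.2.0"),
                             ("Jira Service Management Data Center and Server", "5.4.12")]:
        print(product, version, *assess(product, version))
```

Confluence is deliberately left out: its 8.4.x, 8.5.x and 8.6.x affected ranges, as listed, end at the very versions given as minimum fixes, which this rule would classify as patched; confirm the boundary in CONFSERVER-93361 before encoding that row. A version newer than every listed fix on an open-ended range (for example a Jira Service Management 5.5.x build) is reported as affected with no specific target, which is the signal to check the Vulnerability Disclosure Portal rather than assume it is safe.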
Product                                          Fix recommendation
Bamboo Data Center and Server                    Patch to a minimum fix version of 9.2.7, 9.3.5 or latest
Jira Service Management Data Center and Server   Patch to a minimum fix version of 4.20.28, 5.4.12 or latest. Upgrading Jira to a fixed version is also required.
Crowd Data Center and Server                     Patch to a minimum fix version of 5.0.8, 5.1.6, 5.2.1 or latest
Confluence Data Center and Server                Patch to a minimum fix version of 7.19.17, 8.3.4, 8.4.5, 8.5.4, 8.6.2, 8.7.1 or latest
Bitbucket Data Center and Server                 Patch to a minimum fix version of 7.21.18, 8.9.7, 8.11.6, 8.12.4, 8.13.3, 8.14.2 or latest

Note: for Confluence, the affected ranges listed above for the 8.4.x, 8.5.x and 8.6.x branches end at the same versions given here as minimum fixes (8.4.5, 8.5.4, 8.6.2). Confirm the exact boundary in CONFSERVER-93361 before treating an instance on one of those versions as patched.

To search for CVEs or check your product versions for disclosed vulnerabilities, use the Vulnerability Disclosure Portal.

Last modified on Dec 12, 2023

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================