======================================================================

                             CERT-Renater

                   Note d'Information No. 2024/VULN271
_____________________________________________________________________

DATE                : 31/05/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Confluence Data Center versions
                     prior to 8.9.1, 8.5.9 LTS, 7.19.22 LTS, and
                     Confluence Server versions prior to 8.5.9 LTS,
                     7.19.22 LTS.

=====================================================================
https://jira.atlassian.com/browse/CONFSERVER-95832
https://jira.atlassian.com/browse/CONFSERVER-95834
https://jira.atlassian.com/browse/CONFSERVER-95839
_____________________________________________________________________

RCE (Remote Code Execution) in Confluence Data Center and Server
Published

Details

     Type:
     Public Security Vulnerability
     Resolution:
     Fixed
     Priority:
     High
     Fix Version/s:
     8.9.1, 8.5.9, 7.19.22
     Affects Version/s:
     5.2, 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0,
       8.6.0, 8.8.0, 8.7.1, 8.9.0
     Component/s:
     None
     Labels:
         fixed-versions-published
     CVSS Score:
     8.3
     CVSS Severity:
     High
     CVE ID:
     CVE-2024-21683
     Vulnerability Source:
     Atlassian (Internal)
     Vulnerability Classes:
     RCE (Remote Code Execution)
     Affected Product(s):
     Confluence Data Center


Description

This High severity RCE (Remote Code Execution) vulnerability was
introduced in version 5.2 of Confluence Data Center and Server.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of
8.3, allows an authenticated attacker to execute arbitrary code which
has high impact to confidentiality, high impact to integrity, high
impact to availability, and requires no user interaction.

  Data Center

Atlassian recommends that Confluence Data Center customers upgrade to
the latest version. If you are unable to do so, upgrade your instance
to one of the specified supported fixed versions:


Affected versions            Fixed versions
8.9.0                        8.9.1
from 8.8.0 to 8.8.1          8.9.1
from 8.7.0 to 8.7.2          8.9.1
from 8.6.0 to 8.6.2          8.9.1
from 8.5.0 to 8.5.8 LTS      8.9.1 or 8.5.9 LTS recommended
from 8.4.0 to 8.4.5          8.9.1 or 8.5.9 LTS recommended
from 8.3.0 to 8.3.4          8.9.1 or 8.5.9 LTS recommended
from 8.2.0 to 8.2.3          8.9.1 or 8.5.9 LTS recommended
from 8.1.0 to 8.1.4          8.9.1 or 8.5.9 LTS recommended
from 8.0.0 to 8.0.4          8.9.1 or 8.5.9 LTS recommended
from 7.20.0 to 7.20.3        8.9.1 or 8.5.9 LTS recommended
from 7.19.0 to 7.19.21 LTS   8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS
from 7.18.0 to 7.18.3        8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS
from 7.17.0 to 7.17.5        8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS
Any earlier versions         8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS

  Server

Atlassian recommends that Confluence Server customers upgrade to the
latest version. If you are unable to do so, upgrade your instance to
one of the specified supported fixed versions:


Affected versions            Fixed versions
from 8.5.0 to 8.5.8 LTS      8.5.9 LTS recommended
from 8.4.0 to 8.4.5          8.5.9 LTS recommended
from 8.3.0 to 8.3.4          8.5.9 LTS recommended
from 8.2.0 to 8.2.3          8.5.9 LTS recommended
from 8.1.0 to 8.1.4          8.5.9 LTS recommended
from 8.0.0 to 8.0.4          8.5.9 LTS recommended
from 7.20.0 to 7.20.3        8.5.9 LTS recommended
from 7.19.0 to 7.19.21 LTS   8.5.9 LTS recommended or 7.19.22 LTS
from 7.18.0 to 7.18.3        8.5.9 LTS recommended or 7.19.22 LTS
from 7.17.0 to 7.17.5        8.5.9 LTS recommended or 7.19.22 LTS
Any earlier versions         8.5.9 LTS recommended or 7.19.22 LTS


See the release notes
(https://confluence.atlassian.com/doc/confluence-release-notes-327.html).
You can download the latest version of Confluence Data Center from
the download center
(https://www.atlassian.com/software/confluence/download-archives).

This vulnerability was found internally.

_____________________________________________________________________

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency
in Confluence Data Center and Server
Published

Details

     Type:
     Public Security Vulnerability
     Resolution:
     Fixed
     Priority:
     High
     Fix Version/s:
     8.9.1, 8.5.9, 7.19.22
     Affects Version/s:
     2.6.0, 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0,
      8.6.0, 8.8.0, 8.7.1, 8.9.0
     Component/s:
     None
     Labels:
         fixed-versions-published
     CVSS Score:
     7.5
     CVSS Severity:
     High
     CVE ID:
     CVE-2024-24549
     Vulnerability Source:
     Atlassian (Internal)
     CVSSv3 Vector:
     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
     Vulnerability Classes:
     DoS (Denial of Service)
     Affected Product(s):
     Confluence Data Center

Description

This High severity org.apache.tomcat:tomcat-coyote Dependency
vulnerability was introduced in version 2.6.0 of Confluence
Data Center and Server.

This org.apache.tomcat:tomcat-coyote Dependency vulnerability, with
a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an unauthenticated
attacker to expose assets in your environment to exploitation. It has
no impact to confidentiality, no impact to integrity, high impact to
availability, and requires no user interaction.

  Data Center

Atlassian recommends that Confluence Data Center customers upgrade to
the latest version. If you are unable to do so, upgrade your instance
to one of the specified supported fixed versions:


Affected versions            Fixed versions
8.9.0                        8.9.1
from 8.8.0 to 8.8.1          8.9.1
from 8.7.0 to 8.7.2          8.9.1
from 8.6.0 to 8.6.2          8.9.1
from 8.5.0 to 8.5.8 LTS      8.9.1 or 8.5.9 LTS recommended
from 8.4.0 to 8.4.5          8.9.1 or 8.5.9 LTS recommended
from 8.3.0 to 8.3.4          8.9.1 or 8.5.9 LTS recommended
from 8.2.0 to 8.2.3          8.9.1 or 8.5.9 LTS recommended
from 8.1.0 to 8.1.4          8.9.1 or 8.5.9 LTS recommended
from 8.0.0 to 8.0.4          8.9.1 or 8.5.9 LTS recommended
from 7.20.0 to 7.20.3        8.9.1 or 8.5.9 LTS recommended
from 7.19.0 to 7.19.21 LTS   8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS
from 7.18.0 to 7.18.3        8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS
from 7.17.0 to 7.17.5        8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS
Any earlier versions         8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS

  Server

Atlassian recommends that Confluence Server customers upgrade to the
latest version. If you are unable to do so, upgrade your instance to
one of the specified supported fixed versions:

Affected versions            Fixed versions
from 8.5.0 to 8.5.8 LTS      8.5.9 LTS recommended
from 8.4.0 to 8.4.5          8.5.9 LTS recommended
from 8.3.0 to 8.3.4          8.5.9 LTS recommended
from 8.2.0 to 8.2.3          8.5.9 LTS recommended
from 8.1.0 to 8.1.4          8.5.9 LTS recommended
from 8.0.0 to 8.0.4          8.5.9 LTS recommended
from 7.20.0 to 7.20.3        8.5.9 LTS recommended
from 7.19.0 to 7.19.21 LTS   8.5.9 LTS recommended or 7.19.22 LTS
from 7.18.0 to 7.18.3        8.5.9 LTS recommended or 7.19.22 LTS
from 7.17.0 to 7.17.5        8.5.9 LTS recommended or 7.19.22 LTS
Any earlier versions         8.5.9 LTS recommended or 7.19.22 LTS

See the release notes
(https://confluence.atlassian.com/doc/confluence-release-notes-327.html).
You can download the latest version of Confluence Data Center and
Server from the download center
(https://www.atlassian.com/software/confluence/download-archives).

This vulnerability was found internally.

_____________________________________________________________________

Improper Authorization com.hazelcast:hazelcast Dependency in
Confluence Data Center and Server
Published

Details

     Type:
     Public Security Vulnerability
     Resolution:
     Fixed
     Priority:
     High
     Fix Version/s:
     8.9.0, 8.5.9, 7.19.22
     Affects Version/s:
     5.5, 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0,
      8.6.0, 8.8.0, 8.7.1
     Component/s:
     None
     Labels:
         fixed-versions-published
     CVSS Score:
     7.6
     CVSS Severity:
     High
     CVE ID:
     CVE-2023-45859
     Vulnerability Source:
     Atlassian (Internal)
     CVSSv3 Vector:
     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
     Vulnerability Classes:
     Improper Authorization
     Affected Product(s):
     Confluence Data Center

Description

This High severity com.hazelcast:hazelcast Dependency vulnerability
was introduced in version 5.5 of Confluence Data Center and Server.

This com.hazelcast:hazelcast Dependency vulnerability, with a
CVSS Score of 7.6 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, allows an
unauthenticated attacker to expose assets in your environment to
exploitation. It has no impact to confidentiality, no impact to
integrity, high impact to availability, and requires no user
interaction. Note that this impact wording does not match the CVSS
vector quoted above, whose C:L/I:L/A:N components encode low impact
to confidentiality, low impact to integrity and no impact to
availability.

  Data Center

Atlassian recommends that Confluence Data Center customers upgrade
to the latest version. If you are unable to do so, upgrade your
instance to one of the specified supported fixed versions:

Affected versions            Fixed versions
8.9.0                        8.9.0
from 8.8.0 to 8.8.1          8.9.0
from 8.7.0 to 8.7.2          8.9.0
from 8.6.0 to 8.6.2          8.9.0
from 8.5.0 to 8.5.8 LTS      8.9.0 or 8.5.9 LTS recommended
from 8.4.0 to 8.4.5          8.9.0 or 8.5.9 LTS recommended
from 8.3.0 to 8.3.4          8.9.0 or 8.5.9 LTS recommended
from 8.2.0 to 8.2.3          8.9.0 or 8.5.9 LTS recommended
from 8.1.0 to 8.1.4          8.9.0 or 8.5.9 LTS recommended
from 8.0.0 to 8.0.4          8.9.0 or 8.5.9 LTS recommended
from 7.20.0 to 7.20.3        8.9.0 or 8.5.9 LTS recommended
from 7.19.0 to 7.19.21 LTS   8.9.0 or 8.5.9 LTS recommended or 7.19.22 LTS
from 7.18.0 to 7.18.3        8.9.0 or 8.5.9 LTS recommended or 7.19.22 LTS
from 7.17.0 to 7.17.5        8.9.0 or 8.5.9 LTS recommended or 7.19.22 LTS
Any earlier versions         8.9.0 or 8.5.9 LTS recommended or 7.19.22 LTS

  Server

Atlassian recommends that Confluence Server customers upgrade to the
latest version. If you are unable to do so, upgrade your instance to
one of the specified supported fixed versions:

Affected versions            Fixed versions
from 8.5.0 to 8.5.8 LTS      8.5.9 LTS recommended
from 8.4.0 to 8.4.5          8.5.9 LTS recommended
from 8.3.0 to 8.3.4          8.5.9 LTS recommended
from 8.2.0 to 8.2.3          8.5.9 LTS recommended
from 8.1.0 to 8.1.4          8.5.9 LTS recommended
from 8.0.0 to 8.0.4          8.5.9 LTS recommended
from 7.20.0 to 7.20.3        8.5.9 LTS recommended
from 7.19.0 to 7.19.21 LTS   8.5.9 LTS recommended or 7.19.22 LTS
from 7.18.0 to 7.18.3        8.5.9 LTS recommended or 7.19.22 LTS
from 7.17.0 to 7.17.5        8.5.9 LTS recommended or 7.19.22 LTS
Any earlier versions         8.5.9 LTS recommended or 7.19.22 LTS

See the release notes
(https://confluence.atlassian.com/doc/confluence-release-notes-327.html).
You can download the latest version of Confluence Data Center and
Server from the download center
(https://www.atlassian.com/software/confluence/download-archives).

This vulnerability was found internally.
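The Data Center and Server upgrade tables in the three advisories above all follow one rule: an instance is fixed once it is at or after the fixed release of its own major.minor branch (8.5.9 LTS, 7.19.22 LTS) or at or after the newest fixed release, and an affected instance may move to any fixed release newer than it. The following Python script, an added example that is not part of this CERT-Renater note or of Atlassian's tooling, encodes that rule to triage an inventory of Confluence instances; the hostnames and versions in the sample inventory are constructed.

```python
from typing import List, Tuple

# Fixed releases per edition for the RCE and tomcat-coyote advisories,
# copied from the tables above. For the Hazelcast advisory the Data Center
# entry is 8.9.0 instead of 8.9.1; pass that list to triage() instead.
DATA_CENTER_FIXED = ["8.9.1", "8.5.9 LTS", "7.19.22 LTS"]
SERVER_FIXED = ["8.5.9 LTS", "7.19.22 LTS"]


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.5.8 LTS' -> (8, 5, 8); the LTS suffix carries no ordering."""
    return tuple(int(p) for p in text.strip().split()[0].split("."))


def triage(installed: str, fixed: List[str]) -> Tuple[bool, List[str]]:
    """Return (affected, fixed releases the instance can upgrade to).
    Not affected when at/after the fixed release of its own major.minor
    branch, or at/after the newest fixed release of the edition.
    """
    v = parse_version(installed)
    parsed = [(parse_version(f), f) for f in fixed]
    for fv, _ in parsed:
        if v[:2] == fv[:2] and v >= fv:
            return False, []
    if v >= max(fv for fv, _ in parsed):
        return False, []
    # Affected: only fixed releases newer than the install are upgrades.
    return True, [label for fv, label in parsed if fv > v]


def affected_hosts(inventory):
    """inventory: [(host, 'Data Center'|'Server', version)] -> affected rows."""
    rows = []
    for host, edition, version in inventory:
        fixed = DATA_CENTER_FIXED if edition == "Data Center" else SERVER_FIXED
        hit, fixes = triage(version, fixed)
        if hit:
            rows.append((host, version, fixes))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [("wiki-a", "Data Center", "8.5.8 LTS"),
              ("wiki-b", "Server", "7.19.22 LTS"),
              ("wiki-c", "Data Center", "8.6.2")]
    for row in affected_hosts(sample):
        print(row)
```

Versions newer than anything in the table (for example 8.10.x) are reported as not affected, and an installed version is never offered a fixed release older than itself.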


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
