本月 Atlassian 公佈了多個關於 Atlassian 系列產品之相關漏洞,這些漏洞都是透過 Atlassian 的 Bug 賞金計劃和滲透測試流程以及第三方庫掃描發現的,這些漏洞的危害性都較低,但原廠基本還是建議保持環境版本最新狀態,避免不必要的意外發生。
相關的漏洞清單如下,如想了解細節可以點擊每個漏洞右方連結做確認。
Released Security Vulnerabilities
Public Date:Jan 16, 2024
CVE ID | Summary | Contents | More Details |
Request Smuggling org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server |
| ||
XXE (XML External Entity Injection) jackson-databind Dependency in Jira Software Data Center and Server |
| ||
SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server |
| ||
Info Disclosure org.apache.santuario:xmlsec Dependency in Crowd Data Center and Server |
| ||
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server |
| ||
DoS (Denial of Service) com.squareup.okio:okio-jvm Dependency in Confluence Data Center and Server |
| ||
RCE (Remote Code Execution) in Confluence Data Center and Server |
| ||
RCE (Remote Code Execution) in Confluence Data Center and Server |
| ||
RCE (Remote Code Execution) in Confluence Data Center and Server |
| ||
RCE (Remote Code Execution) in Confluence Data Center and Server |
| ||
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server |
| ||
DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server |
| ||
DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server |
| ||
Request Smuggling org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server |
| ||
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server |
| ||
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server |
| ||
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server |
| ||
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server |
| ||
DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server |
| ||
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bamboo Data Center and Server |
| ||
DoS (Denial of Service) org.apache.avro:avro Dependency in Bamboo Data Center and Server |
| ||
RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server |
| ||
DoS (Denial of Service) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server |
| ||
Info Disclosure org.codehaus.plexus:plexus-utils Dependency in Bamboo Data Center and Server |
| ||
RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and Server |
| ||
DoS (Denial of Service) org.json:json Dependency in Bamboo Data Center and Server |
| ||
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and Server |
| ||
DoS (Denial of Service) com.fasterxml.woodstox:woodstox-core Dependency in Bamboo Data Center and Server |
|
Linktech 解決方案
Atlassian 地端系列產品基本上多多少少都有受到影響,如有使用列於下方的產品,建議貴司的環境儘速做升級動作,升級到下方指定版本:
Product | Fix Recommendation |
Bitbucket Data Center |
|
Bitbucket Server |
|
Bamboo Data Center and Server |
|
Jira Data Center and Server |
|
Jira Service Management Data Center and Server |
|
再次提醒如貴司當前環境為漏洞影響之範圍內,最終應該都請盡速做主程式的升級,如有需要任何協助確認或者升級工程,請儘速與 Linktech 團隊做聯繫。
Linktech 深耕 Atlassian 系列解決方案,同時涵蓋資訊安全檢驗的部分,若有發現 Atlassian 系列產品環境存在潛在危機的客戶,歡迎隨時與我們聯繫,同時在軟體升級的部分,我們也會再進行升級前進行全系統的盤點與掃描,確保升級後功能可以正常使用,且資料不會流失。
資訊安全對於 IT 團隊來說責任是重中之重, 然而每個 IT 團隊要維護的系統非常繁雜,有 ERP、CRM、Issue Tracking … 等,有時要管理的系統太多,反而頭尾不能兼顧,如果您也遇到這樣的情況,請放心將您的系統委由 Linktech 協助維護,我們將會是您系統維運最佳神隊友。