top of page

【Linktech 資安神隊友】Atlassian 攜手白客,共同發現並解決關鍵安全漏洞,提升 Atlassian 安全水平!

Updated: Jan 26

本月 Atlassian 公佈了多個關於 Atlassian 系列產品之相關漏洞,這些漏洞都是透過 Atlassian 的 Bug 賞金計劃和滲透測試流程以及第三方庫掃描發現的,這些漏洞的危害性都較低,但原廠基本還是建議保持環境版本最新狀態,避免不必要的意外發生。


相關的漏洞清單如下,如想了解細節可以點擊每個漏洞右方連結做確認。


Released Security Vulnerabilities
  • Public Date:Jan 16, 2024

CVE ID

Summary

Contents

More Details

Request Smuggling org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 9.4.0

XXE (XML External Entity Injection) jackson-databind Dependency in Jira Software Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 8.20.0

SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server

  • Severity:High

  • CVSS Score:7.1

  • Affected Versions:All versions including and after 4.20.0

Info Disclosure org.apache.santuario:xmlsec Dependency in Crowd Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 3.4.6

Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 3.4.6

DoS (Denial of Service) com.squareup.okio:okio-jvm Dependency in Confluence Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 7.13.0

RCE (Remote Code Execution) in Confluence Data Center and Server

  • Severity:High

  • CVSS Score:7.2

  • Affected Versions:All versions including and after 7.13.0

RCE (Remote Code Execution) in Confluence Data Center and Server

  • Severity:High

  • CVSS Score:8.3

  • Affected Versions:All versions including and after 2.0

RCE (Remote Code Execution) in Confluence Data Center and Server

  • Severity:High

  • CVSS Score:8.0

  • Affected Versions:All versions including and after 1.0.0

RCE (Remote Code Execution) in Confluence Data Center and Server

  • Severity:High

  • CVSS Score:8.6

  • Affected Versions:All versions including and after 1.0.0

DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 7.21.0

DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 7.21.0

DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 7.21.0

Request Smuggling org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 7.21.0

DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 7.21.0

DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 7.21.0

DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 7.21.0

DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 8.9.0

DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 7.17.0

DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bamboo Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 9.2.1

DoS (Denial of Service) org.apache.avro:avro Dependency in Bamboo Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 9.2.1

RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server

  • Severity:High

  • CVSS Score:8.8

  • Affected Versions:All versions including and after 9.2.1

DoS (Denial of Service) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 9.2.1

Info Disclosure org.codehaus.plexus:plexus-utils Dependency in Bamboo Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 9.2.1

RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and Server

  • Severity:High

  • CVSS Score:8.8

  • Affected Versions:All versions including and after 9.1.0

DoS (Denial of Service) org.json:json Dependency in Bamboo Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 9.2.3

Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 9.2.1

DoS (Denial of Service) com.fasterxml.woodstox:woodstox-core Dependency in Bamboo Data Center and Server

  • Severity:High

  • CVSS Score:7.5

  • Affected Versions:All versions including and after 9.2.1


Linktech 解決方案

Atlassian 地端系列產品基本上多多少少都有受到影響,如有使用列於下方的產品,建議貴司的環境儘速做升級動作,升級到下方指定版本:

Product

Fix Recommendation

Bitbucket Data Center

  • Patch to a minimum fix version of 7.21.21, 8.9.9, 8.13.5, 8.14.4, 8.15.3, 8.16.2, 8.17.0 or latest

Bitbucket Server

  • Patch to a minimum fix version of 7.21.21, 8.9.9, 8.13.5, 8.14.4

Bamboo Data Center and Server

  • Patch to a minimum fix version of 9.2.9, 9.3.6, 9.4.2 or latest

Jira Data Center and Server

  • Patch to a minimum fix version of 9.4.13, 9.7.0 or latest

Jira Service Management Data Center and Server

  • Patch to a minimum fix version of 4.20.30, 5.4.15, 5.12.2 or latest


再次提醒如貴司當前環境為漏洞影響之範圍內,最終應該都請盡速做主程式的升級,如有需要任何協助確認或者升級工程,請儘速與 Linktech 團隊做聯繫。

 

Linktech 深耕 Atlassian 系列解決方案,同時涵蓋資訊安全檢驗的部分,若有發現 Atlassian 系列產品環境存在潛在危機的客戶,歡迎隨時與我們聯繫,同時在軟體升級的部分,我們也會再進行升級前進行全系統的盤點與掃描,確保升級後功能可以正常使用,且資料不會流失。

 

資訊安全對於 IT 團隊來說責任是重中之重, 然而每個 IT 團隊要維護的系統非常繁雜,有 ERP、CRM、Issue Tracking … 等,有時要管理的系統太多,反而頭尾不能兼顧,如果您也遇到這樣的情況,請放心將您的系統委由 Linktech 協助維護,我們將會是您系統維運最佳神隊友。


Comments


bottom of page