Atlassian has released urgent patches for several of its products to fix remote code execution and denial-of-service vulnerabilities. Flaws in Atlassian products have been exploited by hackers before, including shortly after a patch was released or even before a fix was available.
In October, Atlassian released an emergency fix for a broken access control issue (CVE-2023-22515) affecting on-premises versions of Confluence Server and Confluence Data Center that allowed unauthenticated attackers to create administrator accounts. The vulnerability was already being exploited in the wild as a zero-day when the company released the patch.
In early November, attackers started exploiting another critical improper authorization vulnerability (CVE-2023-22518) in Confluence Data Center and Server only a few days after the patch was released. Older Confluence flaws that were exploited as zero-days or n-days by multiple groups of attackers include CVE-2022-26134, CVE-2021-26084, and CVE-2019-3396. Customers are therefore urged to apply the newly released December patches as soon as possible.
Confluence template injection and deserialization flaws
One of the critical vulnerabilities patched last week allows authenticated attackers, including those with only anonymous access, to inject unsafe code into pages on affected instances of Confluence Data Center and Confluence Server. Atlassian catalogs this flaw (CVE-2023-22522) as a template injection issue and warns that it can lead to remote code execution on the server.
The flaw affects all versions of Confluence Data Center and Server starting with 4.0.0 as well as standalone versions of Confluence Data Center 8.6.0 and 8.6.1. Many of the affected versions have reached end-of-life and are no longer supported. The company advises users of Confluence Server to upgrade to version 7.19.17 (LTS), 8.4.5 or 8.5.4 (LTS) and Confluence Data Center users to upgrade to version 8.6.2 or 8.7.1. The vulnerability has no other mitigations, but Atlassian advises customers to back up their instance and remove it from the internet if they can’t patch immediately.
Another critical vulnerability patched last week stems from a Java deserialization issue inherited from a third-party parsing library called SnakeYAML. This vulnerability is tracked as CVE-2022-1471 and was patched in SnakeYAML a year ago. Since then, three other flaws, two high severity and one critical, have been reported in SnakeYAML.
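The SnakeYAML issue behind CVE-2022-1471 is that the library's default loader resolves global (`!!`) tags to arbitrary Java classes and instantiates them, so untrusted YAML must be parsed with a constructor that refuses such tags. The following is an added example, not code from Atlassian or the SnakeYAML project; it assumes SnakeYAML 1.33 or 2.x on the classpath, and the `com.example.Placeholder` tag and the `SafeYamlLoading` class are constructed for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoading {
    // Constructed sample of untrusted input: a document carrying a global tag.
    // With the SnakeYAML 1.x default loader such a tag names a Java class to
    // instantiate; the class name here is a placeholder, not a real gadget.
    static final String UNTRUSTED = "!!com.example.Placeholder {name: test}";

    // Weak setting: the no-arg Yaml() constructor (SnakeYAML < 2.0) uses
    // Constructor, which honours arbitrary global tags. Never call this on
    // input an outside party controls.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Corrected setting: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars) and rejects every global tag with a
    // ConstructorException (a YAMLException subclass).
    static Object loadSafe(String doc) {
        LoaderOptions opts = new LoaderOptions();
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        // A plain document still loads into ordinary Java collections.
        Object plain = loadSafe("name: test\nretries: 3");
        System.out.println("plain document -> " + plain.getClass().getName());

        // The tagged document is refused before any class is instantiated.
        try {
            loadSafe(UNTRUSTED);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("global tag rejected: " + e.getMessage());
        }
    }
}
```

When auditing an application that embeds SnakeYAML, search for `new Yaml()` and `new Yaml(new Constructor(...))` on paths that read user-supplied data; those are the call sites the patched library versions protect by default and the older versions do not.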