Atlassian Bug needs Patch ASAP!

Written By Peter Vogel

Darkreading.com reported that “Rated at a CVSS score of 10, the bug is as bad as it gets, allowing remote cyberattackers unfettered access to corporate environments… A max-critical unauthenticated remote code execution (RCE) vulnerability is impacting Atlassian Confluence Data Center and Confluence Server, in all versions released before Dec. 5. Unpatched organizations should prepare to defend against everything from ransomware campaigns to cyber-espionage attempts.”  The January 16, 2024 entitled “Patch ASAP: Max-Critical Atlassian Bug Allows Unauthenticated RCE” (https://www.darkreading.com/application-security/patch-max-critical-atlassian-bug-unauthenticated-rce) included these comments:

 The bug (CVE-2023-22527), which carries a 10 out of 10 vulnerability-severity rating on the CVSS v3 scale, is a template injection vulnerability that paves the way for unauthenticated attackers to achieve RCE on versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3.

Any organization that has upgraded to Confluence versions released in the company's December update are in the clear, though the bug was disclosed just today, along with several less-severe vulnerabilities that are newly patched in a fresh security bulletin.

Atlassian noted that end-of-life instances (version 8.4.5 and before) are also affected and will not receive patches.

What do you think?

Peter Vogel
Previous

Antitrust Regulators may learn Microsoft’s ties with OpenAI.
Next

Anyone surprised the Senate is Outraged over the SEC X Account Hack based on lack of MFA?