Serious vulnerabilities in Atlassian products including Confluence, Jira and Bitbucket

This Alert is relevant to Australians who use Atlassian products including Confluence, Jira and Bitbucket.

Background / What has happened?

Atlassian have released patches for security vulnerabilities in certain products including many versions of Confluence, Jira and Bitbucket.

Three of these vulnerabilities are critical and of concern (CVE-2023-22522, CVE-2023-22523 and CVE-2022-1471)

The Australian Signal Directorate’s Australian Cyber Security Centre (ASD’s ACSC) notes that previous critical vulnerabilities in Confluence and Jira have had significant exploitation by malicious cyber actors.

Patch differential analysis, a technique frequently used by malicious cyber actors to reverse engineer patched vulnerabilities, will likely be performed against Atlassian’s patches. An exploitation campaign targeting these vulnerabilities is more likely than not.

Operators should act now to secure their systems before an exploitation campaign begins.

Atlassian Cloud operated sites are not affected.

Another critical vulnerability also has been fixed in the MacOS Atlassian Companion Application (CVE-2023-22524). This vulnerability requires user interaction, but is still critical and operators are advised to patch.

Additional Information can be found in the following vendor advisories:

Mitigation / How do I stay secure?

  • If you operate Confluence, Jira or Bitbucket, particularly in internet facing configurations, review the vendor advisories to determine if you are affected
  • If you are affected carefully apply all vendor recommended mitigations.
  • Reassess whether your system needs to be internet facing and filter from the internet if possible.