The Hacker NewsTHN:AD68BC1A9DDE81C0E66BA93D01C2ECFBHigh-Severity Flaws Uncovered in Atlassian Products and ISC BIND Server
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.004 Low
EPSS
Percentile
70.7%
Atlassian and the Internet Systems Consortium (ISC) have disclosed several security flaws impacting their products that could be exploited to achieve denial-of-service (DoS) and remote code execution.
The Australian software services provider said that the four high-severity flaws were fixed in new versions shipped last month. This includes -
- CVE-2022-25647 (CVSS score: 7.5) - A deserialization flaw in the Google Gson package impacting Patch Management in Jira Service Management Data Center and Server
- CVE-2023-22512 (CVSS score: 7.5) - A DoS flaw in Confluence Data Center and Server
- CVE-2023-22513 (CVSS score: 8.5) - A RCE flaw in Bitbucket Data Center and Server
- CVE-2023-28709 (CVSS score: 7.5) - A DoS flaw in Apache Tomcat server impacting Bamboo Data Center and Server
The flaws have been addressed in the following versions -
- Jira Service Management Server and Data Center (versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, 5.11.0, or later)
- Confluence Server and Data Center (versions 7.19.13, 7.19.14, 8.5.1, 8.6.0, or later)
- Bitbucket Server and Data Center (versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0, or later)
- Bamboo Server and Data Center (versions 9.2.4, 9.3.1, or later)
Two High-Severity Flaws in BIND Fixed
In a related development, ISC has released fixes for two high-severity bugs affecting the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could pave the way for a DoS condition -
- CVE-2023-3341 (CVSS score: 7.5) - A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly (fixed in versions 9.16.44, 9.18.19, 9.19.17, 9.16.44-S1, and 9.18.19-S1)
- CVE-2023-4236 (CVSS score: 7.5) - The named service may terminate unexpectedly under high DNS-over-TLS query load (fixed in versions 9.18.19 and 9.18.19-S1)
The latest patches arrive three months after ISC rolled out fixes for three other flaws in the software (CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911, CVSS scores: 7.5) that could result in a DoS condition.
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.004 Low
EPSS
Percentile
70.7%