{"id":4728,"date":"2024-01-08T15:54:49","date_gmt":"2024-01-08T15:54:49","guid":{"rendered":"https:\/\/gitprotect.io\/blog\/?p=4728"},"modified":"2024-08-08T12:19:04","modified_gmt":"2024-08-08T12:19:04","slug":"atlassian-security-incidents-2023-in-review","status":"publish","type":"post","link":"https:\/\/gitprotect.io\/blog\/atlassian-security-incidents-2023-in-review\/","title":{"rendered":"Atlassian security incidents: 2023 in Review"},"content":{"rendered":"\n

Welcome back to our second article in the series of DevOps-related incidents and failures. If you missed our previous review, don\u2019t hesitate and catch up with it: Infamous GitHub-related incidents and threats: 2023 in Review<\/a>.<\/p>\n\n\n\n\n\n\n\n

This time our focus moves to Atlassian-related incidents and \u201cfackups\u201d. As you may remember the year 2022 was rather rich for outages, security flaws, and vulnerabilities detected in Jira and Bitbucket<\/a>. However, what about 2023? Was it the same hard?<\/p>\n\n\n\n

Well, we don\u2019t want you to wait any longer, so let\u2019s get absorbed into the topic\u2026<\/p>\n\n\n\n

DECEMBER 2023<\/strong><\/p>\n\n\n\n

Atlassian Status info for Bitbucket:<\/strong><\/td>Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery<\/strong><\/td>Atlassian Status info for Confluence:<\/strong><\/td><\/tr>
3 incidents<\/td>6 incidents<\/td>4 incidents<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Atlassian addresses four critical flaws in its software to prevent remote code execution<\/h2>\n\n\n\n

After detecting four critical flaws<\/a>, which if successfully exploited, permitted threat actors to execute the code remotely, Atlassian had to take quick security measures and patch the vulnerabilities. All of the flaws got a CVSS score of 9 or higher and targeted different Atlassian tools. <\/p>\n\n\n\n

Thus, CVE-2023-22522, a template injection vulnerability found in the Confluence Data Center and Confluence Server, enabled code execution on the Confluence page by an authorized attacker, including the one with anonymous access. <\/p>\n\n\n\n

The second patched security flaw, aka CVE-2023-22523 with a CVSS score of 9.8, targeted Assets Discovery for Jira Service Management Cloud, Server, and Data Center. Hence, on machines running the Assets Discovery agent, the vulnerability permitted an attacker to carry out privileged remote code execution. The same result, the malicious actors could achieve with CVE-2023-22524, the CVSS score of which was 9.6. In this case, the hacker could execute the code by using WebSockets to bypass Atlassian Companion\u2019s blocklist and macOS Gatekeeper protections. <\/p>\n\n\n

\n
\"\"<\/a><\/figure><\/div>\n\n\n

The fourth was a deserialization vulnerability that the service provider had to address, the CVE-2022-1471 flaw in SnakeYAML library. It could lead to remote code execution in multiple Atlassian products and therefore, the CVSS score of the security flaw was as high as 9.8.<\/p>\n\n\n\n

The Hacker News<\/a><\/p>\n\n\n\n

NOVEMBER 2023<\/strong><\/p>\n\n\n\n

Atlassian Status info for Bitbucket:<\/strong><\/td>Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery<\/strong><\/td>Atlassian Status info for Confluence:<\/strong><\/td><\/tr>
4 incidents<\/td>8 incidents<\/td>6 incidents<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

OCTOBER 2023<\/strong><\/p>\n\n\n\n

Atlassian Status info for Bitbucket:<\/strong><\/td>Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery<\/strong><\/td>Atlassian Status info for Confluence:<\/strong><\/td><\/tr>
3 incidents<\/td>8 incidents<\/td>5 incidents<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Atlassian Releases security advisory for Confluence data center and server<\/h2>\n\n\n\n

On October 4th, Atlassian released an advisory and urged its Confluence users to upgrade their solution to the latest fixed version as soon as possible, isolating vulnerable Confluence apps from the public Internet. All those measures were to address a vulnerability flaw that was assessed by the service provider to have the highest severity level of 10. By exploiting CVE-2023-22515 an external attacker could create unauthorized Confluence accounts and, consequently, access Confluence instances. <\/p>\n\n\n\n

Moreover, in its advisory Atlassian <\/a>later updated: \u201cWe have evidence to suggest that a known nation-state actor is actively exploiting CVE-2023-22515 and continue to work closely with our partners and customers to investigate.<\/em>\u201d According to Microsoft, in its notice on X<\/a>, the company informed that the vuln had already been exploited by cybercriminals for a little less than a month – since 14th September 2023. The company called the hackers exploiting the issue Storm-0062, yet they noted that other companies track those threat actors as DarkShadow or OroOIxy. <\/p>\n\n\n\n

\n

Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.<\/p>— Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023<\/a><\/blockquote>