Critical Security Flaws in Atlassian and ISC BIND Products
High-severity security vulnerabilities (CVSS scores from 7.5 to 8.5) have been disclosed in software from Atlassian and the Internet Systems Consortium (ISC).
The flaws, disclosed by the vendors themselves, can be exploited for denial-of-service (DoS) attacks and, in one case, remote code execution.
Both Atlassian and ISC have addressed the issues in recent software releases.
Key Takeaways:
- Atlassian and ISC have revealed critical security flaws in their products that could lead to DoS and remote code execution.
- Atlassian has fixed four high-severity vulnerabilities affecting Jira Service Management, Confluence, Bitbucket, and Bamboo (the last via the bundled Apache Tomcat server).
- ISC has released patches for two high-severity bugs in the BIND 9 DNS software suite, mitigating the risk of DoS incidents.
Addressing High-Severity Flaws in Atlassian Products
Four High-Severity Vulnerabilities Patched
Atlassian, the Australian software services provider, has resolved four high-severity security flaws in its products. Depending on the product, the vulnerabilities could be exploited for denial-of-service (DoS) or remote code execution.
Atlassian shipped the fixes in new product versions released last month.
Specific Vulnerabilities and Impact
The identified vulnerabilities include:
- CVE-2022-25647 (CVSS score: 7.5) – A deserialization flaw in the third-party Google Gson library (a 2022 CVE inherited through a dependency), affecting Patch Management in Jira Service Management Data Center and Server.
- CVE-2023-22512 (CVSS score: 7.5) – A DoS vulnerability in Confluence Data Center and Server.
- CVE-2023-22513 (CVSS score: 8.5) – A remote code execution (RCE) vulnerability in Bitbucket Data Center and Server.
- CVE-2023-28709 (CVSS score: 7.5) – A DoS flaw in the Apache Tomcat server bundled with Bamboo Data Center and Server.
Versions with Fixes
To mitigate these high-severity vulnerabilities, Atlassian released updated versions of the affected products. Fixes are provided per release branch, so users are strongly advised to update to the fixed release on their branch (listed below) or to any later version:
- Jira Service Management Server and Data Center (versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, 5.11.0, or later)
- Confluence Server and Data Center (versions 7.19.13, 7.19.14, 8.5.1, 8.6.0, or later)
- Bitbucket Server and Data Center (versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0, or later)
- Bamboo Server and Data Center (versions 9.2.4, 9.3.1, or later)
Addressing High-Severity Flaws in ISC BIND Software
Two High-Severity Bugs Fixed
In a related development, the Internet Systems Consortium (ISC) has released critical bug fixes for the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite.
Both vulnerabilities are rated high severity (CVSS 7.5) and can be exploited to cause denial-of-service (DoS) conditions by crashing the named daemon. The fixes are available in updated versions of BIND.
Specific Vulnerabilities and Impact
The two high-severity vulnerabilities include:
- CVE-2023-3341 (CVSS score: 7.5) – A stack exhaustion flaw in the control channel code that can cause the named service to terminate unexpectedly. Exposure is bounded by which hosts can reach the control channel (TCP port 953 by default), so restricting it to localhost or trusted management hosts is the standard compensating control until the update is applied. The issue is fixed in versions 9.16.44, 9.18.19, 9.19.17, 9.16.44-S1, and 9.18.19-S1.
- CVE-2023-4236 (CVSS score: 7.5) – A flaw that can cause the named service to terminate unexpectedly under high DNS-over-TLS query load. Only the 9.18 branch is affected; fixes are available in versions 9.18.19 and 9.18.19-S1.
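Both vendors publish their fixes as a list of per-branch versions ("X, Y, Z or later"), and a version that is numerically higher than one fix can still sit on an unpatched branch (Jira 5.5.0 is above 5.4.9 but is not a fixed release). The following POSIX shell helper, added here as an example and not code from Atlassian, ISC or the original article, compares an installed version against such a list for either of the version tables above. It reports `fixed` when the version is at or past the fix on its own branch or newer than every listed fix, `unfixed` when it is on a listed branch but below the fix level, and `unknown` when the branch is absent from the list (for CVE-2023-4236, 9.16 is unknown rather than unfixed because that branch is not affected). BIND's `-S1` subscription suffix is ignored when comparing. The sample versions at the bottom are constructed inputs, not output from a real host.

```shell
#!/bin/sh
# is_fixed INSTALLED "FIX1 FIX2 ..." -> prints fixed | unfixed | unknown
# Suffixes after "-" (e.g. BIND's "-S1" subscription edition) are ignored.

# vercmp A B: prints -1, 0 or 1 comparing dotted numeric versions component by
# component; missing components are treated as 0 (5.11 == 5.11.0).
vercmp() {
    vc_a=${1%%-*}; vc_b=${2%%-*}
    while [ -n "$vc_a" ] || [ -n "$vc_b" ]; do
        vc_x=${vc_a%%.*}; vc_y=${vc_b%%.*}
        vc_x=${vc_x:-0};  vc_y=${vc_y:-0}
        if [ "$vc_x" -lt "$vc_y" ]; then printf '%s\n' -1; return; fi
        if [ "$vc_x" -gt "$vc_y" ]; then printf '%s\n' 1;  return; fi
        case $vc_a in *.*) vc_a=${vc_a#*.} ;; *) vc_a= ;; esac
        case $vc_b in *.*) vc_b=${vc_b#*.} ;; *) vc_b= ;; esac
    done
    printf '%s\n' 0
}

# branch V: the major.minor release branch of a version (9.18.19 -> 9.18).
branch() {
    br_v=${1%%-*}
    case $br_v in
        *.*.*) printf '%s\n' "${br_v%.*}" ;;
        *)     printf '%s\n' "$br_v" ;;
    esac
}

is_fixed() {
    if_inst=$1; if_fixes=$2
    if_branch=$(branch "$if_inst"); if_newest=
    for if_f in $if_fixes; do
        if [ "$(branch "$if_f")" = "$if_branch" ]; then
            # Same branch as a listed fix: compare patch levels directly.
            if [ "$(vercmp "$if_inst" "$if_f")" -ge 0 ]; then
                printf '%s\n' fixed
            else
                printf '%s\n' unfixed
            fi
            return
        fi
        # Track the newest listed fix for the "or later" rule below.
        if [ -z "$if_newest" ] || [ "$(vercmp "$if_f" "$if_newest")" -gt 0 ]; then
            if_newest=$if_f
        fi
    done
    # No listed fix on this branch: a release newer than every fix carries it;
    # anything else is a branch the advisory does not list (unaffected or
    # unsupported), so report unknown and consult the advisory.
    if [ "$(vercmp "$if_inst" "$if_newest")" -gt 0 ]; then
        printf '%s\n' fixed
    else
        printf '%s\n' unknown
    fi
}

# Demonstration with constructed version strings (not from a real host).
# On a real resolver the installed version comes from: named -v | awk '{print $2}'
BIND_CVE_2023_3341_FIXES='9.16.44 9.18.19 9.19.17'
JSM_FIXES='4.20.25 5.4.9 5.9.2 5.10.1 5.11.0'
for v in 9.18.18 9.18.19-S1 9.16.43 9.20.0; do
    printf 'BIND %-12s %s\n' "$v" "$(is_fixed "$v" "$BIND_CVE_2023_3341_FIXES")"
done
for v in 5.4.8 5.5.0 5.11.3; do
    printf 'JSM  %-12s %s\n' "$v" "$(is_fixed "$v" "$JSM_FIXES")"
done
```

The three-way result is deliberate: a version-only check cannot tell an unaffected branch from an unsupported one, so `unknown` is a prompt to read the advisory rather than a verdict.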
Continued Vigilance Against DoS Vulnerabilities
These patches come after ISC previously addressed three other DoS-related flaws in the software (CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911) three months ago, underlining the importance of ongoing vigilance in protecting against such vulnerabilities.
Conclusion
The swift response from both Atlassian and ISC in identifying and patching these high-severity security flaws underscores the significance of proactive cybersecurity measures. Users are strongly encouraged to apply the necessary updates to secure their systems against potential threats.
About Atlassian and ISC:
Atlassian is an Australian software services provider, known for its collaboration and productivity software. ISC, the Internet Systems Consortium, is an organization dedicated to the development and maintenance of open-source software related to the Internet’s infrastructure, including the BIND DNS software suite.