Atlassian and the Internet Systems Consortium (ISC) have revealed multiple security vulnerabilities affecting their products, potentially leading to denial-of-service (DoS) attacks and remote code execution.
The Australian software services provider has addressed four high-severity flaws in recent updates. These include:
- CVE-2022-25647 (CVSS score: 7.5) – A deserialization vulnerability in the Google Gson package affecting Patch Management in Jira Service Management Data Center and Server.
- CVE-2023-22512 (CVSS score: 7.5) – A DoS vulnerability in Confluence Data Center and Server.
- CVE-2023-22513 (CVSS score: 8.5) – A remote code execution vulnerability in Bitbucket Data Center and Server.
- CVE-2023-28709 (CVSS score: 7.5) – A DoS vulnerability in Apache Tomcat server affecting Bamboo Data Center and Server.
These vulnerabilities have been addressed in the following versions:
- Jira Service Management Server and Data Center (versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, 5.11.0, or later).
- Confluence Server and Data Center (versions 7.19.13, 7.19.14, 8.5.1, 8.6.0, or later).
- Bitbucket Server and Data Center (versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0, or later).
- Bamboo Server and Data Center (versions 9.2.4, 9.3.1, or later).
In a related update, ISC has released fixes for two high-severity vulnerabilities affecting the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite, potentially leading to DoS conditions:
- CVE-2023-3341 (CVSS score: 7.5) – A stack exhaustion vulnerability in control channel code that may cause named to terminate unexpectedly (fixed in versions 9.16.44, 9.18.19, 9.19.17, 9.16.44-S1, and 9.18.19-S1).
- CVE-2023-4236 (CVSS score: 7.5) – The named service may terminate unexpectedly under high DNS-over-TLS query load (fixed in versions 9.18.19 and 9.18.19-S1).
These patches come after ISC previously addressed three other vulnerabilities (CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911, CVSS scores: 7.5) that could result in a DoS condition, three months prior.