CVE-2023-22523 - RCE Vulnerability in Assets Discovery
要約 | CVE-2023-22523 - RCE (Remote Code Execution) Vulnerability in Assets Discovery |
勧告のリリース日 | 2023 年 12 月 5 日 (火) 21:00 PST |
製品 | Assets Discovery for
|
CVE ID | |
関連する Jira チケット |
脆弱性の概要
This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. See “What You Need To Do” for detailed instructions.
Assets Discovery, which can be downloaded via Atlassian Marketplace, is a stand-alone network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and collects detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network.
Read more about Assets Discovery agents here: https://support.atlassian.com/ja/jira-service-management-cloud/docs/what-are-asset-discovery-agents/ https://support.atlassian.com/ja/jira-service-management-cloud/docs/install-asset-discovery-agents/
深刻度
Atlassian rates the severity level of this vulnerability as critical (9.8 with the following vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) per our internal assessment.
This is our assessment, and you should evaluate its applicability to your own IT environment.
影響を受けるバージョン
This vulnerability affects all versions prior to Assets Discovery 3.2.0-cloud / 6.2.0 data center and server. Atlassian recommends patching to the latest version.
製品 | コンポーネント | 影響を受けるバージョン |
|---|---|---|
Jira Service Management Cloud | Assets Discovery |
|
Jira Service Management Data Center および Server | Assets Discovery |
|
修正済みバージョン
There is no need to upgrade Jira Service Management product, only the Assets Discovery application and agents.
製品 | コンポーネント | 修正済みバージョン |
|---|---|---|
Jira Service Management Cloud | Assets Discovery |
|
Jira Service Management Data Center および Server | Assets Discovery |
|
必要なアクション
Uninstall Assets Discovery agents
Apply the Assets Discovery application patch
Reinstall Assets Discovery agents
Uninstalling the Assets Discovery agents is the most effective way to mitigate risk. Once the agent(s) are uninstalled, you can apply the latest fixed version of the Assets Discovery application and reinstall the Assets Discovery agents.
NOTE: Customers who do not currently use agents but may wish to in the future, must also apply the latest fixed version of the Assets Discovery application before installing agents.
What if I can’t immediately uninstall the agents?
We strongly recommend uninstalling the Assets Discovery agents as it is the most effective way to protect your data, and customers will need to follow all of the instructions above before using Assets Discovery agents again.
However, if you cannot immediately uninstall the Assets Discovery agents, customers may block the port used for communication with agents (the default port is 51337). This temporary mitigation is not a replacement for uninstalling the agents. Please see the FAQ for additional information.
よくある質問
詳細については、よくある質問 (FAQ) ページをご確認ください。
サポート
If you did not receive an email for this advisory, and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Tech Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/ja/ .
参考
弊社の新しいポリシーに従い、重要なセキュリティ バグの修正はバックポートされます。バイナリーパッチではなく、ポリシーの対象となるバージョンの新しいメンテナンス リリースをリリースします。バイナリー パッチのリリースは終了しています。 | |
アトラシアンのセキュリティ勧告には深刻度レベルと CVE ID が含まれます。深刻度レベルは、それぞれの脆弱性についてアトラシアンが独自に計算した CVSS スコアに基づきます。CVSS は業界標準の脆弱性メトリックです。CVSS の詳細は FIRST.org でご確認ください。 | |
サポート終了ポリシーは、製品によって異なります。詳細は、アトラシアンの「製品終了ポリシー」を参照してください。 |