Security Bulletin - December 12 2023
December 2023 Security Bulletin
The December 2023 Security Bulletin is part of Atlassian’s new monthly disclosure of non-critical vulnerabilities. Our goal is to support our customers in taking timely action to protect their instances with increased transparency and regular, proactive updates. Vulnerabilities are identified through Atlassian's ongoing security assessments, which include activities such as our Bug Bounty program, pen-testing processes, and third-party library scans. Read more about Atlassian's Security Bulletins here.
NOTE: The vulnerabilities included in monthly Security Bulletins present a lower impact than those published via Critical Security Advisories. Customers can expect to receive those high-priority patches outside of our monthly schedule as necessary.
You can continue to count on receiving Monthly Security Bulletins on the third Tuesday of the month, except for December, which we’ll publish on the second Tuesday. We’ve made the adjustment to accommodate the holiday season.
The vulnerabilities reported in this security bulletin include 7 high-severity vulnerabilities which have been fixed in new versions of our products, released in the last month.
December 2023 Released Security Vulnerabilities | ||||||
---|---|---|---|---|---|---|
Summary | Severity | CVSS Score | Affected Versions | CVE ID | More Details | Public Date |
DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | | | December 12, 2023 |
DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | | | December 12, 2023 |
DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | | | December 12, 2023 |
DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Vulnerability in Crowd Data Center and Server | High | 7.5 | All versions up to 5.0.7 | | | December 12, 2023 |
DoS (Denial of Service) net.minidev:json-smart Vulnerability in Confluence Data Center and Server | High | 7.5 | All versions up to 7.19.16 | | | December 12, 2023 |
DoS (Denial of Service) okio in Bitbucket Data Center and Server | High | 7.5 | From 7.17.x to 7.21.17 | | | December 12, 2023 |
DoS (Denial of Service) json-java in Bamboo Data Center and Server | High | 7.5 | From 8.1.x to 9.2.6 | | | December 12, 2023 |
What you need to do
To fix all the vulnerabilities in this bulletin, Atlassian recommends patching your instances to the latest version. If you're unable to do so, patch to the minimum fix version in the table below.
Product | Fix Recommendation |
---|---|
Bamboo Data Center and Server | Patch to a minimum fix version of 9.2.7, 9.3.5 or latest |
Jira Service Management Data Center and Server | Patch to a minimum fix version of 4.20.28, 5.4.12 or latest. You also need to upgrade Jira to a fix version. |
Crowd Data Center and Server | Patch to a minimum fix version of 5.0.8, 5.1.6, 5.2.1 or latest |
Confluence Data Center and Server | Patch to a minimum fix version of 7.19.17, 8.3.4, 8.4.5, 8.5.4, 8.6.2, 8.7.1 or latest |
Bitbucket Data Center and Server | Patch to a minimum fix version of 7.21.18, 8.9.7, 8.11.6, 8.12.4, 8.13.3, 8.14.2 or latest |
To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.
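The following script is an added example, not Atlassian's own tooling: it checks an installed version against the minimum fix versions in the fix table above and reports whether to patch within the same release line or move to a listed line. The function names, the short product keys and the sample inventory are constructed for illustration, and it assumes that release lines newer than the last listed one fall under "or latest".

```python
# Added example: check installed versions against the bulletin's minimum fix versions.
MIN_FIX = {  # values copied from the fix table in this bulletin
    "Bamboo": ["9.2.7", "9.3.5"],
    "Jira Service Management": ["4.20.28", "5.4.12"],
    "Crowd": ["5.0.8", "5.1.6", "5.2.1"],
    "Confluence": ["7.19.17", "8.3.4", "8.4.5", "8.5.4", "8.6.2", "8.7.1"],
    "Bitbucket": ["7.21.18", "8.9.7", "8.11.6", "8.12.4", "8.13.3", "8.14.2"],
}

def parse(version):
    """'8.5' -> (8, 5, 0). Raises ValueError on anything but dotted numbers."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product, installed):
    """Return (status, target): 'ok', 'patch' (same release line) or 'upgrade'."""
    fixes = sorted(parse(f) for f in MIN_FIX[product])
    v = parse(installed)
    for fix in fixes:
        if fix[:2] == v[:2]:  # a fix exists on the installed release line
            if v >= fix:
                return ("ok", None)
            return ("patch", ".".join(map(str, fix)))
    if v[:2] > fixes[-1][:2]:
        # Assumption: lines newer than the last listed one count as "or latest".
        return ("ok", None)
    # No fix on this line: the nearest listed line above it is the target.
    target = next(f for f in fixes if f[:2] > v[:2])
    return ("upgrade", ".".join(map(str, target)))

if __name__ == "__main__":
    inventory = [  # constructed sample inventory, not real hosts
        ("Confluence", "8.5.3"), ("Confluence", "8.0.2"),
        ("Crowd", "5.0.7"), ("Bitbucket", "8.15.0"),
    ]
    for product, version in inventory:
        status, target = assess(product, version)
        print(f"{product} {version}: {status}" + (f" -> {target}" if target else ""))
```

For Jira Service Management, the table also requires upgrading Jira itself to a fix version, which this check does not cover.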