Security Bulletin - January 16, 2024
January 2024 Security Bulletin
The vulnerabilities reported in this security bulletin include 28 high-severity vulnerabilities which have been fixed in new versions of our products, as detailed below. These vulnerabilities are discovered via our Bug Bounty program and pen-testing processes, as well as third-party library scans.
NOTE: The vulnerabilities included in monthly Security Bulletins present a lower impact than those published via Critical Security Advisories. Customers can expect to receive those high-priority patches outside of our monthly schedule as necessary.
To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.
Released security vulnerabilities

Summary | Severity | CVSS Score | Affected Versions | CVE ID | Further Details | Published Date |
---|---|---|---|---|---|---|
Request Smuggling org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server | High | 7.5 | All versions including and after 9.4.0 | CVE-2022-42252 | JSWSERVER-25468 | January 16, 2024 |
XXE (XML External Entity Injection) jackson-databind Dependency in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2020-25649 | JSWSERVER-25461 | January 16, 2024 |
SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server | High | 7.1 | All versions including and after 4.20.0 | CVE-2022-44729 | JSDSERVER-14958 | January 16, 2024 |
Info Disclosure org.apache.santuario:xmlsec Dependency in Crowd Data Center and Server | High | 7.5 | All versions including and after 3.4.6 | CVE-2021-40690 | CWD-6190 | January 16, 2024 |
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server | High | 7.5 | All versions including and after 3.4.6 | CVE-2023-46589 | CWD-6191 | January 16, 2024 |
DoS (Denial of Service) com.squareup.okio:okio-jvm Dependency in Confluence Data Center and Server | High | 7.5 | All versions including and after 7.13.0 | CVE-2023-3635 | CONFSERVER-93623 | January 16, 2024 |
RCE (Remote Code Execution) in Confluence Data Center and Server | High | 7.2 | All versions including and after 7.13.0 | CVE-2023-22526 | CONFSERVER-93516 | January 16, 2024 |
RCE (Remote Code Execution) in Confluence Data Center and Server | High | 8.3 | All versions including and after 2.1 | | CONFSERVER-94064 | January 16, 2024 |
RCE (Remote Code Execution) in Confluence Data Center and Server | High | 8.0 | All versions including and after 1.0.0 | | CONFSERVER-94065 | January 16, 2024 |
RCE (Remote Code Execution) in Confluence Data Center and Server | High | 8.6 | All versions including and after 1.0.0 | | CONFSERVER-94066 | January 16, 2024 |
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-43642 | BSERV-19100 | January 16, 2024 |
DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-6481 | BSERV-19099 | January 16, 2024 |
DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-6378 | BSERV-19098 | January 16, 2024 |
Request Smuggling org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-46589 | BSERV-19097 | January 16, 2024 |
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-34455 | BSERV-19096 | January 16, 2024 |
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-34454 | BSERV-19095 | January 16, 2024 |
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-34453 | BSERV-19094 | January 16, 2024 |
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 8.9.0 | CVE-2023-36478 | BSERV-19044 | January 16, 2024 |
DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.17.0 | CVE-2023-5072 | BSERV-19037 | January 16, 2024 |
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2023-36478 | BAM-25623 | January 16, 2024 |
DoS (Denial of Service) org.apache.avro:avro Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2023-39410 | BAM-25622 | January 16, 2024 |
RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server | High | 8.8 | All versions including and after 9.2.1 | CVE-2020-26217 | BAM-25614 | January 16, 2024 |
DoS (Denial of Service) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2017-7957 | BAM-25613 | January 16, 2024 |
Info Disclosure org.codehaus.plexus:plexus-utils Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2022-4244 | BAM-25612 | January 16, 2024 |
RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and Server | High | 8.8 | All versions including and after 9.1.0 | CVE-2018-10054 | BAM-25609 | January 16, 2024 |
DoS (Denial of Service) org.json:json Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.3 | CVE-2023-5072 | BAM-25607 | January 16, 2024 |
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2023-46589 | BAM-25606 | January 16, 2024 |
DoS (Denial of Service) com.fasterxml.woodstox:woodstox-core Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2022-40152 | BAM-25640 | January 16, 2024 |
Required Actions
To fix all the vulnerabilities in this bulletin, Atlassian recommends patching your instances to the latest version. If you're unable to do so, patch to the minimum fix version in the table below.
Product | Recommended Fix |
---|---|
Bitbucket Data Center | Patch to a minimum fix version of 7.21.21, 8.9.9, 8.13.5, 8.14.4, 8.15.3, 8.16.2, 8.17.0 or latest |
Bitbucket Server | Patch to a minimum fix version of 7.21.21, 8.9.9, 8.13.5, 8.14.4 |
Bamboo Data Center and Server | Patch to a minimum fix version of 9.2.9, 9.3.6, 9.4.2 or latest |
Jira Data Center and Server | Patch to a minimum fix version of 9.4.13, 9.7.0 or latest |
Jira Service Management Data Center and Server | Patch to a minimum fix version of 4.20.30, 5.4.15, 5.12.2 or latest |
Crowd Data Center and Server | Patch to a minimum fix version of 5.2.2 or latest |
Confluence Data Center | Patch to a minimum fix version of 7.19.18, 8.5.5, 8.7.2 or latest |
Confluence Server | Patch to a minimum fix version of 7.19.18, 8.5.5 |
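As an added example that is not part of the Atlassian bulletin, the following script triages an inventory of installed versions against the minimum fix versions in the table above. It assumes (the page does not say this) that each listed fix version covers its own major.minor release branch, and that a version on a branch with no listed fix counts as fixed only when the row says "or latest" and the version is above the highest listed fix; the product names and sample inventory are constructed for the example.

```python
# Added example, not part of the Atlassian bulletin: triage installed versions
# against the minimum fix versions in the "Required Actions" table above.
# Assumption (not stated on the page): a fix version covers its own release
# branch (major.minor); a version on a branch with no listed fix counts as fixed
# only when the row says "or latest" and it is above the highest listed fix.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Transcribed from the table above: fix versions and whether "or latest" applies.
FIX_TABLE: Dict[str, Tuple[List[str], bool]] = {
    "Bitbucket Data Center": (["7.21.21", "8.9.9", "8.13.5", "8.14.4", "8.15.3", "8.16.2", "8.17.0"], True),
    "Bitbucket Server": (["7.21.21", "8.9.9", "8.13.5", "8.14.4"], False),
    "Bamboo Data Center and Server": (["9.2.9", "9.3.6", "9.4.2"], True),
    "Jira Data Center and Server": (["9.4.13", "9.7.0"], True),
    "Jira Service Management Data Center and Server": (["4.20.30", "5.4.15", "5.12.2"], True),
    "Crowd Data Center and Server": (["5.2.2"], True),
    "Confluence Data Center": (["7.19.18", "8.5.5", "8.7.2"], True),
    "Confluence Server": (["7.19.18", "8.5.5"], False),
}

def parse_version(text: str) -> Version:
    """Turn a dotted numeric version such as '8.13.5' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))

def is_fixed(product: str, installed: str) -> bool:
    """True when the installed version is at or above the bulletin's fix level."""
    fixes_text, or_latest = FIX_TABLE[product]
    installed_v = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixes_text)
    for fix in fixes:
        if fix[:2] == installed_v[:2]:  # same release branch: compare patch level
            return installed_v >= fix
    # No fix listed for this branch: only "or latest" rows cover newer branches.
    return or_latest and installed_v >= fixes[-1]

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (product, version) pair as 'fixed' or 'patch required'."""
    return [(p, v, "fixed" if is_fixed(p, v) else "patch required") for p, v in inventory]

# Constructed sample inventory (not real hosts) to exercise the branch logic.
SAMPLE_INVENTORY = [
    ("Bitbucket Data Center", "8.9.8"),        # one patch behind on the 8.9 branch
    ("Bitbucket Data Center", "8.18.1"),       # newer than any listed fix, "or latest" applies
    ("Jira Data Center and Server", "9.5.1"),  # branch with no fix version listed
    ("Confluence Server", "7.19.18"),          # exactly the minimum fix version
]

for product, version, status in triage(SAMPLE_INVENTORY):
    print(f"{product} {version}: {status}")
```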
To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.