The Internet Systems Consortium (ISC) and Atlassian have recently announced the discovery of multiple security vulnerabilities in their respective products. These flaws have the potential to be exploited for denial-of-service (DoS) attacks and remote code execution. However, the companies have taken prompt action and have released patches to address these vulnerabilities.

Atlassian has fixed four high-severity flaws in its products; the fixes are included in the versions released last month. The vulnerabilities and the affected products are as follows:

· CVE-2022-25647 (CVSS score: 7.5): A deserialization flaw in the Google Gson package, affecting Patch Management in Jira Service Management Data Center and Server.

· CVE-2023-22512 (CVSS score: 7.5): A DoS vulnerability in Confluence Data Center and Server.

· CVE-2023-22513 (CVSS score: 8.5): A remote code execution flaw in Bitbucket Data Center and Server.

· CVE-2023-28709 (CVSS score: 7.5): A DoS vulnerability in the Apache Tomcat server, affecting Bamboo Data Center and Server.

To mitigate these vulnerabilities, users are advised to update their installations to the following versions:

· Jira Service Management Server and Data Center: versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, 5.11.0 or later.

· Bitbucket Server and Data Center: versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0 or later.

· Confluence Server and Data Center: versions 7.19.13, 7.19.14, 8.5.1, 8.6.0 or later.

· Bamboo Server and Data Center: versions 9.2.4, 9.3.1 or later.

In a related development, ISC has addressed two high-severity vulnerabilities in its Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite. Both could lead to a DoS condition. The vulnerabilities and the releases that fix them are as follows:

· CVE-2023-3341 (CVSS score: 7.5): A stack exhaustion issue in the control channel code that can cause the named service to terminate unexpectedly. Fixed in versions 9.16.44, 9.18.19, 9.19.17, 9.16.44-S1 and 9.18.19-S1.

· CVE-2023-4236 (CVSS score: 7.5): A flaw that can cause the named service to terminate unexpectedly under high DNS-over-TLS query load. Fixed in versions 9.18.19 and 9.18.19-S1.
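Turning the two fixed-version lists above into an inventory check is less obvious than a plain numeric comparison, because each list gives one fix release per feature branch: a build on an intermediate branch with no listed fix is not covered. The script below is an added example, not Atlassian's or ISC's own tooling; the product keys, hostnames and sample versions are assumptions constructed for illustration.

```python
"""Check installed product versions against the fix releases listed in the advisory above.

Added example, not Atlassian's or ISC's own tooling. A build counts as patched when it is at
or above the first fix release of its own feature branch (major.minor) or at or above the
newest fix release listed; a branch with no listed fix is reported unpatched (conservative),
so Jira 5.5.3, which lies between 4.20.25 and 5.9.2, is flagged.
"""
import re

# Fix releases per product, transcribed from the advisory. For BIND, "-S1" marks the
# Supported Preview Edition; an installed build is only compared against its own edition.
FIXED = {
    "jira-sm":    ["4.20.25", "5.4.9", "5.9.2", "5.10.1", "5.11.0"],
    "bitbucket":  ["8.9.5", "8.10.5", "8.11.4", "8.12.2", "8.13.1", "8.14.0"],
    "confluence": ["7.19.13", "7.19.14", "8.5.1", "8.6.0"],
    "bamboo":     ["9.2.4", "9.3.1"],
    "bind-cve-2023-3341": ["9.16.44", "9.18.19", "9.19.17", "9.16.44-S1", "9.18.19-S1"],
    "bind-cve-2023-4236": ["9.18.19", "9.18.19-S1"],
}

def parse(version):
    """'9.18.19-S1' -> ((9, 18, 19), 'S1'); numbers padded to three parts, suffix '' if none."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\S+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * (3 - len(nums)), (m.group(2) or "")

def is_patched(product, installed):
    """True when `installed` is at or above its branch's fix release or the newest fix release."""
    nums, edition = parse(installed)
    fixes = [n for n, e in map(parse, FIXED[product]) if e == edition]
    if not fixes:
        return False
    same_branch = [f for f in fixes if f[:2] == nums[:2]]
    if same_branch:
        return nums >= min(same_branch)   # first fixed build on this branch
    return nums >= max(fixes)             # newer than every listed fix release

def check_inventory(inventory):
    """[(host, product, version)] -> [(host, product, version, patched)]."""
    return [(h, p, v, is_patched(p, v)) for h, p, v in inventory]

if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = [("ci01", "bitbucket", "8.12.1"), ("wiki01", "confluence", "7.19.13"),
              ("jira01", "jira-sm", "5.5.3"), ("ns01", "bind-cve-2023-3341", "9.16.43-S1")]
    for host, product, version, ok in check_inventory(sample):
        print(f"{host:8} {product:20} {version:12} {'patched' if ok else 'UPDATE NEEDED'}")
```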
