Atlassian security advisory reveals four fresh critical flaws – in mail with dead links

Atlassian has emailed its customers to warn of four critical vulnerabilities, but the message had flaws of its own – the links it contained weren't live for all readers at the time of despatch.

The email, seen by The Register, warns of flaws rated 9.0 or higher on the Common Vulnerability Scoring System (CVSS) scale and offers a link to an advisory.

But that link was to a page that did not describe the relevant flaws, instead detailing CVE-2023-22518, the 9.1-rated stinker revealed in late October and later upgraded to a perfect 10/10. Nor did links to the four CVEs the email mentions reach the correct page for around an hour – all produced a Page Not Found error and a suggestion that the page may have been renamed with another URL that does carry the correct information.

Atlassian told us "There was a small error where emails went out to some customers with broken links. As soon as we realized we put a workaround in place so customers were redirected to the appropriate pages. We apologize to our customers for any frustration caused with our mistake."

The URLs all include URLdefense.com – a service offered by Proofpoint. Maybe it was Proofpoint's problem.

While the links were dead, Atlassian did manage to publish info about the four fresh problems here.

The four flaws all allow remote code execution and impact the products listed below:

• CVE‑2022‑1471 – 9.8/10 – Automation for Jira app (including Server Lite edition), Bitbucket Data Center, Bitbucket Server, Confluence Data Center, Confluence Server, Confluence Cloud Migration App, Jira Core Data Center, Jira Core Server, Jira Service Management Data Center, Jira Service Management Server, Jira Software Data Center, Jira Software Server
• CVE‑2023‑22522 – 9.0/10 – Confluence Data Center and Server
• CVE‑2023‑22524 – 9.6/10 – Atlassian Companion App for MacOS, Jira Service Management Cloud, Data Center and Server
• CVE‑2023‑22523 – 9.8/10 – Assets Discovery app for Assets Discovery for Jira Service Management Cloud, Jira Service Management Server and Jira Service Management Data Center

The fix for all the flaws is the same: upgrade the product to a fixed version.

• Atlassian cranks up the threat meter to max for Confluence authorization flaw
• US cybercops urge admins to patch amid ongoing Confluence chaos
• How does Atlassian hope to actually improve Confluence and Jira? AI, of course!
• Atlassian predicts its on-prem products will grow faster than cloud

Atlassian's emailed advisory urges "you must take immediate action to protect your instance." The Register imagines that was a hard instruction to follow, given the dud links the email contained for some customers.

Atlassian's stated company values include "Don't #@!% the customer" and "Open company, no bullshit." ®