Reference: Advisory #2023-147
Version: 1.0
Affected software: Multiple Atlassian product versions
Type: Deserialization flaw, Template injection, WebSockets vulnerability, Assets Discovery
CVE/CVSS:
CVE-2022-1471 (9.8 CRITICAL - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-22522 (9.0 CRITICAL - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2023-22524 (9.6 CRITICAL - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVE-2023-22523 (9.8 CRITICAL - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Atlassian
On 06/12/2023, Atlassian published security advisories for critical vulnerabilities in multiple versions of its software products that can lead to remote code execution (RCE) when exploited by a malicious actor.
A compromise could have a high impact on confidentiality, integrity and availability.
| Vulnerability | Affected products |
| --- | --- |
| CVE-2022-1471 is a deserialization flaw in the SnakeYAML library for Java. (Atlassian Cloud sites are not affected by this vulnerability according to Atlassian) | |
| CVE-2023-22522 is a Template Injection vulnerability in Confluence. It allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. (Atlassian Cloud sites are not affected by this vulnerability according to Atlassian) | |
| CVE-2023-22524 is a WebSockets vulnerability in the Atlassian Companion App. It allows an attacker to bypass Atlassian Companion's blocklist and macOS Gatekeeper. (Atlassian Confluence Data Center and Server, Cloud sites and the Atlassian Companion App for Windows are not impacted by this vulnerability) | |
| CVE-2023-22523 is a vulnerability in the communication between the Assets Discovery application and the Assets Discovery agent. | |
All vulnerabilities listed in this advisory are rated critical and can lead to remote code execution (RCE) on vulnerable systems when exploited.
Patches exist for all of them.
Except for CVE-2023-22524, for which the Atlassian Companion App should receive the fix automatically at runtime, administrators of affected systems are advised to upgrade to the fixed versions.
In the case of CVE-2023-22523, the Assets Discovery agent must be uninstalled first, the patch applied to the Assets Discovery application, and the agent then re-installed.
The Centre for Cyber Security Belgium strongly recommends checking whether every installed Atlassian product version appears in the fixed-version lists available on the Atlassian support site. Note that Atlassian publishes fixed releases per release line, so a version that is numerically higher than one fixed release is not necessarily fixed if it belongs to a different line.
Administrators are urged to take immediate action and upgrade to the latest software version where needed.
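The version check recommended above is easy to get wrong with a plain numeric comparison, because Atlassian lists the lowest fixed release on each release line (for example one 7.19.x and one 8.5.x release). The script below, an added example that is neither CCB nor Atlassian code, compares an installed version against such a list line by line. The product names, CVE-to-version table and host inventory in it are constructed placeholders, not Atlassian's actual fixed versions; substitute the lists from the Atlassian advisory before relying on the output.

```python
"""Compare installed Atlassian product versions with a per-line fixed-version list.

Added example; not code from the CCB advisory or from Atlassian. FIXED_VERSIONS
and INVENTORY are constructed placeholders: replace them with the fixed versions
published in the Atlassian security advisory and your own inventory before use.
"""
from __future__ import annotations

import re

Version = tuple[int, int, int]

# Constructed placeholder data (hypothetical), NOT Atlassian's actual fixed versions.
# Keyed by CVE, then by product, listing the lowest fixed release on each line.
FIXED_VERSIONS: dict[str, dict[str, list[str]]] = {
    "CVE-2023-22522": {"confluence-dc": ["7.19.9", "8.5.3", "8.7.0"]},
    "CVE-2022-1471": {"jira-dc": ["9.4.12", "9.11.0"]},
}

# Constructed inventory (hypothetical hosts): (host, product, installed version).
INVENTORY: list[tuple[str, str, str]] = [
    ("wiki-01", "confluence-dc", "8.5.4"),
    ("wiki-02", "confluence-dc", "8.3.2"),
    ("wiki-03", "confluence-dc", "8.8.0"),
    ("jira-01", "jira-dc", "9.4.11"),
]


def parse_version(text: str) -> Version:
    """Turn '8.5.4', 'v8.5' or '8.5.4-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def is_fixed(installed: str, fixed_list: list[str]) -> tuple[bool, str]:
    """Decide whether `installed` contains the fix, given the vendor's list of the
    lowest fixed release per release line (e.g. 7.19.x, 8.5.x).

    A flat numeric comparison is wrong here: 8.3.2 is numerically above 7.19.9 but
    still vulnerable if the 8.3.x line received no fix, so the check is done per line.
    """
    if not fixed_list:
        raise ValueError("fixed-version list is empty")
    inst = parse_version(installed)
    fixed = sorted(parse_version(f) for f in fixed_list)
    same_line = [f for f in fixed if f[:2] == inst[:2]]
    if same_line:
        floor = min(same_line)
        if inst >= floor:
            return True, f"{installed} is at or above fixed release {fmt(floor)}"
        return False, f"{installed} is below fixed release {fmt(floor)} on its line; patch"
    if inst > fixed[-1]:
        # Assumption: a release line newer than the newest fixed line was cut after the fix.
        return True, f"{installed} is newer than the newest listed fix {fmt(fixed[-1])}"
    lines = ", ".join(fmt(f) for f in fixed)
    return False, f"no fixed release on the {inst[0]}.{inst[1]}.x line; move to one of: {lines}"


def audit(inventory, table=FIXED_VERSIONS) -> list[tuple[str, str, str, bool, str]]:
    """Return (host, product, cve, fixed, reason) for every applicable CVE/product pair."""
    out = []
    for host, product, version in inventory:
        for cve, products in table.items():
            if product in products:
                ok, why = is_fixed(version, products[product])
                out.append((host, product, cve, ok, why))
    return out


if __name__ == "__main__":
    for host, product, cve, ok, why in audit(INVENTORY):
        print(f"{'OK ' if ok else 'ACT'} {host:8} {product:14} {cve}: {why}")
```

The per-line rule is the important part: an install on a line that has no fixed release at all (the `wiki-02` case above) cannot be patched in place and has to move to a line that does. The "newer than the newest listed line" branch is an assumption the script makes explicit; confirm it against the vendor advisory for the product in question.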
NIST