High-Severity Flaws Uncovered in Atlassian Products and ISC BIND Server

7 months ago AndyC

Sep 22, 2023THNServer Security / Vulnerability

Atlassian and the Internet Systems Consortium (ISC) have disclosed several security flaws impacting their products that could be exploited to achieve denial-of-service (DoS) and remote code execution.

High-Severity Flaws Uncovered in Atlassian Products and ISC BIND Server

Sep 22, 2023THNServer Security / Vulnerability

High-Severity Flaws Uncovered in Atlassian Products and ISC BIND Server

Atlassian and the Internet Systems Consortium (ISC) have disclosed several security flaws impacting their products that could be exploited to achieve denial-of-service (DoS) and remote code execution.

The Australian software services provider said that the four high-severity flaws were fixed in new versions shipped last month. This includes –

  • CVE-2022-25647 (CVSS score: 7.5) – A deserialization flaw in the Google Gson package impacting Patch Management in Jira Service Management Data Center and Server
  • CVE-2023-22512 (CVSS score: 7.5) – A DoS flaw in Confluence Data Center and Server
  • CVE-2023-22513 (CVSS score: 8.5) – A RCE flaw in Bitbucket Data Center and Server
  • CVE-2023-28709 (CVSS score: 7.5) – A DoS flaw in Apache Tomcat server impacting Bamboo Data Center and Server

The flaws have been addressed in the following versions –

  • Jira Service Management Server and Data Center (versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, 5.11.0, or later)
  • Confluence Server and Data Center (versions 7.19.13, 7.19.14, 8.5.1, 8.6.0, or later)
  • Bitbucket Server and Data Center (versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0, or later)
  • Bamboo Server and Data Center (versions 9.2.4, 9.3.1, or later)

Two High-Severity Flaws in BIND Fixed

In a related development, ISC has released fixes for two high-severity bugs affecting the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could pave the way for a DoS condition –

  • CVE-2023-3341 (CVSS score: 7.5) – A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly (fixed in versions 9.16.44, 9.18.19, 9.19.17, 9.16.44-S1, and 9.18.19-S1)
  • CVE-2023-4236 (CVSS score: 7.5) – The named service may terminate unexpectedly under high DNS-over-TLS query load (fixed in versions 9.18.19 and 9.18.19-S1)

The latest patches arrive three months after ISC rolled out fixes for three other flaws in the software (CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911, CVSS scores: 7.5) that could result in a DoS condition.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

6 hours ago AndyC
Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

1 day ago AndyC
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

2 days ago AndyC
Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

2 days ago AndyC
10 Critical Endpoint Security Tips You Should Know

10 Critical Endpoint Security Tips You Should Know

2 days ago AndyC
New 'Brokewell' Android Malware Spread Through Fake Browser Updates

New ‘Brokewell’ Android Malware Spread Through Fake Browser Updates

2 days ago AndyC

You may have missed

US Homeland Security names AI safety, security advisory board

US Homeland Security names AI safety, security advisory board

3 hours ago AndyC
Apple renews talks with OpenAI

Apple renews talks with OpenAI

3 hours ago AndyC
<div>Norths Collective sets 2024 as its " title="
Norths Collective sets 2024 as its "year of AI"
" decoding="async" />

Norths Collective sets 2024 as its “year of AI”

3 hours ago AndyC
Leading infrastructure to accelerate electric power intelligence

Leading infrastructure to accelerate electric power intelligence

3 hours ago AndyC
AustralianSuper hunts for new CISO

AustralianSuper hunts for new CISO

6 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.