Atlassian Releases Fixes for Over 2 Dozen Flaws, Including Critical Bamboo Bug
Summary:
Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could leave user environments susceptible to exploitation which could have a massive impact on confidentiality, integrity, and availability without needing any user interaction. This bug is being tracked as CVE-2024-1597, which has a CVSS severity score of 10.0, indicating that it is a critical org.postgresql:postgresql Dependency vulnerability. However, CVE-2024-1597 is unexploitable and has been assessed by Atlassian as a lower risk than the CVSS score reveals. This vulnerability is unexploitable because the conditions to exploit it do not coincide with the default settings in the PostgreSQL JDBC Driver. Attackers are only able to perform SQL Injection if customers are using the PreferQueryMode setting, “SIMPLE”. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. SonarSource security researcher Paul Gerste has been credited with discovering and reporting the flaw.
Analyst Comments:
Bamboo & Other Atlassian Data Center products are unaffected by this vulnerability as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings. Only the Bamboo Data Center and Server product is affected. Another vulnerability CVE-2024-21634, with a high severity score, was released by Atlassian, in the same bulletin, for Bamboo Data Center and Server. This DoS vulnerability could allow an attacker to craft Ion data that causes a “StackOverflowError” when run. As a workaround, do not load data originating from an untrusted source or that could have been tampered with. Users are secure from vulnerability CVE-2024-1597 if they are utilizing the default query mode, making this an Insider Threat scenario. By overriding this default, users put their instances at risk of high-impact exploitation via SQL Injection.
Suggested Corrections:
Atlassian advises that Bamboo Data Center and Server customers upgrade their software instance to the latest version, 9.6.0.
Affected Versions include:
9.5.0 to 9.5.1
9.4.0 to 9.4.3
9.3.0 to 9.3.6
9.2.0 to 9.2.11
9.1.0 to 9.1.3
9.0.0 to 9.0.4
8.2.0 to 8.2.9
Any version earlier than 8.2.0
Atlassian’s March 2024 Security Bulletin can be found here:
https://confluence.atlassian.com/security/security-bulletin-march-19-2024-1369444862.html
Link(s):
https://thehackernews.com/2024/03/atlassian-releases-fixes-for-over-2.html