Skip links

Patch now: Critical VMware, Atlassian flaws found

VMware and Atlassian today disclosed critical vulnerabilities and, while neither appear to have been exploited by miscreants yet, admins should patch now to avoid disappointment.

First off, a pair of issues from Atlassian. Most serious is CVE-2023-22527, a template injection flaw that can allow unauthenticated remote code execution (RCE) attacks. It scored a perfect CVSS rating of 10 out of 10 and affects Confluence Data Center and Server 8 versions released before December 5, 2023 and 8.4.5, which no longer receives fixes. 

The solution: “immediately” patch each affected installation by updating to the latest available version, according to the vendor.

Atlassian also released fixes for a high-severity flaw was found in the FasterXML Jackson Databind code used in versions 8.20.0, 9.4.0, 9.5.0, and 9.6.0 of Jira Software Data Center and Server. The 7.5-rated bug, tracked as CVE-2020-25649, could allow XML external entity (XXE) attacks in which miscreants could mess with data integrity. 

So in addition to updating Confluence, it’s also a good idea to upgrade to the latest version of Jira Software Data Center and Server, the collaboration biz advises.

Moving on to the critical VMware bug, CVE-2023-34063. This one is a missing access control problem in all versions of Aria Automation earlier of 8.16. Be aware that this infrastructure automation product may be included in VMware Cloud Foundation.

The bug earned a 9.9 CVSS rating, and VMware warns that successful exploitation can allow unauthorized access to remote organizations and workflows. Luckily this one also has a fix, so upgrade to VMware Aria Automation 8.16, and then apply the patch.

As the virtualization giant notes: “The only supported upgrade path after applying the patch is to version 8.16. VMware strongly recommends this version. If you upgrade to an intermediate version, the vulnerability will be reintroduced, requiring an additional round of patching.”

VMware isn’t aware of any reports of exploitation “as of now.” But it’s safe to assume that would-be attackers are already scanning for vulnerable installations, so make sure to apply the fix before the software vendor is forced to update its advisory. ®