Remote code execution vulns hit Atlassian kit

Patch this! And this! And this! And this!

Software development software house Atlassian has patched critical vulnerabilities found in all versions of its Confluence, Bamboo, FishEye, and Crucible products.

The company sent an email to its customers alerting them to the flaws, which affect Confluence up to and including 5.6.5, Bamboo up to and including 5.7, and FishEye and Crucible up to and including 3.6.1.

Confluence is an enterprise wiki, Bamboo is a continuous integration server that runs software builds, FishEye indexes and browses multiple source code repositories, and Crucible is a code peer review platform.

The bug affecting all four products was an Object-Graph Navigation Language (OGNL) double evaluation vulnerability, described in each advisory as being of critical severity. OGNL is the expression language that WebWork and Struts use to bind request parameters and template values to Java objects; a double evaluation occurs when a string that was produced by evaluating one expression is itself evaluated as a second expression, so attacker-controlled data ends up being parsed and executed as code.

"Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework," the company said of each affected platform, noting attackers would need access to the respective web interface.
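To make the class of bug concrete, here is an added illustration of OGNL double evaluation in a simplified tag-attribute evaluator. It is not Atlassian's code and is not taken from the advisories; the class, the `%{...}` substitution helper, the `Form` bean and the constructed attacker input are all assumptions made for the example, and it assumes the `ognl` library is on the classpath. The injected expression is a benign method call standing in for the arbitrary Java code the advisories describe.

```java
// Added example, not Atlassian's code: a minimal "tag attribute" evaluator
// showing the OGNL double-evaluation pattern and the single-pass fix.
// Assumes the ognl:ognl library is on the classpath. All names are hypothetical.
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import ognl.Ognl;
import ognl.OgnlException;

public class DoubleEvalDemo {
    // Matches a %{...} OGNL expression embedded in attribute text.
    private static final Pattern EXPR = Pattern.compile("%\\{(.+?)\\}");

    // Stand-in for a form/action bean exposed to templates via OGNL.
    public static class Form {
        private String name;
        public String getName() { return name; }
        public void setName(String n) { name = n; }
    }

    // One pass: replace every %{...} in `text` with its OGNL result.
    static String translate(String text, Map<String, Object> ctx, Object root)
            throws OgnlException {
        Matcher m = EXPR.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            Object v = Ognl.getValue(m.group(1), ctx, root);
            m.appendReplacement(out, Matcher.quoteReplacement(String.valueOf(v)));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Vulnerable: the output of the first pass is fed through the evaluator
    // again, so data that the first pass pulled from the request becomes code.
    static String renderVulnerable(String attr, Map<String, Object> ctx, Object root)
            throws OgnlException {
        String once = translate(attr, ctx, root);
        return translate(once, ctx, root);
    }

    // Fixed: evaluate the template author's attribute exactly once; whatever the
    // expressions resolve to is treated as literal text, never re-parsed.
    static String renderFixed(String attr, Map<String, Object> ctx, Object root)
            throws OgnlException {
        return translate(attr, ctx, root);
    }

    public static void main(String[] args) throws OgnlException {
        Form form = new Form();
        // Constructed attacker input: a request parameter whose value is itself
        // an OGNL expression. A benign method call stands in for arbitrary code.
        form.setName("%{'abc'.length()}");
        Map<String, Object> ctx = Ognl.createDefaultContext(form);

        // Template attribute written by the developer, referencing the bean.
        String attr = "Hello, %{name}";

        // Vulnerable path: "Hello, 3" -- the attacker's expression was executed.
        System.out.println(renderVulnerable(attr, ctx, form));
        // Fixed path: "Hello, %{'abc'.length()}" -- the payload stays inert text.
        System.out.println(renderFixed(attr, ctx, form));
    }
}
```

The check a practitioner wants is whether any evaluation path re-parses a value that came from the request: in real WebWork/Struts deployments the second pass reaches static calls such as `@java.lang.Runtime@getRuntime()`, which is why the advisories rate this as remote code execution rather than a template bug.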

The vulnerabilities, discovered in-house, affected Atlassian's fork of WebWork used by Confluence, FishEye and Crucible, and its fork of an Apache Struts library used by Bamboo.

Atlassian advised customers to apply their own severity ratings to the bugs and to download the fixed versions linked from the respective advisories. A Perl script written by University of Technology Sydney programmer Stuart Ryan (@StuartCRyan) and released last year could help manage the Atlassian upgrades.

The fixes covered the last 12 months' worth of software version releases. ®
