FAQ for CVE-2023-22523

Atlassian Knowledge Base


General Information

This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. 

This page contains answers to frequently asked questions about this vulnerability. The Atlassian Security Team will update this page whenever new information becomes available.

Am I impacted by this advisory?

All versions of the Assets Discovery app identified in the security advisory are affected by the vulnerability, and customers using Agents should take immediate action to protect their instances.

What needs to be done: If you’re using Atlassian Discovery Agents, you must first uninstall all Agents. Once the Agent(s) are uninstalled, you can apply the latest fixed version of the Assets Discovery application and reinstall the Assets Discovery Agents.

In addition to following the instructions to update your Agents, if you’ve made modifications to the pattern file, we recommend that you start fresh with the default pattern file, and apply any custom changes. You can reuse the configuration file.

Read more about upgrading Assets Discovery and Discovery Agents on Updating Discovery.

If you can’t immediately uninstall the agents, please check the mitigation options from the security advisory.

If you use Assets Discovery without Agents, you are not affected by this vulnerability. However, we highly recommend updating Assets Discovery to completely mitigate the vulnerability if you decide to use Agents in the future.

Is this advisory also applicable to Cloud?

Yes. The vulnerability exists between the optional stand-alone Assets Discovery app and its Agents, which are available for download to Jira Service Management customers regardless of whether they use Cloud or on-premise products.

I am a JSM Cloud user, do I have Assets Discovery installed?

Assets Discovery, which can be downloaded via Atlassian Marketplace, is an optional standalone network scanning tool that can be used with or without an Agent with Jira Service Management Cloud, Data Center, or Server. Hence, there is no indication within your instance to determine whether or not Assets Discovery is in use.

Reference: What is Assets Discovery? | Jira Service Management Cloud | Atlassian Support

Are other Atlassian products affected by CVE-2023-22523?

No. No other Atlassian products are affected by CVE-2023-22523. No action is required for other products.

Does patching to a fixed version completely solve the issue?

While the latest patch remediates the vulnerability (CVE-2023-22523), we are unable to confirm if there has been any malicious activity on your instance prior to applying the patch. 

We recommend engaging with your local security team to investigate if your instance was compromised prior to patching.

I need help patching Assets Discovery

To proceed with patching, follow these steps:

  1. Uninstall all Agents

  2. Update Assets Discovery

  3. Install the new version of Agent

Read more about upgrading Assets Discovery and Agents on Updating Discovery.

If you need further assistance with the upgrade, don't hesitate to contact our support team for help.

Is the Discovery Collector affected?

No, this vulnerability only affects Assets Discovery Agents. However, we highly recommend updating the Assets Discovery app to completely mitigate the vulnerability if you decide to use Agents in the future.

Should I still upgrade Assets Discovery even if I am not using Agents?

This vulnerability exists with Agents, so if you aren’t currently using Agents with your Assets Discovery app, you are not at risk. However, we highly recommend updating Assets Discovery to completely mitigate the vulnerability if you decide to use Agents in the future.

I am a Server Customer. How can I download the fixed version of Discovery?

To download the fixed version of Assets Discovery, click on the following link: Assets Discovery 3.2.0, then upgrade the Assets Discovery Agents by following the instructions from: Updating Discovery and the Collector | Atlassian Support | Atlassian Documentation

Should I perform an upgrade of Assets Discovery instead of performing a clean install (uninstalling the older version and installing the latest version)?

This vulnerability exists with Agents, so if you aren’t currently using Agents with Assets Discovery, you are not at risk. However, we highly recommend updating Assets Discovery by performing a clean install to completely mitigate the vulnerability if you decide to use Agents in the future.

If you are using Assets Discovery and/or Discovery Agents, they cannot be upgraded without a clean install. We strongly recommend uninstalling both: the Assets Discovery Agents first, as this is the most effective way to protect your data, and then the Assets Discovery tool.

As a next step, please proceed with a clean installation.

In addition to following the instructions to update your Agents, if you’ve made modifications to the pattern file, we recommend that you start fresh with the default pattern file, and apply any custom changes. You can reuse the configuration file.

Read more about upgrading Assets Discovery and Discovery Agents on Updating Discovery.

How should I upgrade my agent? / Can we simply install the new Discovery Agent version over the existing one? / Can I reuse the configuration file and/or pattern file?

We highly recommend updating Assets Discovery in addition to updating Agents. You must first completely uninstall an existing Agent before patching to a fixed version. Once the Agent(s) are uninstalled, you can apply the latest fixed version of the Assets Discovery application and reinstall the Assets Discovery Agents.

In addition to following the instructions to update your Agents, if you’ve made modifications to the pattern file, we recommend that you start fresh with the default pattern file, and apply any custom changes. You can reuse the configuration file.

Read more about upgrading Assets Discovery and Discovery Agents on Updating Discovery.

I have a large number of Discovery Agents on remote devices, how can I efficiently upgrade them?

Unfortunately, we currently do not offer the capability to remotely install or update any number of Agents. We strongly recommend uninstalling any Assets Discovery Agents as this is the most effective way to protect your data. However, if you cannot immediately uninstall the Agents, you should block the port used for communication with Agents (the default port is 51337). This temporary mitigation is not a replacement for manually uninstalling any existing Agents and performing a clean installation on all remote devices.

In addition to following the instructions to update your Agents, if you’ve made modifications to the pattern file, we recommend that you start fresh with the default pattern file, and apply any custom changes. You can reuse the configuration file.

Read more about upgrading Assets Discovery and Discovery Agents on Updating Discovery.

What are the criteria for a successful Discovery Agent installation?

To determine if your reinstallation of an Agent was successful, you should verify whether the Assets Discovery Agent is running as a service and is up-to-date with the latest version.

To check the service:

  1. Use the keyboard shortcut Win + R to open the Run window

  2. Type "services.msc" and press Enter or click OK

  3. Look for the Discovery Agent Service in the list

To confirm the Agent’s version:

  1. On the command line, navigate to the directory where the Agent is installed (default: C:\Program Files\Atlassian\Discovery Agent)

  2. Run Discovery_Agent.exe -v

  3. Confirm version number

For more information, please refer to our Knowledge Base: How to find details of Assets Discovery Agent | Jira | Atlassian Documentation

I have the Discovery Agent installed but I don’t use Jira Service Management (JSM) anymore, am I still vulnerable?

Yes, even if you no longer utilize Jira Service Management (JSM) but still have any Assets Discovery Agents installed, these Agents remain vulnerable. We highly recommend you uninstall them immediately.

Are there any IOCs (Indicators of Compromise) for the exploit regarding CVE-2023-22523?

Instances running Assets Discovery Agents are susceptible to potential remote code execution (RCE) by threat actors. The possibility of multiple entry points, along with chained attacks, makes it difficult to list all possible indicators of compromise.

Due to the complex nature of the exploit as well as wide variety of possible post-exploit activities, Atlassian can only provide initial guidance/starting points for onsite/dedicated security teams.

Consider investigating:

  • External connections to the default port 51337 (or any customized port specified in the configuration)

  • Commands executed on the Agent machine outside of the following list: Executed commands | Atlassian Support | Atlassian Documentation

  • Unfamiliar patterns added to the patterns folder in the Discovery Agent root or modified default patterns
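The three starting points above can be collected from an Agent host in one pass. The following is an added triage script, not Atlassian's code; it assumes Windows PowerShell 5.1 or later on the Agent host, the default port 51337 (override it if Discovery.cfg sets another), the two default install paths quoted on this page with a 'patterns' subfolder, and that process-creation auditing (Security event 4688) is enabled for the third check.

```powershell
# Added triage example (not Atlassian's code). Assumptions: default Agent port, default
# install paths from this FAQ, Security event 4688 auditing enabled for the last check.
param(
    [int]$AgentPort = 51337,                    # change if Discovery.cfg uses a custom port
    [datetime]$Since = (Get-Date).AddDays(-30)  # how far back to look
)

# 1. Connections to the Agent port: the listener plus any remote peers currently connected.
Get-NetTCPConnection -LocalPort $AgentPort -ErrorAction SilentlyContinue |
    Select-Object State, LocalAddress, LocalPort, RemoteAddress, RemotePort,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name }} |
    Format-Table -AutoSize

# 2. Patterns folder: files added or modified recently, hashed so they can be compared
#    against a known-good default pattern set. Both default install roots are checked.
$roots = 'C:\Program Files\Atlassian\Discovery Agent', 'C:\Program Files (x86)\Atlassian\Discovery Agent'
foreach ($root in $roots) {
    $patterns = Join-Path $root 'patterns'   # assumed subfolder name for the pattern files
    if (Test-Path $patterns) {
        Get-ChildItem -Path $patterns -File -Recurse |
            Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
            Select-Object FullName, CreationTime, LastWriteTime,
                @{n='SHA256'; e={ (Get-FileHash -Algorithm SHA256 $_.FullName).Hash }} |
            Format-Table -AutoSize
    }
}

# 3. Processes spawned by the Agent, to compare against Atlassian's "Executed commands" list.
#    Needs "Audit Process Creation"; ParentProcessName is present on Windows 10 / Server 2016+,
#    and "Include command line in process creation events" fills the CommandLine field.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Discovery_Agent\.exe' } |   # cheap pre-filter
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Parent      = $d['ParentProcessName']
            NewProcess  = $d['NewProcessName']
            CommandLine = $d['CommandLine']
        }
    } |
    Where-Object { $_.Parent -match 'Discovery_Agent\.exe' } |    # keep only children of the Agent
    Format-Table -AutoSize
```

Anything the third check returns that is not on Atlassian's documented list of executed commands, and any pattern file whose hash does not match your default set, is worth handing to the investigating team.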

If you’re using Atlassian Discovery Agents, Atlassian strongly recommends that you uninstall all Agents immediately. Once the Agent(s) are uninstalled, you can apply the latest fixed version of the Assets Discovery application and reinstall the Agents.

In addition to following the instructions to update your Agents, if you’ve made modifications to the pattern file, we recommend that you start fresh with the default pattern file, and apply any custom changes. You can reuse the configuration file.

Read more about upgrading Assets Discovery and Discovery Agents on Updating Discovery.

If you use Assets Discovery without Agents, we still recommend updating the app to completely mitigate the vulnerability if you decide to use Agents in the future.

Where should I block the port to temporarily mitigate this vulnerability? At the machine level or the network level?

Atlassian strongly recommends that you uninstall all Agents immediately. Once the Agents are uninstalled, you can apply the latest fixed version of the Assets Discovery application and reinstall the Agents.

In addition to following the instructions to update your Agents, if you’ve made modifications to the pattern file, we recommend that you start fresh with the default pattern file, and apply any custom changes. You can reuse the configuration file.

Read more about upgrading Assets Discovery and Discovery Agents on Updating Discovery.

If you are using Agents and cannot uninstall all of them immediately, both machine-level and network-level port blocking can be effective as a temporary alternative, depending on your infrastructure and needs. However, this temporary mitigation is not a replacement for upgrading Assets Discovery and the Agents to the latest fixed version.

Machine Level: This involves configuring firewall rules on the specific machine on which the Agent is installed, and is usually preferred for a limited number of machines or for specific machines. It has the added benefit of not disrupting network traffic for other systems.

Network Level: This involves configuring firewall rules on routers or network firewalls, affecting all machines on the network, and is usually preferred for managing multiple machines simultaneously, with the caveat that it could disrupt other services using the same port.
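For the machine-level option, the block can be applied and evidenced with Windows Firewall. This is an added example, not Atlassian's code; it assumes the default port 51337 (match the value in Discovery.cfg if it was customized), that Windows Firewall is the host firewall in use, and an elevated PowerShell session.

```powershell
# Added example (not Atlassian's code): temporary machine-level mitigation on an Agent host.
# Assumes Windows Firewall is enforcing and the default Agent port from this FAQ; run elevated.
param([int]$AgentPort = 51337)   # match the port in Discovery.cfg if it was customized

$ruleName = "Block Assets Discovery Agent inbound TCP $AgentPort"

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # Block inbound connections to the Agent listener on every profile (Domain/Private/Public).
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $AgentPort -Action Block -Profile Any -Enabled True | Out-Null
}

# A block rule on a profile whose firewall is switched off blocks nothing, so show profile state too.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# Show the rule together with its port filter so the mitigation can be evidenced in a ticket.
Get-NetFirewallRule -DisplayName $ruleName |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule = $_.DisplayName; Enabled = $_.Enabled; Action = $_.Action
            Protocol = $port.Protocol; LocalPort = $port.LocalPort
        }
    }

# Once the clean install of Assets Discovery and the Agents is complete, the Agent needs this
# port again: remove the rule with  Remove-NetFirewallRule -DisplayName $ruleName
```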

How can we verify whether or not we are using Assets Discovery Agents in our System?

Assets Discovery Agents are used with the Assets Discovery network scanning tool to discover data from systems that are not always online, or collect data from Windows systems without opening the inbound WMI Port and the Dynamic DCOM Ports.

To identify any configured Assets Discovery Agents in your environment:

  1. Open the Assets Discovery tool settings (using the command 'Discovery.exe -s')

  2. Click on the Service tab

  3. Note the IP addresses in the ‘Agent IP Range’ field

Afterwards you will need to navigate into each remote machine and run the following steps to check the service:

  1. Use the keyboard shortcut Win + R to open the Run window

  2. Type "services.msc" and press Enter or click OK

  3. Look for the Discovery Agent Service in the list

Please note that it is possible to have an Assets Discovery Agent installed on a remote machine without having that machine's IP address added in Assets Discovery. To make sure you detect all Agents, we recommend reviewing the whole network and ensuring that no Agents remain installed.

If the Discovery Agent service is running on the host, you should expect to see an entry returned by the 'netstat' command. The default listener port of the Discovery Agent is 51337; however, it could be different depending on the configuration in the Assets Discovery configuration file (Discovery.cfg).

netstat -ab
[Discovery_Agent.exe] TCP    0.0.0.0:56348          EC2AMAZ-OGQ6O16:0      LISTENING

You should also see Assets Discovery Agent in the installation directory, which by default is C:\Program Files (x86)\Atlassian\Discovery Agent
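The service, listener, directory and version checks described in this answer and in "What are the criteria for a successful Discovery Agent installation?" can be combined into one report per host, which is useful when sweeping an Agent IP range. This is an added example, not Atlassian's code; it assumes the two default install paths quoted on this page, a service whose display name contains "Discovery Agent", a process name of Discovery_Agent, and the default port 51337.

```powershell
# Added example (not Atlassian's code) to run on each candidate host: is an Agent installed,
# is its service present and running, what is it listening on, and what version does it report?
# Assumptions: default install paths, service display name and port quoted in this FAQ.
param([int]$ExpectedPort = 51337)

$result = [ordered]@{ Host = $env:COMPUTERNAME }

# Service: the FAQ calls it the "Discovery Agent Service"; match on display name to tolerate variants.
$svc = Get-Service | Where-Object { $_.DisplayName -like '*Discovery Agent*' } | Select-Object -First 1
$result.Service = if ($svc) { "$($svc.DisplayName) [$($svc.Status)]" } else { 'not installed' }

# Install directory: both defaults mentioned on this page.
$install = 'C:\Program Files (x86)\Atlassian\Discovery Agent', 'C:\Program Files\Atlassian\Discovery Agent' |
    Where-Object { Test-Path (Join-Path $_ 'Discovery_Agent.exe') } | Select-Object -First 1
$result.InstallDir = if ($install) { $install } else { 'not found' }

# Version: the same as running Discovery_Agent.exe -v by hand in the install directory.
$result.Version = if ($install) {
    (& (Join-Path $install 'Discovery_Agent.exe') -v 2>&1 | Out-String).Trim()
} else { 'n/a' }

# Listener: the Agent normally listens on 51337, but Discovery.cfg may set another port, so report
# every port the Discovery_Agent process is listening on instead of only the expected one.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -eq 'Discovery_Agent' }
$result.ListeningPorts = ($listeners.LocalPort | Sort-Object -Unique) -join ','
$result.OnExpectedPort = [bool]($listeners | Where-Object LocalPort -eq $ExpectedPort)

# Any of the three being present means an Agent is on this host and must be uninstalled before patching.
$result.AgentPresent = [bool]($svc -or $install -or $listeners)
[pscustomobject]$result
```

Run it on every host in the 'Agent IP Range' and on any other host you suspect, since an Agent can exist without its IP being listed in Assets Discovery; a row with AgentPresent set to True is an Agent still to be removed.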

Please work with your security and infrastructure teams to help determine if this might be the case, and contact Atlassian Support should you have any additional questions.

Why are there so many security advisories lately?

Your security is our top priority, and we believe that acting proactively is the best approach to protecting your data. We found these vulnerabilities as part of an ongoing security review that we are conducting in addition to our continuous security assessments (more info - https://www.atlassian.com/trust/security/security-testing).

Please continue to follow the Critical Security Advisories for future updates, and if you have questions, please respond to this email or raise a support request via support.atlassian.com.

What if I don’t have a local security team?

We recommend engaging a specialist security firm for further investigation.

How does Atlassian decide who to send these emails to?

By default, the primary technical contact will always receive emails regarding security vulnerabilities as well as other technical and contract-related alerts (pricing changes, maintenance notifications, etc.). Follow these instructions to update contact information:

How do I update the billing and technical contacts for my Atlassian products?

Other contacts can opt into these notifications by going to my.atlassian.com, clicking Email Preferences at the top, scrolling to Tech Alerts, and selecting the products they want notifications for.


Last modified on Dec 7, 2023
