CVE-2023-22523 - RCE Vulnerability in Assets Discovery
Summary | CVE-2023-22523 - RCE (Remote Code Execution) Vulnerability in Assets Discovery |
Advisory Release Date | Tues, Dec 5 2023 21:00 PST |
Products | Assets Discovery for
|
CVE ID | |
Related Jira Ticket(s) |
Summary of Vulnerability
This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. See “What You Need To Do” for detailed instructions.
Assets Discovery, which can be downloaded via Atlassian Marketplace, is a stand-alone network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and collects detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network.
Read more about Assets Discovery agents here: https://support.atlassian.com/jira-service-management-cloud/docs/what-are-asset-discovery-agents/ https://support.atlassian.com/jira-service-management-cloud/docs/install-asset-discovery-agents/
Severity
Atlassian rates the severity level of this vulnerability as critical (9.8 with the following vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) per our internal assessment.
This is our assessment, and you should evaluate its applicability to your own IT environment.
Affected Versions
This vulnerability affects all versions prior to Assets Discovery 3.2.0-cloud / 6.2.0 data center and server. Atlassian recommends patching to the latest version.
Product | Component | Affected Versions |
|---|---|---|
Jira Service Management Cloud | Assets Discovery |
|
Jira Service Management Data Center and Server | Assets Discovery |
|
Fixed Versions
There is no need to upgrade Jira Service Management product, only the Assets Discovery application and agents.
Product | Component | Fixed Versions |
|---|---|---|
Jira Service Management Cloud | Assets Discovery |
|
Jira Service Management Data Center and Server | Assets Discovery |
|
What You Need To Do
Uninstall Assets Discovery agents
Apply the Assets Discovery application patch
Reinstall Assets Discovery agents
Uninstalling the Assets Discovery agents is the most effective way to mitigate risk. Once the agent(s) are uninstalled, you can apply the latest fixed version of the Assets Discovery application and reinstall the Assets Discovery agents.
NOTE: Customers who do not currently use agents but may wish to in the future, must also apply the latest fixed version of the Assets Discovery application before installing agents.
What if I can’t immediately uninstall the agents?
We strongly recommend uninstalling the Assets Discovery agents as it is the most effective way to protect your data, and customers will need to follow all of the instructions above before using Assets Discovery agents again.
However, if you cannot immediately uninstall the Assets Discovery agents, customers may block the port used for communication with agents (the default port is 51337). This temporary mitigation is not a replacement for uninstalling the agents. Please see the FAQ for additional information.
Frequently Asked Questions
More details can be found on the Frequently Asked Questions (FAQ) page.
Support
If you did not receive an email for this advisory, and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Tech Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/ .
References
As per our new policy critical security bug fixes will be back ported. We will release new maintenance releases for the versions covered by the policy instead of binary patches. | |
Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. | |
Our end of life policy varies for different products. Please refer to our EOL Policy for details. |