CVE-2023-22523 - RCE Vulnerability in Assets Discovery

Security Advisories & Bulletins

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

Summary

CVE-2023-22523 - RCE (Remote Code Execution) Vulnerability in Assets Discovery

Advisory Release Date

Tues, Dec 5 2023 21:00 PST

Products

Assets Discovery for 

  • Jira Service Management Cloud

  • Jira Service Management Server

  • Jira Service Management Data Center

CVE ID

CVE-2023-22523

Related Jira Ticket(s)

Summary of Vulnerability

This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. See “What You Need To Do” for detailed instructions.

Assets Discovery, which can be downloaded via Atlassian Marketplace, is a stand-alone network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and collects detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network.

Severity

Atlassian rates the severity level of this vulnerability as critical (9.8 with the following vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) per our internal assessment.
This is our assessment, and you should evaluate its applicability to your own IT environment.

Affected Versions

This vulnerability affects all versions prior to Assets Discovery 3.2.0-cloud / 6.2.0 data center and server. Atlassian recommends patching to the latest version.

Product

Component

Affected Versions

Jira Service Management Cloud

Assets Discovery

  • Insight Discovery 1.0 - 3.1.3

  • Assets Discovery 3.1.4 - 3.1.7

  • Assets Discovery 3.1.8-cloud - 3.1.11-cloud

Jira Service Management Data Center and Server

Assets Discovery

  • Insight Discovery 1.0 - 3.1.7

  • Assets Discovery 3.1.9 - 3.1.11

  • Assets Discovery 6.0.0 - 6.1.14, 6.1.14-jira-dc-8

Fixed Versions

There is no need to upgrade Jira Service Management product, only the Assets Discovery application and agents.

Product

Component

Fixed Versions

Jira Service Management Cloud

Assets Discovery

  • Assets Discovery 3.2.0-cloud or later

Jira Service Management Data Center and Server

Assets Discovery

  • Assets Discovery 6.2.0 or later

What You Need To Do

  1. Uninstall Assets Discovery agents

  2. Apply the Assets Discovery application patch

  3. Reinstall Assets Discovery agents

Uninstalling the Assets Discovery agents is the most effective way to mitigate risk. Once the agent(s) are uninstalled, you can apply the latest fixed version of the Assets Discovery application and reinstall the Assets Discovery agents.

NOTE: Customers who do not currently use agents but may wish to in the future, must also apply the latest fixed version of the Assets Discovery application before installing agents.

What if I can’t immediately uninstall the agents?

We strongly recommend uninstalling the Assets Discovery agents as it is the most effective way to protect your data, and customers will need to follow all of the instructions above before using Assets Discovery agents again.

However, if you cannot immediately uninstall the Assets Discovery agents, customers may block the port used for communication with agents (the default port is 51337). This temporary mitigation is not a replacement for uninstalling the agents. Please see the FAQ for additional information.

Frequently Asked Questions

More details can be found on the Frequently Asked Questions (FAQ) page.

Support

If you did not receive an email for this advisory, and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Tech Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/ .

References

Security Bug Fix Policy

As per our new policy critical security bug fixes will be back ported. We will release new maintenance releases for the versions covered by the policy instead of binary patches.
Binary patches are no longer released.

Security Levels for Security Issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.



Last modified on Dec 11, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.