Select Page

Confluence CVE-2024-22257 – Improper Authorization Corrective Action

Jun 19, 2024 | Atlassian, Solving Problems

KithSolvingProblems

Confluence CVE-2024-22257 Impact and Mitigation Steps:

    • Severity: The critical vulnerability in Atlassian Confluence is classified as “HIGH”
    • Versions Impacted:
      • 8.9.0 to 8.9.2
      • 8.8.0 to 8.8.1
      • 8.7.1 to 8.7.2
      • 8.6.0 to 8.6.2
      • 8.5.0 to 8.5.10 (LTS)
      • 8.4.0 to 8.4.5
      • 8.3.0 to 8.3.4
      • 8.2.0 to 8.2.3
      • 8.1.0 to 8.1.4
      • 8.0.0 to 8.0.4
      • 7.20.0 to 7.20.3
      • 7.19.0 to 7.19.23 (LTS)
    • Vulnerability Type: Public Security Vulnerability
    • CVE Identifier: The specific vulnerability is tracked as CVE-2024-22257
    • CVSS Score: Atlassian assigned a CVSS score of 8.2 to this vulnerability, highlighting its severity. 
    • This vulnerability In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

Recommended Actions:

Atlassian recommends that Jira Software Data Center and Server customers upgrade to one of the fix versions listed below

    • Fixed versions
      • 8.9.3 Data Center Only
      • 8.5.11 (LTS) recommended
      • 7.19.24 (LTS)

Standard Manual Upgrade Steps:

    • Notify users of outage for critical hotfixing
    • Stop services across all nodes
    • Backup existing database and shared home prior to upgrade
    • Make copies of the setenv.sh and server.xml found in the application install directories bin & conf (these hold critical settings we want to propogate again post upgrade
    • Download the hotfix from the Atlassian archives
    • Apply the upgrade, do not auto-start services
    • Copy back the setenv.sh, server.xml, and any other customized files you had to copy during the upgrade process
    • Restart services and perform smoke testing once Confluence is available

 

Conclusion:

The advisory regarding Spring Security vulnerability, CVE-2024-22257, in Atlassian Confluence with a CVSS score of 8.2 , poses a significant threat, allowing unauthenticated attackers to potentially compromise Confluence instances. 

To safeguard their systems and prevent the potential leakage of sensitive information and malicious attacks, all exposed customers are recommended to upgrade to one of the fixed versions listed as soon as possible.

    Here is the notice from the National Vulnerability Database

    Link to Atlassian ticket can be found here. 

    Thanks for visiting, if you need assistance patching this vulnerability check out our Atlassian Services!