Description and Immediate Mitigation Steps
Vulnerability Information:
- Severity: High (Atlassian rates the advisory High, not Critical)
- Versions Impacted (Confluence Data Center and Server): 7.19, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7.1. Crowd versions are listed separately under Affected Versions below.
- Vulnerability Type: High severity third-party dependency vulnerability in org.apache.tomcat:tomcat-catalina (Apache Tomcat), which the affected Atlassian products bundle.
- CVE Identifier: CVE-2023-46589.
- CVSS Score: 7.5 (High), as assigned by Atlassian. Impact: HTTP request smuggling when Tomcat sits behind a reverse proxy. Tomcat did not parse HTTP trailer headers correctly; a trailer header exceeding the header size limit could cause Tomcat to treat a single request as multiple requests, so the proxy and Tomcat disagree about where one request ends and the next begins.
Affected Versions:
- Crowd Data Center and Server: all releases before 5.0.10, all 5.1.x releases before 5.1.8, and all 5.2.x releases before 5.2.3.
Recommended Actions:
- Crowd Data Center and Server customers should upgrade to the latest version.
- Apache's own fix: Tomcat users are recommended to upgrade to 11.0.0-M11, 10.1.16, 9.0.83 or 8.5.96 (or later on each branch). In Crowd and Confluence the Tomcat build is bundled, so the product upgrade below is what delivers the fixed Tomcat.
- If unable to upgrade to the latest version, upgrade to one of the specified supported fixed versions based on your current version:
- Crowd Data Center and Server 5.2: Upgrade to a release greater than or equal to 5.2.3.
- Crowd Data Center and Server 5.1: Upgrade to a release greater than or equal to 5.1.8.
- Crowd Data Center and Server 5.0: Upgrade to a release greater than or equal to 5.0.10.
- Older Crowd Data Center and Server versions: Upgrade to the newest release greater than or equal to 5.2.3.
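The fixed-version lists above are easy to misread once milestone builds (11.0.0-M10 versus 11.0.0-M11) and several parallel branches are involved. The following is an added example for this page, not Atlassian or Apache tooling: it takes either a bare version string or the output of Tomcat's `bin/version.sh` and reports whether the build is at or past the first fixed release. The Tomcat fix versions are those listed under Recommended Actions and the Crowd fix versions those under Affected Versions; the sample `version.sh` output, paths and function names are constructed for illustration.

```python
"""Decide whether a deployed build is at or past the first fixed release for
CVE-2023-46589.  Added example for this page, not Atlassian or Apache tooling.
"""
import re
from typing import Dict, Optional, Tuple

# major, minor, patch, milestone (None = GA release)
Version = Tuple[int, int, int, Optional[int]]

# First fixed release per Tomcat branch, from the advisory's fixed-version list.
# Tomcat 11 was still shipping milestone builds, hence the "-M11" entry.
FIXED_TOMCAT: Dict[Tuple[int, int], Version] = {
    (11, 0): (11, 0, 0, 11),    # 11.0.0-M11
    (10, 1): (10, 1, 16, None),
    (9, 0):  (9, 0, 83, None),
    (8, 5):  (8, 5, 96, None),
}
# First fixed Crowd release per branch, from the Atlassian advisory.
FIXED_CROWD: Dict[Tuple[int, int], Version] = {
    (5, 2): (5, 2, 3, None),
    (5, 1): (5, 1, 8, None),
    (5, 0): (5, 0, 10, None),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Pull the first x.y.z[-Mn] out of a bare version string or the output
    of Tomcat's bin/version.sh.  The 'Server version:' line is preferred so
    that version-like fragments in CATALINA_HOME paths cannot win."""
    for line in text.splitlines():
        if line.startswith("Server version:"):
            text = line
            break
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else None)


def _key(v: Version):
    # Milestones sort below the GA build of the same number:
    # 11.0.0-M10 < 11.0.0-M11 < 11.0.0
    major, minor, patch, milestone = v
    return (major, minor, patch, milestone is None, milestone or 0)


def status(version_text: str, fixed: Dict[Tuple[int, int], Version] = FIXED_TOMCAT) -> str:
    """'fixed', 'vulnerable', 'unknown' (no version found) or, for a branch the
    advisory does not list, 'older-than-advisory' / 'newer-than-advisory'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    first_fixed = fixed.get((v[0], v[1]))
    if first_fixed is None:
        # e.g. Tomcat 7.0.x or Crowd 4.x: the advisory lists no fixed release on
        # that branch, so the only safe action is still to upgrade.
        oldest = min(fixed.values(), key=_key)
        return "older-than-advisory" if _key(v) < _key(oldest) else "newer-than-advisory"
    return "fixed" if _key(v) >= _key(first_fixed) else "vulnerable"


# Constructed sample of what apache-tomcat/bin/version.sh prints on an
# un-patched node; the paths and build date are made up for this example.
SAMPLE_VERSION_SH = """\
Using CATALINA_BASE:   /opt/atlassian/crowd/apache-tomcat
Using CATALINA_HOME:   /opt/atlassian/crowd/apache-tomcat
Server version: Apache Tomcat/9.0.82
Server built:   Oct 13 2023 20:31:02 UTC
Server number:  9.0.82.0
OS Name:        Linux
"""

if __name__ == "__main__":
    print("bundled tomcat:", status(SAMPLE_VERSION_SH))
    print("crowd 5.1.7:   ", status("5.1.7", FIXED_CROWD))
    print("crowd 5.2.3:   ", status("5.2.3", FIXED_CROWD))
```

Run it against `<install-dir>/apache-tomcat/bin/version.sh` output on every node, not just the one you upgraded: a cluster that was patched by hand can easily keep one node on the old bundled Tomcat.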
Standard Manual Upgrade Steps:
- Notify users of the maintenance outage before applying the fix
- Stop services across all nodes
- Back up the existing database and the shared home before the upgrade
- Make copies of setenv.sh and server.xml from the bin and conf folders of the application install directory (they hold the custom JVM options and connector settings that must be carried forward after the upgrade)
- Download the fixed release from the Atlassian download archive
- Apply the upgrade, but do not let the installer auto-start the services
- Copy back setenv.sh, server.xml and any other customized files you saved before the upgrade, diffing each one against the copy shipped in the new release rather than overwriting it blindly
- Restart services and perform smoke testing once the application is available
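The copy-out / copy-back steps are where manual upgrades go wrong: an old server.xml dropped over the new release silently discards whatever the vendor changed in it. The following is an added example for this page, not Atlassian's upgrade tooling. It snapshots the two files the page names, verifies them by digest before restoring, keeps the vendor's shipped copy beside each restored file as `<name>.dist`, and reports which files need a diff. The file contents, the backup layout and the `.dist` convention are this example's own choices; only the paths (bin/setenv.sh, conf/server.xml) come from the page.

```python
"""Preserve and restore hand-edited Tomcat files across an Atlassian upgrade.
Added example for this page; not Atlassian's upgrade tooling."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Files the page tells you to copy out before the upgrade and back in afterwards.
PRESERVED = ("bin/setenv.sh", "conf/server.xml")


def _sha256(p: Path) -> str:
    return hashlib.sha256(p.read_bytes()).hexdigest()


def snapshot(install_dir: Path, backup_dir: Path) -> Dict[str, str]:
    """Copy the customised files out of the install tree and return their
    SHA-256 digests so the restore step can prove it put back the same bytes."""
    digests: Dict[str, str] = {}
    for rel in PRESERVED:
        src = install_dir / rel
        if not src.is_file():
            continue  # e.g. a node that never had a setenv.sh
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps mode bits; setenv.sh must stay executable
        digests[rel] = _sha256(dst)
    return digests


def restore(install_dir: Path, backup_dir: Path, digests: Dict[str, str]) -> List[str]:
    """Copy the preserved files back over the freshly installed release.
    Whenever the vendor's shipped copy differs from ours it is kept beside the
    restored file as <name>.dist and the path is returned, so the operator can
    diff it: a new release may add connector attributes or JVM flags that a
    blind copy-back would drop."""
    needs_review: List[str] = []
    for rel, expected in digests.items():
        src = backup_dir / rel
        if not src.is_file() or _sha256(src) != expected:
            raise RuntimeError(f"backup of {rel} is missing or altered; refusing to restore")
        dst = install_dir / rel
        if dst.is_file() and _sha256(dst) != expected:
            shutil.copy2(dst, dst.with_name(dst.name + ".dist"))
            needs_review.append(rel)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
    return needs_review


def verify(install_dir: Path, digests: Dict[str, str]) -> bool:
    """Post-restore check: every preserved file is back, byte for byte."""
    return all((install_dir / rel).is_file() and _sha256(install_dir / rel) == d
               for rel, d in digests.items())


def demo() -> Dict[str, object]:
    """Run the whole cycle on a constructed install tree in a temp directory.
    All file contents below are made up; only the paths follow the page."""
    root = Path(tempfile.mkdtemp(prefix="atl-upgrade-"))
    install, backup = root / "install", root / "backup"
    (install / "bin").mkdir(parents=True)
    (install / "conf").mkdir(parents=True)
    (install / "bin/setenv.sh").write_text('CATALINA_OPTS="-Xmx4g ${CATALINA_OPTS}"\n')
    (install / "conf/server.xml").write_text('<Connector port="8095" proxyName="sso.example.test"/>\n')

    digests = snapshot(install, backup)

    # Stand-in for "apply the upgrade": the new release ships its own stock copies.
    (install / "bin/setenv.sh").write_text('CATALINA_OPTS="-Xmx1g ${CATALINA_OPTS}"\n')
    (install / "conf/server.xml").write_text('<Connector port="8095" maxHttpHeaderSize="8192"/>\n')

    review = restore(install, backup, digests)
    result: Dict[str, object] = {
        "needs_review": review,
        "restored_ok": verify(install, digests),
        "server_xml": (install / "conf/server.xml").read_text(),
        "vendor_server_xml": (install / "conf/server.xml.dist").read_text(),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The refusal to restore from an altered backup is deliberate: the backup directory is the one place an attacker who already has a foothold could plant a modified setenv.sh that the upgrade procedure then installs for them.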
Conclusion:
There is a high-severity vulnerability in the org.apache.tomcat:tomcat-catalina dependency, affecting Apache Tomcat and present in Crowd Data Center and Server releases before 5.0.10, 5.1.8 and 5.2.3. With a CVSS score of 7.5, it allows an unauthenticated attacker who can reach Tomcat through a reverse proxy to smuggle requests and so compromise the integrity of your environment.
Atlassian recommends upgrading to the latest version of Crowd Data Center and Server, or, if that is not possible, to one of the supported fixed versions listed above for your current branch. Anyone running Apache Tomcat directly should upgrade to the fixed Tomcat releases (11.0.0-M11, 10.1.16, 9.0.83 or 8.5.96, or later) for the same reason. Verify the bundled Tomcat version on every node after the upgrade, not just the first one.
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-46589
Link to Atlassian ticket can be found here.