Security updates: Atlassian Bitbucket, Confluence & Co. attackable

Attackers can target several vulnerabilities in Atlassian software and cause it to crash via a DoS attack.


Atlassian Bamboo, Bitbucket, Confluence and Crowd Data Center and Server contain security vulnerabilities. Patches close several of them, and admins should act promptly.

A warning message from Atlassian indicates that all the vulnerabilities that have now been closed (CVE-2024-34750, CVE-2024-32007, CVE-2024-29857, CVE-2024-22871) are classified as "high". Attackers can use these vulnerabilities for DoS attacks. If such an attack succeeds, the software usually crashes and its services become unavailable.


In these cases, attackers have to send specially prepared HTTP requests, for example, so that errors and ultimately crashes occur. It is not yet clear whether attacks are already taking place. Unfortunately, Atlassian does not list any indicators by which admins could recognize systems that have already been attacked.

Admins can read about the specific affected components in the warning message. To protect their systems, they must install the following versions:

  • Bamboo Data Center and Server 9.2.17 to 9.2.18 (LTS), 9.6.4 to 9.6.6 (LTS) (Data Center only recommended), 10.0.0 to 10.0.1 (Data Center only)
  • Bitbucket Data Center and Server 8.9.19 (LTS), 8.19.9 (LTS) (Data Center only recommended), 9.0.0 to 9.0.1 (Data Center only)
  • Confluence Data Center and Server 7.19.26 (LTS), 8.5.12 to 8.5.15 (LTS), 8.9.4 to 8.9.6 (Data Center only), 9.0.1 to 9.0.3 (Data Center only)
  • Crowd Data Center and Server 5.2.6 to 5.2.8, 5.3.2 to 5.3.4 (Data Center only)

Atlassian points out that the security updates will not be released for versions that are no longer supported. In this case, admins must upgrade to a supported version.

A month ago, Atlassian also released updates for numerous products. Among other things, they closed security gaps in Bamboo, Confluence and Jira that were considered high risk.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.