Mar 21, 2024NewsroomDatabase / Vulnerability

Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction.

Tracked as CVE-2024-1597, the vulnerability carries a CVSS score of 10.0, indicating maximum severity.

Described as an SQL injection flaw, it’s rooted in a dependency called org.postgresql:postgresql, as a result of which the company said it “presents a lower assessed risk” despite the criticality.

“This org.postgresql:postgresql dependency vulnerability […] could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction,” Atlassian said.

According to a description of the flaw in the NIST’s National Vulnerability Database (NVD), “pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE.” The driver versions prior to the ones listed below are impacted –

• 42.7.2
• 42.6.1
• 42.5.5
• 42.4.4
• 42.3.9, and
• 42.2.28 (also fixed in 42.2.28.jre7)

“SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value,” the maintainters said in an advisory last month.

“There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.”

The Atlassian vulnerability is said to have been introduced in the following versions of Bamboo Data Center and Server –

• 8.2.1
• 9.0.0
• 9.1.0
• 9.2.1
• 9.3.0
• 9.4.0, and
• 9.5.0

The company also emphasized that Bamboo and other Atlassian Data Center products are unaffected by CVE-2024-1597 as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings.

SonarSource security researcher Paul Gerste has been credited with discovering and reporting the flaw. Users are advised to update their instances to the latest version to protect against any potential threats.

Jan 17, 2024NewsroomVulnerability / Cyber Threat

Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild.

The flaws are listed below –

• CVE-2023-6548 (CVSS score: 5.5) – Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management interface access)
• CVE-2023-6549 (CVSS score: 8.2) – Denial-of-service (requires that the appliance be configured as a Gateway or authorization and accounting, or AAA, virtual server)

The following customer-managed versions of NetScaler ADC and NetScaler Gateway are impacted by the shortcomings –

• NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
• NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
• NetScaler ADC 13.1-FIPS before 13.1-37.176
• NetScaler ADC 12.1-FIPS before 12.1-55.302, and
• NetScaler ADC 12.1-NDcPP before 12.1-55.302

“Exploits of these CVEs on unmitigated appliances have been observed,” Citrix said, without sharing any additional specifics. Users of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version that patches the flaws.

It’s also advised to not expose the management interface to the internet to reduce the risk of exploitation.

In recent months, multiple security vulnerabilities in Citrix appliances (CVE-2023-3519 and CVE-2023-4966) have been weaponized by threat actors to drop web shells and hijack existing authenticated sessions.

VMware Fixes Critical Aria Automation Flaw

The disclosure comes as VMware alerted customers of a critical security vulnerability in Aria Automation (previously vRealize Automation) that could allow an authenticated attacker to gain unauthorized access to remote organizations and workflows.

The issue has been assigned the CVE identifier CVE-2023-34063 (CVSS score: 9.9), with the Broadcom-owned virtualization services provider describing it as a “missing access control” flaw.

Commonwealth Scientific and Industrial Research Organization’s (CSIRO) Scientific Computing Platforms team has been credited with discovering and reporting the security vulnerability.

The versions impacted by the vulnerability are provided below –

“The only supported upgrade path after applying the patch is to version 8.16,” VMware said. “If you upgrade to an intermediate version, the vulnerability will be reintroduced, requiring an additional round of patching.”

Atlassian Discloses Critical Code Execution Bug

The development also follows Atlassian’s release of patches for over two dozen vulnerabilities, including a critical remote code execution (RCE) flaw impacting Confluence Data Center and Confluence Server.

The vulnerability, CVE-2023-22527, has been assigned a CVSS score of 10.0, indicating maximum severity. It affects versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3. It’s worth noting that 7.19.x LTS versions are not affected by the vulnerability.

“A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version,” the Australian company said.

The issue has been addressed in versions 8.5.4, 8.5.5 (Confluence Data Center and Server), 8.6.0, 8.7.1, and 8.7.2 (Data Center only). Users who are on out-of-date instances are recommended to update their installations to the latest version available.