Loading...

XML

Word

Printable

Details

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Highest
Fix Version/s: Discovery 3.2.0
Affects Version/s: Discovery 1.0-3.1.7, Discovery 3.1.8, Discovery 3.1.9, Discovery 3.1.10, Discovery 3.1.11
Component/s: Assets Discovery
Labels:
None

Symptom Severity:
Severity 1 - Critical
CVSS Score:
9.8
CVE ID:
CVE-2023-22523
Vulnerability Classes:

RCE (Remote Code Execution)
Advisory URL:
https://confluence.atlassian.com/security/cve-2023-22523-rce-vulnerability-in-assets-discovery-1319248914.html

Description

This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. See “What You Need To Do” for detailed instructions.

Assets Discovery, which can be downloaded via Atlassian Marketplace, is a network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and extracts detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network.

Read more about Assets Discovery agents here: https://support.atlassian.com/jira-service-management-cloud/docs/what-are-asset-discovery-agents https://support.atlassian.com/jira-service-management-cloud/docs/install-asset-discovery-agents/

Affected Versions

This vulnerability affects all versions prior to Assets Discovery 3.2.0-cloud / 6.2.0 Data Center and server Atlassian recommends patching to the latest version.

Product	Component	Affected Versions
Jira Service Management Cloud	Assets Discovery	Insight Discovery 1.0 - 3.1.3 Assets Discovery 3.1.4 - 3.1.7 Assets Discovery 3.1.8-cloud - 3.1.11-cloud
Jira Service Management Data Center and Server	Assets Discovery	Insight Discovery 1.0 - 3.1.7 Assets Discovery 3.1.9 - 3.1.11 Assets Discovery 6.0.0 - 6.1.14, 6.1.14-jira-dc-8

Fixed Versions

There is no need to upgrade Jira Service Management product, only the Assets Discovery application and agents.

Product	Component	Fixed Versions
Jira Service Management Cloud	Assets Discovery	Assets Discovery 3.2.0-cloud or later
Jira Service Management Data Center and Server	Assets Discovery	Assets Discovery 6.2.0 or later

What You Need To Do

1. Uninstall Assets Discovery agents

2. Apply the Assets Discovery application patch

3. Re-install agents

Uninstalling the Assets Discovery agents is the quickest and safest way to mitigate risk. Once the agent(s) are uninstalled, you can apply the latest fixed version of the Assets Discovery application and re-install the Assets Discovery agents.

NOTE: Customers who do not currently use agents but may wish to in the future, must also apply the latest fixed version of the Assets Discovery application before installing agents.

What if I can’t immediately uninstall the agents?

Uninstalling the Assets Discovery agents is the most effective way to protect your data, and customers will need to follow all of the instructions above before using Assets Discovery agents again.

However, if you cannot immediately uninstall the Assets Discovery agents, customers may block the port used for communication with agents (the default port is 51337). This temporary mitigation is not a replacement for uninstalling the agents. Please see the FAQ for additional information.

Frequently Asked Questions

More details can be found on the Frequently Asked Questions (FAQ) page.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Zakhar Listiev

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 05/Dec/2023 7:19 AM

Updated:: 17/Jan/2024 6:58 PM

Resolved:: 06/Dec/2023 5:16 AM

RCE Vulnerability in Assets Discovery - CVE-2023-22523