#pgjdbc

🛡 H3lium@infosec.exchange/:~# H3liumb0y@infosec.exchange
2024-03-21

20240321 - Atlassian Confluence Security Bulletin Analysis March 2024 Vulnerability with a focus on CVE-2024-1597

Date: March 19, 2024
CVE: CVE-2024-1597
Sources: Atlassian Documentation, SecurityWeek, CISA

Issue Summary

A recent security bulletin released by Atlassian on March 19, 2024, addresses a significant vulnerability in Confluence, a widely used collaboration tool. This issue poses a potential risk for unauthorized access and control by attackers, leading to data breaches and system compromise.

Most notable is CVE-2024-1597, a critical vulnerability in a non-Atlassian Bamboo dependency: the PostgreSQL JDBC Driver, also known as PgJDBC. The driver has a critical SQL injection vulnerability when configured with PreferQueryMode=SIMPLE. This is not the default setting, but if it is used, it opens the door to SQL injection attacks. The vulnerability stems from the manipulation of numeric and string placeholders in SQL queries, which lets attackers modify the SQL execution logic and inject malicious SQL code.

|Product & Release Notes|Affected Versions|Fixed Versions|Vulnerability Summary|CVE ID|CVSS Severity|
|---|---|---|---|---|---|
|Bamboo Data Center and Server|9.5.0 to 9.5.1; 9.4.0 to 9.4.3; 9.3.0 to 9.3.6; 9.2.0 to 9.2.11 (LTS); 9.1.0 to 9.1.3; 9.0.0 to 9.0.4; 8.2.0 to 8.2.9; Any earlier versions|9.6.0 (LTS) or 9.5.2 recommended Data Center Only; 9.4.4; 9.2.12 (LTS)|SQLi (SQL Injection) org.postgresql:postgresql Dependency in Bamboo Data Center and Server. NOTE: CVE-2024-1597 is a critical vulnerability in a non-Atlassian Bamboo dependency. However, Atlassian’s application of the dependency presents a lower assessed risk, which is why we are disclosing this vulnerability in our monthly Security Bulletin instead of a Critical Security Advisory.|CVE-2024-1597|10.0 Critical|

Technical Key findings

pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if PreferQueryMode=SIMPLE is used. Note that this is not the default; in the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder, and both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
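A defender-side exposure check built from the conditions above, added here as an example (not code from Atlassian or the pgjdbc project): it compares a driver version with the fixed releases listed, checks a JDBC URL for preferQueryMode=simple, and flags SQL strings where a `-?` placeholder is followed by another placeholder on the same line. The function names, sample URL and sample queries are constructed for illustration; the mode can also be set through connection properties instead of the URL, which this check does not inspect.

```python
import re
from urllib.parse import urlsplit, parse_qs

# First fixed release on each pgjdbc 42.x line, as listed in the text above.
FIXED = {(42, 7): 2, (42, 6): 1, (42, 5): 5, (42, 4): 4, (42, 3): 9, (42, 2): 28}

def driver_is_patched(version):
    """True if a version such as '42.6.0' or '42.2.27.jre7' is at or past the fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised pgjdbc version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Newer lines postdate the fix; lines older than 42.2 have no fixed release listed.
    return (major, minor) > (42, 7)

def uses_simple_mode(jdbc_url):
    """True if the JDBC URL sets preferQueryMode=simple (compared case-insensitively)."""
    query = urlsplit(jdbc_url.removeprefix("jdbc:")).query
    params = {k.lower(): v[-1].lower() for k, v in parse_qs(query).items()}
    return params.get("preferquerymode") == "simple"

# A '-' immediately before a placeholder, then another placeholder on the same line.
RISKY_SQL = re.compile(r"-\?[^\n]*\?")

def risky_queries(sql_strings):
    """Return the SQL strings whose placeholder layout matches the described condition."""
    return [s for s in sql_strings if RISKY_SQL.search(s)]

def assess(version, jdbc_url, sql_strings):
    patched, simple = driver_is_patched(version), uses_simple_mode(jdbc_url)
    return {"patched": patched, "simple_mode": simple,
            "review_sql": risky_queries(sql_strings),
            "exposed": simple and not patched}

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_URL = "jdbc:postgresql://db.example.internal:5432/app?preferQueryMode=simple"
SAMPLE_SQL = [
    "SELECT -?, ? FROM ledger",           # flagged: '-?' then '?' on one line
    "SELECT -?,\n       ? FROM ledger",   # not flagged: placeholders on separate lines
    "SELECT ? - 1, ? FROM ledger",        # not flagged: '-' does not precede '?'
]

if __name__ == "__main__":
    print(assess("42.6.0", SAMPLE_URL, SAMPLE_SQL))
```

The SQL pattern is a review heuristic over query strings you collect yourself; a clean result does not replace upgrading the driver.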

Vulnerable products

All versions of PgJDBC before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are vulnerable to this SQL injection attack. For Bamboo Data Center and Server, this dependency is used in:

  • 9.5.0 to 9.5.1
  • 9.4.0 to 9.4.3
  • 9.3.0 to 9.3.6
  • 9.2.0 to 9.2.11 (LTS)
  • 9.1.0 to 9.1.3
  • 9.0.0 to 9.0.4
  • 8.2.0 to 8.2.9
  • Any earlier versions

However, Bamboo and other Atlassian Data Center products are unaffected by this vulnerability, as they do not use PreferQueryMode=SIMPLE in their SQL database connection settings.

Impact assessment

The impact of exploiting CVE-2024-1597 is severe and includes:

  • Unauthorized data exposure, including sensitive customer information and business secrets.
  • Data manipulation, potentially leading to disrupted operations and diminished trust.
  • In extreme cases, attackers could gain complete control over the affected database.

Patches or workaround

Atlassian has released updates for Confluence Server and Data Center that address this vulnerability. Users are advised to update their installations to a fixed version (9.6.0 (LTS) or 9.5.2 recommended, Data Center Only; 9.4.4; 9.2.12 (LTS)) as soon as possible.

Tags

#Atlassian #Confluence #Cybersecurity #Vulnerability #PatchUpdate #CVE-2024-1597 #pgjdbc #SQLInjection #PostgreSQL #SecurityVulnerability
