CVE-2023-22523: RCE Vulnerability in Assets Discovery - CVE-2023-22523

This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. See “What You Need To Do” for detailed instructions.

Assets Discovery, which can be downloaded via Atlassian Marketplace, is a network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and extracts detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network.

Affected Versions

This vulnerability affects all versions prior to Assets Discovery 3.2.0-cloud / 6.2.0 Data Center and server Atlassian recommends patching to the latest version.

Product

Component

Affected Versions

Jira Service Management Cloud

Assets Discovery

• Insight Discovery 1.0 - 3.1.3
• Assets Discovery 3.1.4 - 3.1.7
• Assets Discovery 3.1.8-cloud - 3.1.11-cloud

Jira Service Management Data Center and Server

Assets Discovery

• Insight Discovery 1.0 - 3.1.7
• Assets Discovery 3.1.9 - 3.1.11
• Assets Discovery 6.0.0 - 6.1.14, 6.1.14-jira-dc-8

Fixed Versions

There is no need to upgrade Jira Service Management product, only the Assets Discovery application and agents.

Product

Component

Fixed Versions

Jira Service Management Cloud

Assets Discovery

• Assets Discovery 3.2.0-cloud or later

Jira Service Management Data Center and Server

Assets Discovery

• Assets Discovery 6.2.0 or later

What You Need To Do****1. Uninstall Assets Discovery agents****2. Apply the Assets Discovery application patch****3. Re-install agents

Uninstalling the Assets Discovery agents is the quickest and safest way to mitigate risk. Once the agent(s) are uninstalled, you can apply the latest fixed version of the Assets Discovery application and re-install the Assets Discovery agents.

NOTE: Customers who do not currently use agents but may wish to in the future, must also apply the latest fixed version of the Assets Discovery application before installing agents.

What if I can’t immediately uninstall the agents?

Uninstalling the Assets Discovery agents is the most effective way to protect your data, and customers will need to follow all of the instructions above before using Assets Discovery agents again.

However, if you cannot immediately uninstall the Assets Discovery agents, customers may block the port used for communication with agents (the default port is 51337). This temporary mitigation is not a replacement for uninstalling the agents. Please see the FAQ for additional information.

Frequently Asked Questions

• More details can be found on the Frequently Asked Questions (FAQ) page.