CVE-2023-22523: Critical RCE Vulnerability in Assets Discovery
A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2023-22523 (CVSS score of 9.8), has been discovered in Assets Discovery. This vulnerability allows an attacker to execute arbitrary code on an affected machine with the Assets Discovery agent installed. All versions of Assets Discovery before 3.2.0-cloud (Cloud) and before 6.2.0 (Data Center and Server) are vulnerable.
Assets Discovery is a stand-alone network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and collects detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network.
This vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. It allows an attacker to perform privileged RCE on an affected machine.
This vulnerability affects all versions of Assets Discovery before 3.2.0-cloud (Cloud) and before 6.2.0 (Data Center and Server).
Product | Component | Affected Versions |
---|---|---|
Jira Service Management Cloud | Assets Discovery | All versions before 3.2.0-cloud |
Jira Service Management Data Center and Server | Assets Discovery | All versions before 6.2.0 |
Atlassian strongly recommends that all affected Assets Discovery instances be patched to the latest version.
Product | Component | Fixed Versions |
---|---|---|
Jira Service Management Cloud | Assets Discovery | 3.2.0-cloud |
Jira Service Management Data Center and Server | Assets Discovery | 6.2.0 |
How to Patch
- Uninstall Assets Discovery agents.
- Apply the Assets Discovery application patch.
- Reinstall Assets Discovery agents.
What if I can’t immediately uninstall the agents?
If you cannot immediately uninstall the Assets Discovery agents, you can block the port used for communication with agents (the default port is 51337). This temporary mitigation is not a replacement for uninstalling the agents.
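As an added example (not part of Atlassian's advisory and not Assets Discovery code), the shell helper below supports the temporary mitigation above: it checks a `ss -ltn` listing for a listener on the agent port and prints the firewall rules that block inbound traffic to it, so the block can be reviewed before it is applied. The advisory only names the default port 51337; that the agent listens on TCP, that the rule is applied on the host running the agent, the `--check` flag, the function names and the sample `ss` output are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the advisory. Helpers for the temporary mitigation
# (block the Assets Discovery agent port) until the agents can be uninstalled.
# Assumptions: the agent listens on TCP, and rules are applied on the agent host.

AGENT_PORT="${AGENT_PORT:-51337}"   # default agent port named in the advisory

# Constructed sample of `ss -ltn` output, used only for demonstration.
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:51337        0.0.0.0:*
LISTEN  0       511     127.0.0.1:8080       0.0.0.0:*'

# agent_port_listening LISTING PORT
# Returns 0 if any LISTEN line in LISTING has a local address ending in :PORT,
# otherwise 1. Works for IPv4 ("0.0.0.0:51337") and IPv6 ("[::]:51337") forms.
agent_port_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# mitigation_rules_linux PORT
# Prints the iptables rule that drops inbound TCP to PORT (inserted at the top
# of INPUT so it takes precedence over existing accept rules).
mitigation_rules_linux() {
    printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$1"
}

# mitigation_rules_windows PORT
# Prints the equivalent Windows Firewall rule for agents running on Windows.
mitigation_rules_windows() {
    printf 'netsh advfirewall firewall add rule name="Block Assets Discovery agent port" dir=in action=block protocol=TCP localport=%s\n' "$1"
}

# Stand-alone use: `sh mitigate.sh --check` inspects this host's listeners and
# prints the suggested rules; nothing is applied automatically.
if [ "${1:-}" = "--check" ]; then
    if agent_port_listening "$(ss -ltn 2>/dev/null)" "$AGENT_PORT"; then
        echo "Agent port $AGENT_PORT is listening; suggested temporary block:"
        mitigation_rules_linux "$AGENT_PORT"
    else
        echo "No listener on port $AGENT_PORT"
    fi
fi
```

Apply the printed rule on each host that still runs an agent, keep a list of those hosts, and remove the rule only after the agents have been uninstalled, the application patched, and the agents reinstalled per the steps above.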
The CVE-2023-22523 vulnerability poses a significant security risk and should be addressed immediately. Atlassian provides detailed patching instructions and mitigation measures in its security advisory.