Jira, Bamboo, Bitbucket, Confluence, Fisheye/Crucible, and Questions for Confluence affected
Atlassian has addressed a hardcoded credential flaw in Questions for Confluence and servlet filter bypasses in multiple other products.
The Australian vendor of software development and collaboration tools issued security advisories with instructions for applying updates and mitigations yesterday (July 20).
Servlet filter bypasses
The servlet filter bypass flaws affect multiple versions of Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Fisheye and Crucible, Jira Server and Data Center, and Jira Service Management Server and Data Center.
Fixes have been deployed to Atlassian Cloud sites.
Servlet filters intercept and process HTTP requests before a client request is sent to a backend resource, and from a backend resource before they’re sent to a client.
A vulnerability tracked as CVE-2022-26136 allowed an unauthenticated attacker to bypass servlet filters used by as-yet unspecified first- and third-party apps.
The impact depends on which filters an app uses and how they are used, said Atlassian.
“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences,” reads the security advisory.
Atlassian has ascertained that unauthenticated attackers could send a specially crafted HTTP request to bypass custom servlet filters and authentication used by third party apps to enforce authentication, or to bypass the servlet filter used to validate legitimate Atlassian Gadgets and achieve cross-site scripting (XSS).
Another vulnerability allows an unauthenticated attacker to cause additional servlet filters to be invoked when the application processes requests or responses (CVE-2022-26137).
Atlassian said it has addressed the only known, related security issue – a cross-origin resource sharing (CORS) bypass whereby a specially crafted HTTP request could invoke the servlet filter used to respond to CORS requests.
Questions for Confluence
The hardcoded credential in Questions for Confluence, a forum-style app for enterprise wiki platform Confluence, is created for a user account with the username disabledsystemuser, which supports administrators in migrating data from the app to Confluence Cloud.
The disabledsystemuser account “is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default”, reads the corresponding security advisory.
“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.”
“While Atlassian has not received any reports of this issue being exploited in the wild, the hardcoded password is trivial to obtain,” said Atlassian.
The flaw (CVE-2022-26138) applies when the Questions for Confluence app is enabled on Confluence Server or Data Center. Confluence Cloud is unaffected.
Atlassian has warned that uninstalling the Questions for Confluence app does not alone remediate the vulnerability, since doing do fails to remove the disabledsystemuser account.
Instead, users must either manually deactivate or delete these accounts or update Questions for Confluence to version 2.7.38 or 3.0.5, which removes as well as stops creating the user account in question.
Users can determine whether the flaw has been exploited on their instance by reviewing users’ last logon times. “If the last authentication time for disabledsystemuser is null, that means the account exists but no one has ever logged into it,” said Atlassian.