
Atlassian Releases Critical Security Updates for Multiple Products

Critical vulnerabilities include use of hard-coded credentials, authentication bypass, and cross-site scripting


Summary

The following platforms are also known to be affected:

  • Bamboo Server and Data Center

  • Crowd Server and Data Center

  • Fisheye and Crucible


Threat details

Exploitation in the wild for CVE-2022-26138

The hard-coded password necessary to exploit CVE-2022-26138 was disclosed on Twitter. Attackers have been exploiting this issue in the wild.

Affected organisations who have not already reviewed the advisory Questions For Confluence Security Advisory 2022-07-20 and applied updates or mitigations are urged to do so as a matter of urgency.


Introduction

Atlassian has released advisories that address critical vulnerabilities in multiple products. Fourteen products are affected by CVE-2022-26136 and CVE-2022-26137, which relate to authentication bypass, cross-site scripting, and cross-origin resource sharing (CORS) bypass. The last vulnerability, known as CVE-2022-26138, concerns the use of hard-coded credentials within the Questions for Confluence app.

A remote, unauthenticated attacker could exploit some of these vulnerabilities to take control of the system.


Remediation advice

Affected organisations are encouraged to review the Atlassian July 2022: Atlassian Security Advisories Overview and apply the relevant updates.


Remediation steps

Type: Patch

Step: Multiple Products Security Advisory - CVE-2022-26136, CVE-2022-26137

Note: Atlassian Cloud sites are not affected because fixes have already been deployed to them. If your Atlassian site is accessed via a bitbucket.org or an atlassian.net domain, it is an Atlassian Cloud site.

Affected products:

  • Bamboo Server and Data Center

  • Bitbucket Server and Data Center

  • Confluence Server and Data Center

  • Crowd Server and Data Center

  • Crucible

  • Fisheye

  • Jira Server and Data Center

  • Jira Service Management Server and Data Center

Reference: https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html

Type: Patch

Step: Questions For Confluence Security Advisory 2022-07-20 - CVE-2022-26138

Affected products:

  • Questions For Confluence app relating to Confluence Server

  • Questions For Confluence app relating to Confluence Data Center

Reference: https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html


CVE Vulnerabilities

CVE-2022-26137 (Status: Published)

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.

Affected versions:

  • Atlassian Bamboo: before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4.

  • Atlassian Bitbucket: before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0.

  • Atlassian Confluence: before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0.

  • Atlassian Crowd: before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0.

  • Atlassian Fisheye and Crucible: before 4.8.10.

  • Atlassian Jira: before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4.

  • Atlassian Jira Service Management: before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
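The version ranges above are easy to misread by hand, so here is an added example (not part of this advisory and not Atlassian tooling) that turns them into a check a defender can run over a product inventory; the product keys and the sample inventory are assumptions, the ranges are transcribed from the advisory text.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse(version: str) -> Version:
    """'7.13' -> (7, 13, 0); only the first three numeric components are compared."""
    parts = [int(p) for p in version.strip().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

# Affected ranges for CVE-2022-26137, transcribed from the advisory text:
# (lower bound inclusive, upper bound exclusive). Product keys are assumed names.
RANGES: Dict[str, List[Tuple[str, str]]] = {
    "bamboo": [("0", "8.0.9"), ("8.1.0", "8.1.8"), ("8.2.0", "8.2.4")],
    "bitbucket": [("0", "7.6.16"), ("7.7.0", "7.17.8"), ("7.18.0", "7.19.5"),
                  ("7.20.0", "7.20.2"), ("7.21.0", "7.21.2")],
    "confluence": [("0", "7.4.17"), ("7.5.0", "7.13.7"), ("7.14.0", "7.14.3"),
                   ("7.15.0", "7.15.2"), ("7.16.0", "7.16.4"), ("7.17.0", "7.17.4")],
    "crowd": [("0", "4.3.8"), ("4.4.0", "4.4.2")],
    "fisheye": [("0", "4.8.10")],
    "crucible": [("0", "4.8.10")],
    "jira": [("0", "8.13.22"), ("8.14.0", "8.20.10"), ("8.21.0", "8.22.4")],
    "jira-service-management": [("0", "4.13.22"), ("4.14.0", "4.20.10"),
                                ("4.21.0", "4.22.4")],
}
# Versions the advisory lists individually rather than as a range.
EXACT: Dict[str, List[str]] = {
    "bitbucket": ["8.0.0", "8.1.0"], "confluence": ["7.21.0"], "crowd": ["5.0.0"],
}

def is_affected(product: str, version: str) -> bool:
    """True if product/version is inside an affected range; unknown product raises KeyError."""
    v = parse(version)
    if any(parse(e) == v for e in EXACT.get(product, [])):
        return True
    return any(parse(lo) <= v < parse(hi) for lo, hi in RANGES[product])

def audit(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return 'product version' for every inventory entry still in an affected range."""
    return [f"{p} {v}" for p, v in inventory if is_affected(p, v)]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("confluence", "7.13.6"), ("jira", "8.22.4"), ("bitbucket", "8.0.0")]
    for hit in audit(sample):
        print("AFFECTED by CVE-2022-26137:", hit)
```

An unknown product key raises rather than silently reporting "not affected", so typos in the inventory surface instead of hiding a vulnerable host.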

Last edited: 29 July 2022 1:40 pm