Critical security flaws discovered at software vendor

Two critical flaws affecting major Atlassian products could put customer security at risk, the software company has warned. This is the second major vulnerability Atlassian has discovered in six weeks and the vendor says it “cannot guarantee it won’t have to issue advisories in the near future” as it attempts to get to the root of the problems.

Published in the firm’s July security advisory, the pair of “Servlet Filter dispatcher vulnerabilities” allow attackers to use crafted HTTP requests to bypass, manipulate or invoke Servlet Filters, which can be used to authenticate users.

Atlassian produces productivity tools for businesses, and says it has 180,000 customers around the world, with more than 10 million monthly active users. It also claims that 83% of Fortune 500 companies use at least one of its products.

Atlassian vulnerabilities: how do they affect systems?

Software affected by the newly discovered vulnerabilities includes Bamboo, Bitbucket, Confluence, Fisheye, Crucible and Jira, and Atlassian says more of its products could also be impacted as it has yet to map the full consequences of the problems.

It has issued fixes to cloud services where its software is deployed, and updates are available for older versions of its products impacted by the flaws.

“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,” it said in a statement.

The first of the flaws, CVE-2022-26136, allows an attacker to send a crafted HTTP address that lets it bypass custom Servlet Filters. Atlassian explained in its note: “The impact depends on which filters are used by each app, and how the filters are used.”

The same flaw can also be used in a cross-site scripting attack. This is where another HTTP request can be used to trick a user who thinks they are requesting a legitimate Atlassian service into requesting a malicious URL to execute arbitrary JavaScript in their browser.

Content from our partners

The other vulnerability, known as CVE-2022-26137, is also found in multiple Atlassian products and allows remote, unauthenticated attacks to cause additional Servlet Filters to be invoked any time the application processes makes a request or response. “An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions,” the company said.

Atlassian says it has confirmed and fixed the known security issues associated with these vulnerabilities, but couldn’t determine a full list of affected apps.

Atlassian vulnerabilities: more advisories could be on the way.

Atlassian considers the vulnerabilities severe because they affect the code included with each product, so systems are still impacted even if they don’t have any third-party apps installed. The company says it can’t confirm if a system has been compromised so customers will need to look to their own security teams to conduct further investigations.

For businesses using Atlassian products, the vendor “recommends checking the integrity of the application filesystem, for example, comparison of artefacts in their current state with recent back-ups to see if there are any unexpected differences.

“All security compromises are different, and there is a risk that an attacker could hide their footprint and change important files – such as syslogs, audit logs, access logs etc. – depending on the component that has been compromised,” it says.

Atlassian adds that it continues to investigate the problems but “cannot guarantee that there will be no further advisories in the near future”.

This latest security update comes just weeks after another critical flaw within Confluence, Atlassian’s secure collaboration software, was revealed. Powerful botnet Dark IoT was among those taking advantage of the problem. A similar flaw was also discovered – and patched – last year.

Read more: How AI will extend the scale – and sophistication – of cybercrime