Overview
NSFOCUS CERT has observed that Atlassian has released a security bulletin fixing several high-risk vulnerabilities in Atlassian products. Affected users should take protective measures.
Arbitrary Servlet Filter Bypass Vulnerability (CVE-2022-26136):
Vulnerabilities in multiple Atlassian products allow unauthenticated remote attackers to bypass servlet filters used by first- and third-party applications. The specific impact depends on which filters an application uses and how it uses them. The vulnerability can lead to authentication bypass and cross-site scripting (XSS), as follows:
Authentication bypass: an unauthenticated remote attacker can send a specially crafted HTTP request to bypass custom servlet filters used by third-party applications.
XSS: an unauthenticated remote attacker can send a specially crafted HTTP request that bypasses the servlet filter used to validate legitimate Atlassian Gadgets. By inducing a user to open a malicious URL, the attacker can execute arbitrary JavaScript in that user's browser.
Servlet Filter Invocation Vulnerability (CVE-2022-26137):
Several Atlassian products contain a servlet filter invocation vulnerability: an unauthenticated remote attacker can cause additional servlet filters to be invoked while the application processes requests or responses. By sending a specially crafted HTTP request, an attacker can bypass cross-origin resource sharing (CORS) restrictions. An attacker can induce a user to open a malicious URL and thereby gain access to the affected application with the victim's privileges.
Atlassian Confluence Hardcoded Vulnerability (CVE-2022-26138):
When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account named disabledsystemuser. This account is intended to help migrate data from the app to Confluence Cloud. It is created with a hardcoded password and added to the confluence-users group, which by default can view and edit all unrestricted pages in Confluence. An unauthenticated attacker who knows the hardcoded password can log in to Confluence as this account and access every page the group is permitted to access.
Reference link:
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
Scope of Impact
Affected version
CVE-2022-26136/CVE-2022-26137
Bamboo Server and Data Center:
- Bamboo Server and Data Center < V7.2.9
- V8.0.0 <= Bamboo Server and Data Center < V8.0.9
- V8.1.0 <= Bamboo Server and Data Center < V8.1.8
- V8.2.0 <= Bamboo Server and Data Center < V8.2.4
Bitbucket Server and Data Center:
- Bitbucket Server and Data Center < V7.6.16
- Bitbucket Server and Data Center V7.7.x-V7.16.x All versions
- V7.17.0 <= Bitbucket Server and Data Center < V7.17.8
- Bitbucket Server and Data Center V7.18.x All versions
- V7.19.0 <= Bitbucket Server and Data Center < V7.19.5
- V7.20.0 <= Bitbucket Server and Data Center < V7.20.2
- V7.21.0 <= Bitbucket Server and Data Center < V7.21.2
- Bitbucket Server and Data Center V8.0.0
- Bitbucket Server and Data Center V8.1.0
Confluence Server and Data Center:
- Confluence Server and Data Center < V7.4.17
- Confluence Server and Data Center V7.5.x-V7.12.x All versions
- V7.13.0 <= Confluence Server and Data Center < V7.13.7
- V7.14.0 <= Confluence Server and Data Center < V7.14.3
- V7.15.0 <= Confluence Server and Data Center < V7.15.2
- V7.16.0 <= Confluence Server and Data Center < V7.16.4
- V7.17.0 <= Confluence Server and Data Center < V7.17.4
- Confluence Server and Data Center V7.18.0
Crowd Server and Data Center:
- Crowd Server and Data Center < V4.3.8
- V4.4.0 <= Crowd Server and Data Center < V4.4.2
- Crowd Server and Data Center V5.0.0
Crucible:
- Crucible < V4.8.10
Fisheye:
- Fisheye < V4.8.10
Jira Server and Data Center:
- Jira Server and Data Center < V8.13.22
- Jira Server and Data Center V8.14.x-V8.19.x All versions
- V8.20.0 <= Jira Server and Data Center < V8.20.10
- Jira Server and Data Center V8.21.x All versions
- V8.22.0 <= Jira Server and Data Center < V8.22.4
Jira Service Management Server and Data Center:
- Jira Service Management Server and Data Center < V4.13.22
- Jira Service Management Server and Data Center V4.14.x-V4.19.x All versions
- V4.20.0 <= Jira Service Management Server and Data Center < V4.20.10
- Jira Service Management Server and Data Center V4.21.x All versions
- V4.22.0 <= Jira Service Management Server and Data Center < V4.22.4
CVE-2022-26138 (Questions for Confluence app):
- Questions for Confluence V2.7.34
- Questions for Confluence V2.7.35
- Questions for Confluence V3.0.2
Unaffected version
Bamboo Server and Data Center:
- Bamboo Server and Data Center >= 7.2.9
- Bamboo Server and Data Center >= 8.0.9
- Bamboo Server and Data Center >= 8.1.8
- Bamboo Server and Data Center >= 8.2.4
- Bamboo Server and Data Center >= 9.0.0
Bitbucket Server and Data Center:
- Bitbucket Server and Data Center >= 7.6.16 (LTS)
- Bitbucket Server and Data Center >= 7.17.8 (LTS)
- Bitbucket Server and Data Center >= 7.19.5
- Bitbucket Server and Data Center >= 7.20.2
- Bitbucket Server and Data Center >= 7.21.2 (LTS)
- Bitbucket Server and Data Center >= 8.0.1
- Bitbucket Server and Data Center >= 8.1.1
- Bitbucket Server and Data Center >= 8.2.0
Confluence Server and Data Center:
- Confluence Server and Data Center >= 7.4.17 (LTS)
- Confluence Server and Data Center >= 7.13.7 (LTS)
- Confluence Server and Data Center >= 7.14.3
- Confluence Server and Data Center >= 7.15.2
- Confluence Server and Data Center >= 7.16.4
- Confluence Server and Data Center >= 7.17.4
- Confluence Server and Data Center >= 7.18.1
Crowd Server and Data Center:
- Crowd Server and Data Center >= 4.3.8
- Crowd Server and Data Center >= 4.4.2
- Crowd Server and Data Center >= 5.0.1
Crucible:
- Crucible >= 4.8.10
Fisheye:
- Fisheye >= 4.8.10
Jira Server and Data Center:
- Jira Server and Data Center >= 8.13.22 (LTS)
- Jira Server and Data Center >= 8.20.10 (LTS)
- Jira Server and Data Center >= 8.22.4
Jira Service Management Server and Data Center:
- Jira Service Management Server and Data Center >= 4.13.22 (LTS)
- Jira Service Management Server and Data Center >= 4.20.10 (LTS)
- Jira Service Management Server and Data Center >= 4.22.4
Questions for Confluence app:
- Questions for Confluence >= 2.7.38 (compatible with Confluence 6.13.18 to 7.16.2)
- Questions for Confluence >= 3.0.5 (compatible with Confluence 7.16.3 and higher)
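The affected and unaffected lists above are easiest to apply across a fleet with a small checker. The following is an added example, not code from NSFOCUS or Atlassian; it transcribes the CVE-2022-26136/26137 ranges for Bamboo, Bitbucket, Confluence, Crowd and Jira Server/Data Center, and the host inventory it runs on is constructed.

```python
# Added example: decide whether an installed Server/Data Center version falls
# inside the CVE-2022-26136/26137 affected ranges listed in the advisory.

def parse_version(text):
    """'V7.13.6' -> (7, 13, 6); missing components are treated as 0."""
    parts = [int(p) for p in text.strip().lower().lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

# Ranges transcribed from the advisory as (low_inclusive, high_exclusive);
# None means unbounded. "7.5.x-7.12.x all versions" becomes ("7.5.0", "7.13.0")
# and a single listed release such as 8.0.0 becomes ("8.0.0", "8.0.1").
AFFECTED = {
    "bamboo": [(None, "7.2.9"), ("8.0.0", "8.0.9"), ("8.1.0", "8.1.8"), ("8.2.0", "8.2.4")],
    "bitbucket": [(None, "7.6.16"), ("7.7.0", "7.17.0"), ("7.17.0", "7.17.8"),
                  ("7.18.0", "7.19.0"), ("7.19.0", "7.19.5"), ("7.20.0", "7.20.2"),
                  ("7.21.0", "7.21.2"), ("8.0.0", "8.0.1"), ("8.1.0", "8.1.1")],
    "confluence": [(None, "7.4.17"), ("7.5.0", "7.13.0"), ("7.13.0", "7.13.7"),
                   ("7.14.0", "7.14.3"), ("7.15.0", "7.15.2"), ("7.16.0", "7.16.4"),
                   ("7.17.0", "7.17.4"), ("7.18.0", "7.18.1")],
    "crowd": [(None, "4.3.8"), ("4.4.0", "4.4.2"), ("5.0.0", "5.0.1")],
    "jira": [(None, "8.13.22"), ("8.14.0", "8.20.0"), ("8.20.0", "8.20.10"),
             ("8.21.0", "8.22.0"), ("8.22.0", "8.22.4")],
}

def is_affected(product, version):
    """True if `version` of `product` lies inside any affected range."""
    v = parse_version(version)
    for low, high in AFFECTED[product.lower()]:
        if low is not None and v < parse_version(low):
            continue
        if high is not None and v >= parse_version(high):
            continue
        return True
    return False

def audit(inventory):
    """inventory: list of (host, product, version); returns hosts needing an upgrade."""
    return [host for host, product, version in inventory if is_affected(product, version)]

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames), not real systems.
    sample = [("wiki-01", "confluence", "7.13.6"), ("wiki-02", "confluence", "7.13.7"),
              ("jira-01", "jira", "8.20.9"), ("git-01", "bitbucket", "7.6.17"),
              ("git-02", "bitbucket", "8.1.0"), ("build-01", "bamboo", "9.0.0")]
    for host, product, version in sample:
        state = "AFFECTED" if is_affected(product, version) else "ok"
        print(f"{host}: {product} {version} -> {state}")
```

Note that a version between an affected range and the next listed LTS fix (for example Bitbucket 7.6.17) is reported as unaffected, matching the advisory's lists.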
Mitigation
Official upgrade
Atlassian has fixed these vulnerabilities in the latest versions, and affected users should upgrade as soon as possible. The official download links are as follows:
Affected product | Download link for fixed versions
Bamboo Server and Data Center | https://www.atlassian.com/software/bamboo/download
Bitbucket Server and Data Center | https://www.atlassian.com/software/bitbucket/download-archives
Confluence Server and Data Center | https://www.atlassian.com/software/confluence/download-archives
Crowd | https://www.atlassian.com/software/crowd/download/data-center
Crucible | https://www.atlassian.com/software/crucible/download
Fisheye | https://www.atlassian.com/software/fisheye/download
Jira Service Management Server and Data Center | https://www.atlassian.com/software/jira/service-management/download-archives
Jira Software Server and Data Center | https://www.atlassian.com/software/jira/download-archives
Questions for Confluence app | https://confluence.atlassian.com/upm/updating-apps-273875710.html
Temporary mitigation
If upgrading is temporarily not possible, the Confluence hardcoded-password vulnerability (CVE-2022-26138) can be mitigated by disabling or deleting the disabledsystemuser account. For the specific steps, see: https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.